/etc/syslog.conf

The UNIX logging system uses /etc/syslog.conf to sort log messages into their proper files. Each program that wants to log sends log entries to the logging system and marks each message with a facility and a level. The syslogd(8) program receives these messages and sorts them according to the matching entries in /etc/syslog.conf. Each entry has two sections: a message identifier consisting of a facility and a level, and an action for matching messages. You must separate the action from the facility/level statement with tabs, not spaces.

Facilities

A facility is a log-entry source, generally a program, that sends messages to syslogd. This is an arbitrary label, just a text string used to sort one program from another. In most cases, each program that needs a unique log needs a unique facility. Many programs have a facility dedicated to them, such as mail, ftp, and cron. Syslogd also has a variety of generic facilities that can be used by any program. Programs can use facilities that aren't meant for them, but you'll be able to track them down by finding their name within the message. The standard facilities are:

auth

Publicly accessible information about user authorization, such as login and su attempts

authpriv

Private information about user authorization, accessible only to root

cron

Messages from the system scheduler, cron(8)

daemon

A catch-all for system daemons that lack their own facility

kern

Messages from the kernel

lpr

Messages from the printing system

mail

Messages from the mail system

mark

This puts an entry in a log every 20 minutes, useful for timing other logs

news

Messages from the Internet News daemon

syslog

Internal logging system messages

user

The default message recipient

uucp

Logs from the UNIX-to-UNIX Copy Protocol

local0 through local7

Reserved for administrator use

Levels

A log message's level represents its relative importance. While programs send all their logging data to syslogd, most syslogd configurations only record the important stuff. Everyone has a different view of "important," however, and that's where levels come in. OpenBSD, like every standard-compliant UNIX, provides eight levels, which you can use to tell syslogd what to use and what to discard.

emerg

System panic. Messages are flashed on every terminal. The system is down. Read crash(8).

alert

The system can continue to operate, but requires immediate attention.

crit

There are critical errors, but not as bad as the "alert" level. You may have a hard drive going bad, or serious software issues. You can continue running, if you're brave.

err

Errors that should be fixed, but will not endanger your system.

warning

Assorted errors that should be fixed in your copious free time, as someone will notice them, eventually.

notice

General information that probably doesn't require any action on your part.

info

Individual transaction and program activity information, such as individual messages sent or received on a mail server.

debug

Very detailed information, mostly of use when trying to debug problems. May contain information that violates user privacy.

none

Don't log anything from this facility here.

Actions

Syslogd(8) will take any of several actions upon matching a message. If you give an action of a full path to a file, messages are appended to the file. If you give the "@" symbol followed by the name of a host, messages will be forwarded to the syslogd(8) on that host. If you list users, separated by commas, the message will be sent to the terminal windows of any of those users who are logged in. Finally, if you put an asterisk, every user who is logged in will get the message on his terminal window.

Creating syslog.conf Entries

The first entry on each line describes the information to be logged, by facility and level. All messages sent with that facility at that level or higher will match the entry. The second tells the action to be taken when a log message matches the description. Syslogd compares each submission to the entries in /etc/syslog.conf and, when it finds a matching entry, processes the log entry in the manner described. Take a look at this line from /etc/syslog.conf:

 auth.info                    /var/log/authlog 

This tells syslogd(8) to record messages that use the "auth" facility in /var/log/authlog, if the message has a level of "info" or higher.

Wildcards

You can use wildcards in the message description. For example, to log all messages from the mail system you could use this entry.

 mail.*                                     /var/log/maillog 

To log everything from everywhere, use two wildcards.

 *.*                                         /var/log/everything 

Multiple Information Sources

You can send multiple information sources to a single action by separating them with semicolons.

 *.notice;auth.debug                           root 

Local Facilities

Many programs can choose which facility to use for their logging. Most add-on programs can be told which facility to use. The various "local" facilities are reserved for these programs. For example, you might tell a program to log to "local5". Exactly how you set these facilities varies from program to program. Once you have the program's facility set, however, logging these messages works exactly like logging any other messages.

 local3.debug                        /var/log/programlog 

Logging Hosts

If your network has a loghost where all systems send their logs, you can specify it as an action by using the at symbol (@). Here, we dump all the messages from the local host to the logging host.

 *.*                              @loghost.AbsoluteOpenBSD.com 

The /etc/syslog.conf on the log host determines the final destination for the messages it receives. Fortunately, each log message includes the host name.

Logging to User Sessions

You can send a message to a user, if he is logged in. List multiple users by separating them with commas. To send a message to all users, give an asterisk. For example, here I really annoy Chris, Phil, and Don, but notify all users of real emergencies.

 *.debug                             chris,phil,don 
 *.emerg                             * 

Logging by Program Name

If you're out of facilities, you can use the program's name to handle logging. An entry for a name requires at least two lines: the program name with a leading exclamation point and then a line with the logging information. For example, to log the output of (8), you would use this entry:

 !chat 
 *.*                     /var/log/chatlog 
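The selector rules described in this chapter (facility.level pairs, semicolons, wildcards, the "none" level, "that level or higher" matching, and the !program sections) can be checked against a configuration without restarting syslogd(8). The following Python script is an added example, not code from the book or from OpenBSD's syslogd; it is a simplified model of those rules only, and the syslog.conf text, the host name loghost.example.com and the sample messages are constructed for the demo. It also flags entries that separate selector and action with spaces instead of the required tab, a mistake that silently drops the entry.

```python
"""Toy matcher for /etc/syslog.conf selectors as described in this chapter.

Added example, not from the book or OpenBSD's syslogd(8). It models:
facility.level pairs separated by ';', '*' wildcards in either position,
the 'none' level, "that level or higher" matching, a later selector on
the same line overriding an earlier one for the same facility, and
'!program' sections ('!*' returns to the global section). Other
syslog.conf syntax is not modelled. Config text and messages are
constructed for the demo.
"""

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}  # lower index = more severe

# Constructed configuration; every valid entry uses a literal tab (\t).
# Line 7 deliberately uses spaces so the tab check has something to report.
SAMPLE_CONF = """\
# comment lines and blank lines are ignored

auth.info\t/var/log/authlog
mail.*\t/var/log/maillog
*.notice;auth.debug\troot
*.*;auth.none\t@loghost.example.com
kern.crit   /var/log/kernlog
!chat
*.*\t/var/log/chatlog
!*
"""


def parse_conf(text):
    """Parse config text into (rules, problems).

    rules: list of (program, selectors, action). program is None for the
    global section; selectors is a list of (facility, level) where level
    is a level name, '*' or 'none'.
    problems: notes about lines syslogd(8) would reject or misread.
    """
    rules, problems = [], []
    program = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            name = line[1:].strip()
            program = None if name in ("", "*") else name
            continue
        if "\t" not in raw:
            # The chapter warns that spaces are not accepted here.
            problems.append(f"line {lineno}: no tab between selector and action")
            continue
        selector, action = raw.split("\t", 1)
        selectors = []
        for part in selector.strip().split(";"):
            facility, _, level = part.partition(".")
            if not facility or (level not in RANK and level not in ("*", "none")):
                problems.append(f"line {lineno}: bad selector {part!r}")
                continue
            selectors.append((facility, level))
        if selectors:
            rules.append((program, selectors, action.strip()))
    return rules, problems


def actions_for(rules, facility, level, program=None):
    """Return the actions a message with this facility/level would reach.

    program is the sender's name and matters only inside '!program' sections.
    """
    hits = []
    for rule_prog, selectors, action in rules:
        if rule_prog is not None and rule_prog != program:
            continue
        matched = False
        for fac, lvl in selectors:
            if fac != "*" and fac != facility:
                continue
            # Each selector naming this facility (or '*') resets the
            # decision, which is how "*.*;auth.none" still excludes auth.
            if lvl == "none":
                matched = False
            elif lvl == "*":
                matched = True
            else:
                matched = RANK[level] <= RANK[lvl]  # this level or more severe
        if matched:
            hits.append(action)
    return hits


def main():
    rules, problems = parse_conf(SAMPLE_CONF)
    for note in problems:
        print("problem:", note)
    for fac, lvl, prog in [("auth", "info", "sshd"), ("mail", "debug", "sendmail"),
                           ("kern", "emerg", None), ("local3", "debug", "chat")]:
        print(f"{fac}.{lvl} from {prog}: {actions_for(rules, fac, lvl, prog)}")


if __name__ == "__main__":
    main()
```

Run it as a script to see each sample message's destinations; the entry that used spaces instead of a tab is reported rather than applied, and an auth.info message reaches /var/log/authlog and root but not the log host because of the trailing auth.none selector.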




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298