The System Logger (syslogd) and the syslog.conf File



System messages are logged to files in /var/log. The mechanism that does this is called syslogd, the system logger daemon. This daemon's behavior is set in /etc/syslog.conf, which defines different log files for different services. Each service or "facility" that syslogd knows about (including auth, authpriv, console, cron, daemon, ftp, kern, lpr, mail, mark, news, ntp, security, syslog, user, uucp, and local0 through local7) has a number of different "severity" levels for which you can control logging. These levels include, in decreasing order of severity, emerg, alert, crit, err, warning, notice, info and debug.

Each daemon or service that you run in FreeBSD can log through the predefined facilities of syslogd; for instance, Sendmail and other mail programs can use the system's syslog() routines to send out messages at various levels of severity, using the mail facility; the messages would be handled by syslogd as defined in syslog.conf.

By default, syslog.conf defines several logging rules, as follows:

*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
ftp.info                                        /var/log/xferlog
cron.*                                          /var/log/cron
*.=debug                                        /var/log/debug.log
*.emerg                                         *


You can interpret this to mean that all err messages from any service, debug messages from the kernel, authorization notice messages, and crit messages from mail programs will be printed out to the system console, and you will see them if you have a monitor hooked up to your FreeBSD machine. Similarly, all security-related messages go into the /var/log/security file, and all messages from mail programs at the info level go into /var/log/maillog. Almost everything else goes into /var/log/messages, the general system log file.
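To check where a particular message ends up under the rules above, the selectors can be evaluated mechanically. The following Python sketch is an added example, not code from the book or from FreeBSD; it covers only the selector forms that appear in the default file (level, =level, * and none), and its function names are illustrative.

```python
# Added example: resolves which syslog.conf actions receive a given message.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The default rules quoted on this page, one rule per line.
DEFAULT_CONF = """\
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
*.=debug /var/log/debug.log
*.emerg *
"""

def parse(conf):
    """Return (selectors, action) pairs, skipping blank lines and comments."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selectors, action = line.split(None, 1)
            rules.append((selectors, action.strip()))
    return rules

def selector_matches(selectors, facility, level):
    """Evaluate ';'-separated selectors left to right; a later selector
    replaces the verdict of an earlier one for the same facility."""
    sev = LEVELS.index(level)          # 0 = emerg (most severe), 7 = debug
    verdict = False
    for sel in selectors.split(";"):
        facs, _, lvl = sel.rpartition(".")
        if not {"*", facility} & set(facs.split(",")):
            continue                   # selector does not name this facility
        if lvl == "none":
            verdict = False            # explicitly excluded
        elif lvl == "*":
            verdict = True             # every level
        elif lvl.startswith("="):
            verdict = sev == LEVELS.index(lvl[1:])   # exactly this level
        else:
            verdict = sev <= LEVELS.index(lvl)       # this level or more severe
    return verdict

def destinations(conf, facility, level):
    """List the actions, in file order, that a facility.level message reaches."""
    return [a for s, a in parse(conf) if selector_matches(s, facility, level)]
```

Calling destinations(DEFAULT_CONF, "authpriv", "info") shows that the authpriv.none selector keeps those messages out of /var/log/messages, leaving /var/log/auth.log as their only destination.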

Certain types of messages are not merely written to log files but are sent to a variety of other types of handling mechanisms. In the default syslog.conf, for example, messages from any service at the emerg level are printed to all users at all terminals. Table 14.3 shows the possible actions for syslogd messages and the syntax for each.

Table 14.3. Syntaxes for syslogd Actions

Syntax                Action Taken
/path/to/file         Messages are written to the specified file.
@some.hostname.com    Messages are forwarded to syslogd at some.hostname.com using the syslog network service.
user1                 Messages are printed to any terminal where user1 is logged in.
root,user1,user2      All specified users receive messages on all their terminals.
*                     Messages are written to all logged-in users.
| "mail root"         Messages are mailed to root.


Further details on how to configure syslogd can be found in the man syslogd and man syslog.conf pages.

Note

Each log file in /var/log is rolled over according to a different set of rules. For instance, the /var/log/maillog file is archived and restarted every day by the periodic program. Other log files, such as /var/log/cron and /var/log/messages, are refreshed through other means (often internally by the programs that write to them). Archived log files are generally compressed with bzip. To search through old log files, use bzcat in conjunction with the conventional grep:

# bzcat /var/log/messages.2.bz | grep "rejected"






FreeBSD 6 Unleashed
ISBN: 0672328755
EAN: 2147483647
Year: 2006
Pages: 355
Authors: Brian Tiemann
