\" $NetBSD: syslog.conf.5,v 1.28 2023/12/31 23:39:27 uwe Exp $
\"
\" Copyright (c) 1990, 1991, 1993
\" The Regents of the University of California. All rights reserved.
\"
\" Redistribution and use in source and binary forms, with or without
\" modification, are permitted provided that the following conditions
\" are met:
\" 1. Redistributions of source code must retain the above copyright
\" notice, this list of conditions and the following disclaimer.
\" 2. Redistributions in binary form must reproduce the above copyright
\" notice, this list of conditions and the following disclaimer in the
\" documentation and/or other materials provided with the distribution.
\" 3. Neither the name of the University nor the names of its contributors
\" may be used to endorse or promote products derived from this software
\" without specific prior written permission.
\"
\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
\" SUCH DAMAGE.
\"
\" from: @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
\"
Dd November 9, 2013
Dt SYSLOG.CONF 5
Os
Sh NAME
Nm syslog.conf
Nd
Xr syslogd 8
configuration file
Sh DESCRIPTION
The
Nm
file is the configuration file for the
Xr syslogd 8
program.
It consists of extended options
Po
lines with one
Ar key\^ Ns Li = Ns Ar value
assignment
Pc
and blocks of lines separated by
Em program
and
Em hostname
specifications, with each line containing two fields: the
Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
Em action
field which specifies the action to be taken if a message
Xr syslogd 8
receives matches the selection criteria.
The
Em selector
field is separated from the
Em action
field by one or more tab characters.
Pp
Blank lines and lines whose first non-blank character is a hash
Pq Ql #
character are ignored.
\"
Ss Selectors
Pp
The
Em selector Ns s
function
are encoded as a
Em facility ,
a period
Pq Ql \&. ,
an optional set of
Em comparison flags
Pq Oo Li \&! Oc Ns Op Li <=> ,
and a
Em level ,
with no intervening white-space.
Both the
Em facility
and the
Em level
are case insensitive.
Pp
The
Em facility
describes the part of the system generating the message, and is one of
the following keywords:
Ic auth ,
Ic authpriv ,
Ic cron ,
Ic daemon ,
Ic ftp ,
Ic kern ,
Ic lpr ,
Ic mail ,
Ic mark ,
Ic news ,
Ic syslog ,
Ic user ,
Ic uucp ,
and
Ic local0
through
Ic local7 .
These keywords
Po
with the exception of
Ic mark
Pc
correspond to the similar
Ql LOG_
values specified to the
Xr openlog 3
and
Xr syslog 3
library routines.
Pp
The
Em comparison flags
may be used to specify exactly what levels are logged.
If unspecified, the default comparison is
Ql >=
Pq greater than or equal to ,
or, if the
Fl U
option is passed to
Xr syslogd 8 ,
Ql =
Pq equal to .
Comparison flags beginning with
Ql \&!
will have their logical sense inverted.
Thus,
Ql !=info
means all levels except info and
Ql !notice
has the same meaning as
Ql <notice .
Pp
The
Em level
describes the severity of the message, and is a keyword from the
following ordered list (higher to lower):
Ic emerg ,
Ic alert ,
Ic crit ,
Ic err ,
Ic warning ,
Ic notice ,
Ic info ,
and
Ic debug .
These keywords correspond to the
similar
Ql LOG_
values specified to the
Xr syslog 3
library routine.
Pp
Each block of lines is separated from the previous block by a
Em program
or
Em hostname
specification.
A block will only log messages corresponding to the most recent
Em program
and
Em hostname
specifications given.
Consider the case of a block that selects
Ql pppd
as the
Em program ,
directly followed by a block that selects messages from the
Em hostname
Ql dialhost .
The second block will log only messages from the
Xr pppd 8
program from the host
Sq dialhost .
Pp
A
Em program
specification of the form
Ql #!+prog1,prog2
or
Ql !+prog1,prog2
will cause subsequent blocks to be applied to messages logged by the
specified programs.
A
Em program
specification of the form
Ql #!-prog1,prog2
or
Ql !-prog1,prog2
will cause subsequent blocks to be applied to messages logged by programs
other than the ones specified.
A
Em program
specification of the form
Ql #!prog1,prog2
or
Ql !prog1,prog2
is equivalent to
Ql !+prog1,prog2 .
Program selectors may also match kernel-generated messages.
For example, a program specification of
Ql !+subsys
will match kernel-generated messages of the form
Ql subsys: here is a message .
The special specification
Ql !*
will cause subsequent blocks to apply to all programs.
Pp
A
Em hostname
specification of the form
Ql #+host1,host2
or
Ql +host1,host2
will cause subsequent blocks to be applied to messages received from
the specified hosts.
A
Em hostname
specification of the form
Ql #-host1,host2
or
Ql -host1,host2
will cause subsequent blocks to be applied to messages from hosts other
than the ones specified.
If the hostname is given as
Ql @ ,
the local hostname will be used.
The special specification
Ql +*
will cause subsequent blocks to apply to all hosts.
Pp
See
Xr syslog 3
for a further descriptions of both the
Em facility
and
Em level
keywords and their significance.
It is preferred that selections be made based on
Em facility
rather than
Em program ,
since the latter can vary in a networked environment.
However, there are cases where a
Em facility
may be too broadly defined.
Pp
If a received message matches the specified
Em facility ,
and the specified
Em level
comparison is true,
and the first word in the message after the date matches the
Em program ,
the action specified in the
Em action
field will be taken.
Pp
Multiple
Em selectors
may be specified for a single
Em action
by separating them with semicolon
Pq Ql \&;
characters.
It is important to note, however, that each
Em selector
can modify the ones preceding it.
Pp
Multiple
Em facilities
may be specified for a single
Em level
by separating them with comma
Pq Ql \&,
characters.
Pp
An asterisk
Pq Ql \&*
can be used to specify all
Em facilities
or all
Em levels .
Pp
The special
Em facility
Ic mark
receives a message at priority
Ql info
every 20 minutes
Po see
Xr syslogd 8
Pc .
This is not enabled by a
Em facility
field containing an asterisk.
Pp
The special
Em level
Ql none
disables a particular
Em facility .
\"
Ss Actions
Pp
The
Em action
field of each line specifies the action to be taken when the
Em selector
field selects a message.
There are five forms:
Bl -bullet
It
A pathname beginning with a leading slash
Pq Ql \&/ .
Selected messages are appended to the file, unless
pathname points to an existing FIFO special file.
Xr syslogd 8
treats FIFO specially by opening them in non-blocking mode and
discarding messages sent when no reader is listening on the other side.
Pp
To ensure that kernel messages are written to disk promptly,
Xr syslogd 8
calls
Xr fsync 2
after writing messages from the kernel.
Other messages are not synced explicitly.
You may disable syncing of files specified to receive kernel messages
by prefixing the pathname with a minus sign
Pq Ql \- .
Note that use of this option may cause the loss of log information in
the event of a system crash immediately following the write attempt.
However, using this option may prove to be useful if your system's
kernel is logging many messages.
Pp
Normally the priority and version is not written to file.
In order to use syslog-sign you may prefix a pathname with the plus sign
Pq Ql + .
If both switches are used the order has to be
Ql +\- .
It
A hostname preceded by an at sign
Pq Ql @ .
Selected messages are forwarded to the
Xr syslogd 8
program on the named host with UDP.
It
A hostname preceded by an at sign
Pq Ql @ ,
and enclosed in brackets
Pq Ql [] .
Selected messages are forwarded with TLS to the
Xr syslogd 8
program on the named host.
After the closing bracket a colon
Pq Ql \&:
and a port number or service name may be appended.
Additional parameters are configured in parentheses in the form of
Ar key\^ Ns Li = Ns Ar value .
Recognized keywords are
Ic subject ,
Ic fingerprint ,
Ic cert ,
and
Ic verify .
It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
It
An asterisk
Pq Ql * .
Selected messages are written to all logged-in users.
It
A vertical bar
Pq Ql |
followed by a command to which to pipe the selected messages.
The command string is passed to
Pa /bin/sh
for evaluation, so the usual shell metacharacters or input/output
redirection can occur.
Po
Note that redirecting
Xr stdio 3
buffered output from the invoked command can cause additional delays,
or even lost output data in case a logging subprocess exits with a
signal.
Pc
The command itself runs with
Va stdout
and
Va stderr
redirected to
Pa /dev/null .
Upon receipt of a
Dv SIGHUP ,
Xr syslogd 8
will close the pipe to the process.
If the process does not exit voluntarily, it will be sent a
Dv SIGTERM
signal after a grace period of up to 60 seconds.
Pp
The command will only be started once data arrives that should be
piped to it.
If the command exits, it will be restarted as necessary.
Pp
If it is desired that the subprocess should receive exactly one line of
input, this can be achieved by exiting after reading and processing the
single line.
A wrapper script can be used to achieve this effect, if necessary.
Note that this method can be very resource-intensive if many log messages
are being piped through the filter.
Pp
Unless the command is a full pipeline, it may be useful to
start the command with
Ic exec
so that the invoking shell process does not wait for the command to
complete.
Note that the command is started with the UID of the
Xr syslogd 8
process, normally the superuser.
Pp
Just like with files a plus sign
Pq Ql +
will leave the priority and version information intact.
El
Sh "TLS OPTIONS"
Additional options are used for TLS configuration:
Bl -tag -width Ic
It Ic tls_server
Enables TLS server mode.
It Ic tls_bindport
Service name or port number to bind to.
Default is
Ql syslog .
Em As long as no official port is assigned this option is required
Em for TLS servers.
It Ic tls_bindhost
Hostname or IP to bind to.
It Ic tls_gen_cert
Automatically generate a private key and certificate.
It Ic tls_key
File with private key.
Default is
Pa /etc/openssl/default.key
It Ic tls_cert
File with certificate to use.
Default is
Pa /etc/openssl/default.crt
It Ic tls_ca
File with CA certificate to use.
It Ic tls_cadir
Directory containing CA certificates.
It Ic tls_verify
If set to
Ql off
then certificate authentication is skipped.
It Ic tls_allow_fingerprints
List of fingerprints of trusted client certificates.
It Ic tls_allow_clientcerts
List of filenames with trusted client certificates.
El
Pp
One function of TLS is mutual authentication of client and server.
Unless authentication is disabled by setting
Ql tls_verify=off
the following rules are used.
Ss "Client Authentication"
A client can be configured not to check a server's certificate by
setting the
Em action Ap s
parameter
Ql verify
to
Ql off .
If the server's certificate is signed by a trusted CA then it is checked
if its hostname or IP is given in its certificate
Po
as a CommonName, as a
Tn DNS
SubjectAltName, or as an
Tn IP
SubjectAltName
Pc .
If any match is found then the server is authenticated.
If a
Ql subject
parameter is given then it is can satisfy this test as well.
This allows DNS-independent configurations using the server's IP address in the
destination and adding its hostname as
Ql subject
to authenticate the TLS connection without having to add the IP to the X.509
certificate.
Pp
If no CA is used or no trust path between CA and server certificate exists, then
hash value of the server's certificate is compared with the hash given in
Ql fingerprint
and the hash of the certificate in
Ql cert .
If the hashes are equal then the server is authenticated.
Ss "Server Authentication"
If using a CA and the client's certificate is signed by it then the client is
authenticated.
Otherwise the hash of the client's certificate is compared with the hashes given
in
Ql tls_allow_fingerprints ,
and the hashes of the certificates given in
Ql tls_allow_clientcerts
options.
On any match the client is authenticated.
Sh BUFFERING OPTIONS
Xr syslogd 8
is able to buffer temporary not writable messages in memory.
To limit the memory consumed for this buffering the following options may be
given:
Pp
Bl -tag -width Ic -compact
It Ic file_queue_length
It Ic pipe_queue_length
It Ic tls_queue_length
The maximum number of messages buffered for one destination of type file,
pipe, or TLS respectively.
Defaults are
1024 for files and pipes and \-1 (no limit) for TLS.
Pp
It Ic file_queue_size
It Ic pipe_queue_size
It Ic tls_queue_size
The maximum memory usage in bytes of messages buffered for one destination.
Defaults are
Tn 1M
for files and pipes, and
Tn 16M
for TLS.
El
Pp
Values for these options can be specified using the usual suffixes accepted by
Xr dehumanize_number 3 .
Sh SIGNING OPTIONS
Xr syslogd 8
is able to digitally sign all processed messages.
The used protocol is defined by RFC\~5848 (syslog-sign):
at the start of a session the signing sender sends so called certificate
blocks containing its public key; after that it periodically sends a signed
message containing hashes of previous messages.
Pp
To detect later manipulation one has to keep a copy of the key used for
signing (otherwise an attacker could alter the logs and sign them with his
own key).
If TLS is used with a DSA key then the same key will be used for signing.
This is the recommended setup because it makes it easy to have copies of
the certificate (with the public key) in backups.
Otherwise new keys are generated on every restart and for certain verification
it is necessary to have copies of all used keys.
So logging only to a local file is not secure; at least the used keys should
be logged to another host.
Bl -tag -width Ic
It Ic sign_sg
Enables signing.
Set this option to enable syslog-sign and select how to assign
messages to signature groups (subsets of messages that are signed together).
To enable later signature verification and detection of lost messages the
assignment should be chosen such that all messages of one signature group
are written to the same file.
Four possible values for this option are:
Bl -tag -width Ds
It Li 0
Use one global signature group for all messages.
It Li 1
Use one signature group per priority.
It Li 2
Use signature groups for ranges of priorities.
It Li 3
Use one signature group per destination.
This is a custom strategy not defined by the standard.
With this setting one signature group is set up for
every file and network action.
El
It Ic sign_delim_sg2
This option is only evaluated with
Ql sign_sg=2
and allows to configure the priority ranges for signature groups.
The parameters are numerical values used as the maximum priority for one group.
The default is to use one signature groups per facility, which is equal to
setting
Dl sign_delim_sg2=7 15 23 31 39 ...
El
Sh FILES
Bl -tag -width Pa
It Pa /etc/syslog.conf
The
Xr syslogd 8
configuration file.
It Pa /usr/share/examples/syslogd/verify.pl
Example script to verify message signatures.
Po
Requires Perl and modules not part of
Nx .
Pc
El
Sh EXAMPLES
A configuration file might appear as follows:
Bd -literal
# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none /var/log/messages
# Log daemon messages at debug level only
daemon.=debug /var/log/daemon.debug
# The authpriv file has restricted access.
# Write logs with priority for later verification with syslog-sign.
authpriv.* +/var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
*.emerg @arpa.berkeley.edu
# Log all messages of level info or higher to another
# machine using TLS with an alternative portname and a
# fingerprint for authentication
*.info @[logserver]:1234(fingerprint="SHA1:01:02:...")
# Root and Eric get alert and higher messages.
*.alert root,eric
# Save mail and news errors of level err and higher in a
# special file.
mail,news.err /var/log/spoolerr
# Pipe all authentication messages to a filter.
auth.* |exec /usr/local/sbin/authfilter
# Log kernel messages to a separate file without syncing each message.
kern.* -/var/log/kernlog
# Save ftpd transactions along with mail and news.
!ftpd
*.* /var/log/spoolerr
# Send all error messages from a RAID array through a filter.
!raid0
kern.err |exec /usr/local/sbin/raidfilter
# Save pppd messages from dialhost to a separate file.
!pppd
+dialhost
*.* /var/log/dialhost-pppd
# Save non-local log messages from all programs to a separate file.
!*
-@
*.* /var/log/foreign
# Generate digital signatures for all messages
# to each file or network destination.
sign_sg=3
Ed
Sh SEE ALSO
Xr syslog 3 ,
Xr syslogd 8
Sh HISTORY
The
Nm
file appeared in
Bx 4.3 ,
along with
Xr syslogd 8 .
Sh BUGS
The effects of multiple selectors are sometimes not intuitive.
For example
Ql mail.crit;*.err
will select
Ql mail
facility messages at
the level of
Ql err
or higher, not at the level of
Ql crit
or higher.
