syslogd Daemon

Purpose

Logs system messages.

Syntax

syslogd [ -a ] [ -d ] [ -s ] [ -f ConfigurationFile ] [ -m MarkInterval ] [ -r ] [ -R ] [ -n ] [ -N ] [ -p LogName ] [ -M all ] [ -A AdditionalLog ] [ -e ]

Description

The syslogd daemon reads a datagram socket and sends each message line to a destination described by the /etc/syslog.conf configuration file. The syslogd daemon reads the configuration file when it is activated and when it receives a hangup signal.

The syslogd daemon creates the /etc/syslog.pid file, which contains a single line with the command process ID used to end or reconfigure the syslogd daemon.

A terminate signal sent to the syslogd daemon ends the daemon. The syslogd daemon logs the end-signal information and terminates immediately.

Each message is one line. A message can contain a priority code, marked by a digit enclosed in < > (angle braces) at the beginning of the line. Messages longer than 900 bytes may be truncated.

The /usr/include/sys/syslog.h include file defines the facility and priority codes used by the configuration file. Locally written applications use the definitions contained in the syslog.h file to log messages via the syslogd daemon.

Note: The syslogd log file cannot exceed 2 GB in size.

Flags

-a
Suppresses the reverse host name lookup for the messages coming from the remote host and logs the IP address of the remote host in the log files.
-d
Turns on debugging.
-e
Specifies enhanced rotation. All compressed and uncompressed files that are available in the log directory and that are created by the syslogd daemon are considered for rotation.
-f ConfigurationFile
Specifies an alternate configuration file.
-m MarkInterval
Specifies the number of minutes between the mark command messages. If you do not use this flag, the mark command sends a message with LOG_INFO priority every 20 minutes. This facility is not enabled by a selector field containing an asterisk (*), which selects all other facilities.
-M all
Specifies that duplicate messages in the log file are not suppressed. This flag is valid only if used with the all argument.
-s
Forwards a "shortened" message to another system (if it is configured to do so) for all forwarded syslog messages generated on the local system.
-r
Suppresses logging of messages received from remote hosts.
-R
Disables the facility to receive messages from the network using the internet domain socket.
-n
Suppresses the "Message forwarded from <log_host_name>: " string added to the beginning of the syslog message that is forwarded to a remote log host.
-N
Suppresses logging of priority and facility information for each log message.
-p LogName
Specifies an alternate path name for the datagram socket.
-A AdditionalLog
Specifies additional logs that the syslogd daemon checks. By default, the syslogd daemon checks the /dev/log file for messages. If this flag is specified, it also checks the additional files for messages. The additional logs might be in the chroot path.

Configuration File

The configuration file informs the syslogd daemon where to send a system message, depending on the message's priority level and the facility that generated it.

If you do not use the -f flag, the syslogd daemon reads the default configuration file, the /etc/syslog.conf file.

The syslogd daemon ignores blank lines and lines beginning with a number sign (#).

Format

Lines in the configuration file for the syslogd daemon contain a selector field, an action field, and an optional rotation field, separated by one or more tabs or spaces.

The selector field names a facility and a priority level. Separate facility names with a comma (,). Separate the facility and priority-level portions of the selector field with a . (period). Separate multiple entries in the same selector field with a semicolon (;). To select all facilities, use an asterisk (*).

The action field identifies a destination (file, host, or user) to receive the messages. If routed to a remote host, the remote system will handle the message as indicated in its own configuration file. To display messages on a user's terminal, the destination field must contain the name of a valid, logged-in system user.

The rotation field identifies how rotation is used. If the action field is a file, then rotation can be based on size or time, or both. One can also compress and/or archive the rotated files.

Facilities

Use the following system facility names in the selector field:

Facility Description
kern Kernel
user User level
mail Mail subsystem
daemon System daemons
auth Security or authorization
syslog syslogd daemon
lpr Line-printer subsystem
news News subsystem
uucp uucp subsystem
local0 through local7 Local use
* All facilities

Priority Levels

Use the following message priority levels in the selector field. Messages of the specified priority level and all levels above it are sent as directed.

Priority Description
emerg Specifies emergency messages (LOG_EMERG). These messages are not distributed to all users. LOG_EMERG priority messages can be logged into a separate file for reviewing.
alert Specifies important messages (LOG_ALERT), such as a serious hardware error. These messages are distributed to all users.
crit Specifies critical messages not classified as errors (LOG_CRIT), such as improper login attempts. LOG_CRIT and higher-priority messages are sent to the system console.
err Specifies messages that represent error conditions (LOG_ERR), such as an unsuccessful disk write.
warning Specifies messages for abnormal, but recoverable, conditions (LOG_WARNING).
notice Specifies important informational messages (LOG_NOTICE). Messages without a priority designation are mapped into this priority message.
info Specifies informational messages (LOG_INFO). These messages can be discarded, but are useful in analyzing the system.
debug Specifies debugging messages (LOG_DEBUG). These messages may be discarded.
none Excludes the selected facility. This priority level is useful only if preceded by an entry with an * (asterisk) in the same selector field.

Destinations

Use the following message destinations in the action field.

File Name
Full path name of a file opened in append mode
@Host
Host name, preceded by the at sign (@)
User[, User][...]
User names
*
All users
centralizedlog LogSpaceName/LogStreamName
PowerHA® pureScale® logstream
Note: You must have PowerHA pureScale appliance to use the centralizedlog LogSpaceName/LogStreamName message destination.

Rotation

Use the following rotation keywords in the rotation field.

rotate
This keyword must be specified after the action field.
size
This keyword specifies that rotation is based on size. It is followed by a number and either k (kilobytes) or m (megabytes).
time
This keyword specifies that rotation is based on time. It is followed by a number and one of h (hour), d (day), w (week), m (month), or y (year).
files
This keyword specifies the total number of rotated files. It is followed by a number. If not specified, the number of rotated files is unlimited.
compress
This keyword specifies that the saved rotated files will be compressed.
archive
This keyword specifies that the saved rotated files will be copied to a directory. It is followed by the directory name.

Effect of command line flags on syslogd rotation:

The -e flag:
This flag is used to enhance the syslogd rotation policy. When this flag is used, all the compressed and uncompressed files are considered during rotation.

If your log file rotation frequency is only determined by time, you can reset the timer by entering the following command:
refresh -s syslogd
The next rotation that is based on the time of the previous rotation does not occur when this command is run during the scheduled time interval.

Examples

  1. To log all mail facility messages at the debug level or above to the file /tmp/mailsyslog, enter the following command:
    mail.debug /tmp/mailsyslog
  2. To send all system messages except those from the mail facility to a host named rigil, enter the following command:
    *.debug;mail.none @rigil
  3. To send messages at the emerg priority level from all facilities, and messages at the crit priority level and above from the mail and daemon facilities, to users nick and jam, enter the following command:
    *.emerg;mail,daemon.crit nick, jam
  4. To send all mail facility messages to all users' terminal screens, enter the following command:
    mail.debug *
  5. To log all facility messages at the debug level or above to the file /tmp/syslog.out, have the file rotated when it gets larger than 500 kilobytes or when a week passes, limit the number of rotated files to 10, use compression, and use /syslogfiles as the archive directory, enter the following command:
    *.debug /tmp/syslog.out rotate size 500k time 1w files 10 compress archive /syslogfiles  
  6. To set the rotation schedule for the syslog.out file to rotate only every five days, enter the following command:
    *.debug /var/log/syslog.out rotate time 5d
    You can reset the timer at any time before the next rotation by entering the following command:
    refresh -s syslogd
    After you reset the timer, the next rotation occurs after the scheduled interval of time that starts at the time when the refresh command is entered.
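
The selector, action, and rotation fields described above can be evaluated in code to check where a given message ends up, for instance whether auth messages are forwarded to a remote log host. This is an added example, not part of the syslogd documentation or its source; the function names are hypothetical, and it assumes that a later selector entry overrides an earlier one for the same facility, which is consistent with examples 2 and 3.

```python
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp"] + [f"local{i}" for i in range(8)]

SAMPLE = """\
# constructed sample, assembled from the lines in the Examples section
mail.debug /tmp/mailsyslog
*.debug;mail.none @rigil
*.emerg;mail,daemon.crit nick, jam
*.debug /tmp/syslog.out rotate size 500k time 1w files 10 compress archive /syslogfiles
"""

def parse_selector(selector):
    """Map facility -> least severe priority index accepted (None means 'none')."""
    levels = {}
    for entry in selector.split(";"):
        names, _, prio = entry.rpartition(".")
        if prio != "none" and prio not in PRIORITIES:
            raise ValueError(f"unknown priority in {entry!r}")
        threshold = None if prio == "none" else PRIORITIES.index(prio)
        for name in names.split(","):
            if name != "*" and name not in FACILITIES:
                raise ValueError(f"unknown facility in {entry!r}")
            # Assumption: a later entry overrides an earlier one for a facility.
            for fac in (FACILITIES if name == "*" else [name]):
                levels[fac] = threshold
    return levels

def parse_line(line):
    """Split one line into (selector, action, rotation keyword tokens)."""
    selector, *rest = line.split()
    cut = rest.index("rotate") if "rotate" in rest else len(rest)
    return selector, " ".join(rest[:cut]), rest[cut + 1:]

def destinations(config_text, facility, priority):
    """Return the action fields that receive a facility.priority message."""
    want, hits = PRIORITIES.index(priority), []
    for line in map(str.strip, config_text.splitlines()):
        if not line or line.startswith("#"):   # blank and comment lines are ignored
            continue
        selector, action, _ = parse_line(line)
        threshold = parse_selector(selector).get(facility)
        if threshold is not None and want <= threshold:
            hits.append(action)
    return hits

def leaves_host(config_text, facility, priority):
    """True if the message is forwarded to at least one @Host destination."""
    return any(a.startswith("@") for a in destinations(config_text, facility, priority))
```

With the sample above, mail messages never reach @rigil because of mail.none, so a mail.crit message stays on the local system while auth messages are forwarded.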

Files

/etc/syslog.conf
Controls the output of syslogd.
/etc/syslog.pid
Contains the process ID.