syslogd - Logs system messages
/usr/sbin/syslogd [-b rcv-buf-size] [-d] [-e] [-E] [-f
cfg-file] [-m mk-interval] [-p path] [-r] [-R] [-s]
-b rcv-buf-size
Specifies the size in Kbytes of the socket receive buffer.
The default and maximum is 128 Kb. If you attempt to specify
a larger size buffer it is automatically reduced to
128 Kb. Setting the buffer to a small value could result
in messages being lost during periods of high logging
activity.

-d
Turns on the debugging feature.

-e
Specifies that events are to be posted to the Event Manager, EVM.
This is the default behavior and the syslogd daemon always
restarts in event forwarding mode unless you specify the
-E option.

-E
Turns off the default posting of events to the Event Manager, EVM.

-f cfg-file
Specifies an alternate configuration file.

-m mk-interval
Specifies the mark interval.

-p path
Specifies the pathname of the UNIX domain socket to be used in
making connections to the syslogd daemon. The default is /dev/log.
You should not change this default in normal operation
because the client functions syslog and openlog. See syslog(3) and openlog(3) reference pages.

-r
Allows the syslogd daemon to create an inet port for remote access.
This is the default behavior. Use the -R option to prevent the
syslogd daemon from creating an inet port. If you specify
the -r and -R options together, the last one specified
takes precedence.

-R
Prevents the syslogd daemon from creating an inet port. Using the
-R option prevents all remote access. Remote systems cannot send
messages to be logged locally, and the local daemon cannot send
messages to be logged remotely. If you specify the -r and -R
options together, the last one specified takes precedence.

-s
Disables the posting of events to the console.
The syslogd daemon reads and logs messages to a set of
files described in the /etc/syslog.conf configuration file.
Each message logged consists of one line. A message can
contain a priority code, marked by a number in angle
braces at the beginning of the line. Priorities are
defined in the /usr/include/sys/syslog_pri.h file. The
syslogd daemon reads from the domain socket /dev/log, from
an Internet domain socket specified in /etc/services, and
from the special device /dev/klog, which reads kernel messages.
The syslogd daemon configures itself when it starts up and
when it receives a hangup (SIGHUP) signal. To reconfigure
the daemon, use the ps command to identify the daemon's
process identifier (PID) and then use the following command:
# kill -HUP pid
(The PID of the daemon is also recorded in /var/run/syslog.pid).
This command causes the daemon to read the
revised configuration file.
The /etc/syslog.conf file contains entries that specify
the facility (the part of the system that generated the
error), the error message severity level, and the destination
to which the syslogd daemon sends the messages. Each
line of the /etc/syslog.conf file contains an entry.
The following is an example of an /etc/syslog.conf file:
#
# syslogd config file
#
# facilities: kern user mail daemon auth syslog lpr binary
# priorities: emerg alert crit err warning notice info debug
kern.debug /var/adm/messages
kern.debug /dev/console
The facility and its severity level must be separated by a
period (.). You can specify more than one facility on a
line by separating them with commas. You can specify more
than one facility and severity level on a line by separating
them with semicolons.
The facility and its severity level must be separated from
the destination by one or more tab characters or spaces.
If you specify an asterisk (*) for a facility, messages
generated by all parts of the system are logged. All messages
of the specified level and of a greater severity are
logged. Blank lines and lines beginning with # (number
sign) are ignored.
This line logs all facilities at the emerg level (and
higher) and the mail and daemon facilities at the crit (or
higher) level to the /var/adm/syslog/misc.log destination.
Known facilities and levels recognized by the syslogd daemon
are those listed in /usr/include/sys/syslog_pri.h
without the leading LOG_. The additional facility mark
has a message at priority LOG_INFO sent to it every 20
minutes (this may be changed with the -m option). The
mark facility is not enabled by a facility field containing
an * (asterisk). The level none may be used to disable
a particular facility. For example:
The previous entry sends all messages except mail messages
to the /var/adm/syslog/misc.log file.
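The selector rules above, modelled in Python as an added example (not code from syslogd or from this reference page): it turns each entry into a per-facility severity threshold and reports which destinations receive a given message. The sample entries, the loghost.example host name and the rule that a later selector overrides an earlier one for the same facility are assumptions.

```python
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "binary"]
DISABLED = -1  # threshold stored for the level "none"

# Constructed sample entries; the destinations are illustrative only.
SAMPLE_CONF = (
    "# constructed sample\n"
    "*.emerg;mail,daemon.crit\t/var/adm/syslog/misc.log\n"
    "*.debug;mail.none\t/var/adm/syslog/all.log\n"
    "kern.err\t@loghost.example\n"
)


def parse_entry(line):
    """Return (thresholds, destination) for one entry, or None if ignored."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank lines and comment lines are ignored
    selector_field, destination = line.split(None, 1)
    thresholds = {}  # facility -> index of the least severe level logged
    for selector in selector_field.split(";"):
        facilities, _, level = selector.rpartition(".")
        if level != "none" and level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        limit = DISABLED if level == "none" else LEVELS.index(level)
        for fac in facilities.split(","):
            if fac != "*" and fac != "mark" and fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            # "*" covers every facility except mark
            for name in (FACILITIES if fac == "*" else [fac]):
                thresholds[name] = limit  # assumption: later selector overrides
    return thresholds, destination.strip()


def is_logged(thresholds, facility, level):
    """True if the entry selects a message of this facility and level."""
    limit = thresholds.get(facility, DISABLED)
    return limit != DISABLED and LEVELS.index(level) <= limit


def destinations_for(conf_text, facility, level):
    """Destinations in conf_text that receive the given message."""
    hits = []
    for line in conf_text.splitlines():
        entry = parse_entry(line)
        if entry and is_logged(entry[0], facility, level):
            hits.append(entry[1])
    return hits
```

Running destinations_for over a real configuration for auth or kern messages shows at a glance whether security-relevant messages reach a file or a remote host at all.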
There are four possibilities for the message destination:
A filename that begins with a leading / (slash). The syslogd daemon will open the file in append mode.
A hostname preceded by an @ (at sign). Selected messages are forwarded to the syslogd daemon on the named host.
A comma separated list of users. Selected messages are written to those users if they are logged in.
An * (asterisk). Selected messages are written to all users who are logged in.

*.crit /var/adm/syslog/critical
kern.err @ucbarpa
*.emerg *
*.alert eric,kridle
*.alert;auth.warning
The preceding configuration file logs messages as follows:
Logs all kernel messages and 20 minute marks onto the system console
Logs all notice (or higher) level messages and all mail system messages except debug messages into the file /var/adm/syslog/mail
Logs all critical messages into the /var/adm/syslog/critical file
Forwards kernel messages of error severity or higher to ucbarpa.
Informs all users of any emergency messages, informs users eric and kridle of any alert messages, and informs user ralph of any alert message or any warning message (or higher) from the authorization
Destinations for logged messages can be specified with
full pathnames that begin with a leading / (slash). The
syslogd daemon then opens the specified file(s) in append
mode. If the pathname to a syslogd daemon log file is
specified in the syslog.conf file as /var/adm/syslog.dated/file,
the syslogd daemon inserts a date directory directly above
file in the directory structure, and thus produces a
day-by-day account of the messages received. Typically, you
will want to divert messages
separately, according to facility, into files such as
kern.log, mail.log, lpr.log, and debug.log. The file
/var/adm/syslog.dated/current is a link to the most recent
log file directory.
If some pathname other than /var/adm/syslog.dated/file is
specified as the pathname to the logfile, the syslogd daemon
does not create the daily date directory. For example,
if you specify /var/adm/syslog/mail.log (without the .dated
suffix after syslog), the syslogd daemon simply logs messages
to the mail.log file and allows this file to grow
The syslogd daemon can recover the messages in the kernel
syslog buffer that were not logged to the files specified
in the /etc/syslog.conf file because a system crash
occurred. The savecore command copies the buffer recovered
from the dump to the file specified in the "msgbuf.err"
entry in the /etc/syslog.conf file. When the syslogd daemon
starts up, it looks for this file and, if it exists,
processes and then deletes the file.
Configuration
The syslogd daemon acts as a central routing facility for
messages whose formats are determined by the programs that
The syslogd daemon creates the /var/run/syslog.pid file if
possible. The file contains a single line with its process
ID. This can be used to kill or reconfigure the syslogd
daemon. For example, if you modify the syslog.conf file
and you want to implement the changes, use the following command:
# kill -HUP `cat /var/run/syslog.pid`
If a syslog.conf configuration file does not exist, the
syslogd daemon uses the following defaults:
*.ERR /dev/console
*.PANIC *
The defaults log all error messages to the console and all
panic messages (from the kernel) to all logged-in users.
No files are written.
To turn off printing of syslog messages to the console,
please refer to the syslog(1) reference page.
Remote Message Forwarding
The syslogd daemon has a remote message forwarding function. As a
security feature, this capability is turned off by
default. If you intend to configure other hosts to forward
syslog messages to a local host, use the su command to
become superuser (root) and manually create the /etc/syslog.auth
file using a text editor on the local host.
The /etc/syslog.auth file specifies which remote hosts are
allowed to forward syslog messages to the local host.
Unless the domain host name of a remote host is given in
the local /etc/syslog.auth file, the local host will not
log any messages from that remote host. Note that if no
/etc/syslog.auth file exists on the local host, then any
remote hosts that can establish a network connection will
be able to log messages. See the syslog.auth(4) reference
page for information.
Event Management
By default, the syslogd daemon initializes with the -e
option, and its events are forwarded to the Event Management
utility (EVM). If the syslogd daemon is restarted,
event forwarding also restarts by default. If you do not
want event forwarding to restart automatically, you can
turn it off using the -E option.
Messages from the syslogd daemon are converted to EVM
events and notified to the EVM daemon. Refer to the
EVM(5) reference page and System Administration for more
information on EVM.
Specifies the command path
Configuration file.
Process ID.
Specifies what remote hosts can forward messages to the local host.
Contains configuration information that specifies what syslogd messages will be forwarded to the Event Manager, EVM.
Enables and disables printing to the console device.
The name of the domain datagram log socket.
Kernel log device.
The directory where daily log subdirectories reside.
A link to the directory containing the most recent daily log files.
Commands: logger(1), syslog(1), savecore(8).
Functions: syslog(3), openlog(3).
Files: syslog.auth(4), syslog.conf(4), syslog_evm.conf(4).
Network Administration: Connections, Network
Administration: Services, and System Administration.