Linux version Apple System Log

syslogd

system logging utilities.

syslogd [-d] [-f config_file] [-h] [-l hostlist] [-m interval] [-n] [-p socket] [-a socket] [-r] [-s domainlist] [-v] [-x]

system logging and kernel message trapping,
Use of internet and unix domain sockets enables local and remote logging.

  1. System logging is provided of syslogd
  2. kernel logging is provided by the klogd
Logged message contains a time and a hostname field, and should include a program name field.

If an error occurs during parsing of the config file the whole line is ignored.

OPTIONS

-d debug mode. Supress fork to the background.
Use when changing syslog.conf.
-f config file default: /etc/syslog.conf .(N.B. not syslogd)
only contains lines defining destination of messages of the form facility.level destination
-l hostlist hosts that should be logged with simple hostname not fuly qualified domanin name. Multiple hosts are seperated with a colon(: )
-h forward any remote messages to forwarding hosts which have been defined, default messages are not forwarded.
-m minutes MARK interval, -- MARK -- is written to the log files(s)? even if no message were received, confirming that syslogd has been running. Default: 20 minutes.
Setting the interval to zero turns marking off .
-r receive message from the network using an internet domain socket with the syslog service
-s domain:… domainnames stripped off before logging.
No sub-domains may be specified only entire domains.
Example: if -s north.de is specified and the host logging is satu.infodrom.north.de no action is taken. Specify two domains : -s north.de:infodrom.north.de.
-x Disable name lookups when receiving remote messages.
avoids deadlocks when the nameserver is running on the same machine that runs the syslog daemon.
-n don't background. needed if the syslogd is started and controlled by init.
-p socket alternative unix domain socket (port) instead of /dev/log.
-i
-a socket … additional sockets syslogd listens to, needed by a daemon run within a chroot environment.
Up to 19 additional sockets.
-v Print version and exit.

SIGNALS

Syslogd reacts to
SIGHUP perform a re-initialization.
Files are closed and the configuration file is re-read

sudo kill -HUP `cat /var/run/syslog*.pid`

SIGTERM syslogd terminates politely

sudo kill -TERM `cat /var/run/syslog*.pid`

SIGQUIT
SIGIN
die unless debugging is enabled then ignored

SIGUSR1 toggle debugging only if started with -d

sudo kill -USR1 `cat /var/run/syslog*.pid`

SIGCHLD Wait for childs if some were born, because of wall'ing (writeAll) messages.

Configuration File

Lines are of the form
facility.level destination

Prefix the destination filename with - to omit sync'ing the file after every write to it.(reduces I/O load).

Example:
Cause ALL messages using the daemon facility
(debug is the lowest priority, so all higher levels match) to go into /var/log/daemons and don't sync I/O system:

daemon.debug -/var/log/daemons

* specifies that all messages for the specified facility are directed to the destination.
= restricts logging to the specified priority class. allows, routing only debug messages to a particular logging source.
! exclude logging of the specified priorities, affects all (!) possibilities of specifying priorities.

Examples:
Direct debug messages from all sources

*.=debug /var/log/debug

All messages of the facility mail except those with the priority info

mail.*;mail.!=info /var/log/mail
All messages from news.info (including) to news.crit (excluding)
news.info;news.!crit /var/log/news

mail.none or mail.!* or mail.!debug
to skip all messages with a mail facility.

Remote Logging

Enable forwarding (perhaps for consolidation) or receiving messages from another node with -r; Default: ignore network.

Sending and receiving syslogd /etc/services must contain syslog 514/udp otherwise syslogd will die.

To forward messages to another host : use @syslogdhostname in syslog.conf for destination.

For example, to forward ALL messages to a remote host

*.*            @syslogdhostnam

If the remote hostname cannot be resolved at startup, Syslogd will try to resolve the name ten times and then complain. and ????

syslog-loops (bad) : forwarding messages to a syslogd that forwards them back.

In a network provide a central log server to have all the logs kept on one machine.
If the network consists of different domains logging will include fully qualfied names.
-s stripdomain off several domains other than the one the server is located in and only log simple hostnames.

-l define single hosts as local machines.

The UDP socket used to forward messages to remote hosts or to receive messages from them is only opened when it is needed.

OUTPUT TO NAMED PIPES (FIFOs)

A fifo or named pipe can be used as a destination for log messages by prepending a | to the name of the file. the fifo must be created with the mkfifo command before syslogd is started.

# Sample configuration to route kernel debugging # messages ONLY to /var/log/debug which is a named pipe. kern.=debug |/var/log/debug

INSTALLATION CONCERNS

syslogd and klogd can be run from init or started as part of the /etc/rc.* sequence.
If started from init use -n (don't switch to background.)

SECURITY THREATS
There is the potential for the syslogd daemon to be used as a conduit for a denial of service attack. A rogue program(mer) could flood the syslogd daemon with syslog messages resulting in the log files consuming all the remaining space on the filesystem. Activating logging over the inet domain sockets will expose a system to risks outside of programs or individuals on the local machine.

There are a number of methods of protecting a machine:

  1. Implement kernel firewalling to limit which hosts or networks have access to the 514/UDP socket.
  2. Log to an non-root filesystem.
  3. Log to an ext2 filesystem which can be configured to limit a percentage of a filesystem to usage by root only, requiring syslogd to be run as a non-root process.
  4. Disabling inet domain sockets limits risk to the local machine, preventing remote logging since syslogd will be unable to bind to the 514/UDP socket.

DEBUGGING

-d verbose display of activity is output to stdout.

When the configuration file is read a tabular report is output:

  1. number sequence number representing the position in the internal data structure.
    An omitted sequence number indicates an error in /etc/syslog.conf.
  2. pattern
    columns are the facility (only the left most are used. )
    field in a column represents priorities
  3. action when a message is received that matches the pattern.
  4. arguments additional arguments to the actions
    1. file-logging filename for the logfile;
    2. user-logging list of users;
    3. remote logging hostname of the machine to log to;
    4. console-logging used console;
    5. tty-logging specified tty; wall has no additional arguments.

FILES

/etc/syslog.conf syslog.conf(5)
/dev/log, socket used by local syslog
/var/run/syslogd.pid, file containing the process id of syslogd.

SOCKETS

(from /etc/services)
syslog          514/udp  
syslog-conn     601/udp     # Reliable Syslog Service
syslog-conn     601/tcp     # Reliable Syslog Service

If an error occurs in one line the whole rule is ignored. (Don't forget the # to preceed comments (NOT ALL VERSIONS)


Syslogd doesn't change the permissions of logfiles.
created files are world readable.
Use savelog(8) to rotate logfiles.
It is a security hole if everybody is able to message from the auth.* facility.

SEE ALSO
syslogBDS really Mac OSX ; darwin syslog-ngBalaBit Ltd version syslog.conf klogd(8), logger, syslog(2), syslog(3), services(5), savelog(8)

From smacker OS X 10.5.7 6/18/09

#  Emergency  (0)  note counter-intuitive Emergency has a level less than Debug.
#  Alert     #  Critical #  Error   #  Warning #  Notice #  Info #  Debug 

*.err                                                               /dev/console
kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit       /dev/console
# DONT Send messages to the serial port.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit        /dev/tty.serial

*.notice                         /var/log/system.log
mail.crit                        /var/log/system.log
kern.debug                       /var/log/system.log
authpriv,remoteauth,ftp          /var/log/system.log
install.none                     /var/log/system.log

# authpriv log file should be restricted access
auth.info;authpriv.*            /var/log/secure.log
remoteauth.crit                 /var/log/secure.log
lpr.info                        /var/log/lpr.log
mail.*                          /var/log/mail.log
ftp.*                           /var/log/ftp.log
install.*                       /var/log/install.log
install.*                       @127.0.0.1:32376
local0.*                        /var/log/appfirewall.log
local1.*                        /var/log/ipfw.log

*.emerg                             *
*.alert                         /var/log/01-alert.log
*.crit                          /var/log/02-crit.log
##see above *.err               /var/log/03-err.log
*.warn                          /var/log/04-warn.log
##see above *.notice            /var/log/05-notice.log
*.notice                        /var/log/05-notice.log
*.info                          /var/log/06-info.log
*.debug                         /var/log/07-debug.log
sudo.*                          /var/log/sudo.log
#++++++++++++++++++++++++++++++++++++++++++++++

See

logrotate

: rsyslogd

Collaborators: Syslogd is taken from BSD sources, Greg Wettstein (greg@wind.enjellic.com) performed the port to Linux,