The syslog.conf file is the configuration file for the syslogd(1) program. It consists of lines with two fields: the selector field that specifies the types of messages and priorities to which the line applies, and an action field that specifies the action to be taken if a message syslogd(1) receives matches the selection criteria. The selector field is separated from the action field by one or more tab characters.
The selector function is encoded as a facility, a period ("."), and a level, with no intervening white space. Both the facility and the level are case insensitive:
facility[;facility...].level[,level...]
The facility describes the part of the system generating the message, and is one of the following keywords: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, syslog, user, uucp and local0 through local7. These keywords (with the exception of mark) correspond to the similar LOG_ values specified to the openlog(3) and syslog(3) library routines. An asterisk (*) can be used to represent all facilities.
The level describes the severity of the message, and is a keyword from the following ordered list (higher to lower): emerg, alert, crit, err, warning, notice and debug. These keywords correspond to the similar (LOG_) values specified to the syslog(3) library routine. The special level none disables a particular facility; an asterisk specifies all possible levels.
See syslog(3) for a further descriptions of both the facility and level keywords and their significance.
If a received message matches the specified facility and is of the specified level (or a higher level), the action specified in the action field will be taken.
Multiple selectors can be specified for a single action by separating them with semicolon (";") characters. It is important to note, however, that each selector can modify the ones preceding it.
Multiple facilities can be specified for a single level by separating them with comma (",") characters.
The special facility "mark" receives a message at priority "info" every 20 minutes (see syslogd(1)). This is not enabled by a facility field containing an asterisk.
The action field of each line specifies the action to be taken when the selector field selects a message. There are four forms:
Blank lines and lines whose first non-blank character is a hash ("#") character are ignored.
A configuration file might appear as follows:
# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages,
# plus log them on another machine.
*.emerg *
*.emerg @arpa.berkeley.edu
# Root and Eric get alert and higher messages.
*.alert root,eric
# Save mail and news errors of level err
# and higher in a special file.
uucp,news.crit /var/log/spoolerr
The effects of multiple selectors are sometimes not intuitive. For example "mail.crit,*.err" will select "mail" facility messages at the level of "err" or higher, not at the level of "crit" or higher.
To prevent tampering, if the permissions protecting syslogd.conf file allow the file to be written by anyone other than the file's owner and group, the file is ignored and an error is logged in the default log file (/var/log/adm/messages), if it exists. If the default log file does not exist, then the only way to determine that the syslogd.conf file is being ignored is by using syslogd -d.
syslogd(1)
syslog(3)