Linux version: syslogd - system logging utilities. Mac OS X (Darwin) version

syslogd
[-a socket] [-d] [-f config_file] [-h] [-l hostlist] [-m interval] [-n] [-p socket] [-r] [-s domainlist] [-v] [-x]

Syslogd provides system logging and kernel message trapping; the use of Internet and Unix domain sockets enables both local and remote logging.

  1. System logging is provided by syslogd.
  2. Kernel logging is provided by klogd.

Every logged message contains a time and a hostname field, and should include a program name field.

If an error occurs during parsing, the whole line is ignored.

OPTIONS

-d debug mode.
Suppress forking to the background.
Use when changing syslog.conf. See DEBUGGING below.
-f config_file configuration file, default: /etc/syslog.conf.
-l hostlist hosts that should be logged with their simple hostname rather than their fully qualified domain name.
Multiple hosts are separated with a colon (:).
-h forward any remote messages to the forwarding hosts that have been defined; by default remote messages are not forwarded.
-m minutes MARK interval: the line -- MARK -- is written to the log file even if no message was received, confirming that syslogd is still running. Default: 20 minutes.
Setting the interval to zero turns marking off.
-r enable the facility to receive messages from the network using an Internet domain socket with the syslog service (see services(5)).
-s domainlist domain names to be stripped off before logging.
Multiple domains may be specified using the colon (:) separator.
No sub-domains may be specified, only entire domains. For example, if -s north.de is specified and the logging host is satu.infodrom.north.de, no action is taken. Specify both domains: -s north.de:infodrom.north.de.
-x Disable name lookups when receiving remote messages; this avoids deadlocks when the nameserver runs on the same machine as the syslog daemon.
-n Don't switch to the background. Needed if syslogd is started and controlled by init(8).
-p socket alternative Unix domain socket instead of /dev/log.
-a socket specify additional sockets on which syslogd listens. This is needed for a daemon run within a chroot() environment.
Up to 19 additional sockets.
-v Print version and exit.

SIGNALS

Syslogd reacts to the following signals:

SIGHUP perform a re-initialization. All open files are closed, the configuration file (default /etc/syslog.conf) is reread and the syslog(3) facility is started again.

sudo kill -HUP `cat /var/run/syslog*.pid`

SIGTERM syslogd terminates politely.

SIGQUIT, SIGINT syslogd dies, unless debugging is enabled, in which case these signals are ignored.

sudo kill -QUIT `cat /var/run/syslog*.pid`

SIGUSR1 toggle debugging; only effective if started with -d.

sudo kill -USR1 `cat /var/run/syslog*.pid`

SIGCHLD Wait for child processes, if any were spawned to wall (writeAll) messages.

Configuration File

The following causes ALL output from daemons using the daemon facility (debug is the lowest priority, so every higher priority matches) to go into /usr/adm/daemons:

daemon.debug /usr/adm/daemons

Remote Logging

Messages can be sent to or received from another node.

Enable with -r; by default the network is ignored.

For sending and receiving, /etc/services should contain the entry syslog 514/udp, otherwise syslogd will die.

To forward messages to another host, use @syslogdhostname in syslog.conf as the destination.

For example, to forward ALL messages to a remote host:

*.*            @syslogdhostname

If the remote hostname cannot be resolved at startup, syslogd will try to resolve the name ten times and then complain. and ????

Avoid syslog loops: forwarding messages to a syslogd that forwards them back.

In a network, provide a central log server so that all the logs are kept on one machine.
If the network consists of different domains, logging will include fully qualified names.
-s strips off several domains other than the one the server is located in, so that only simple hostnames are logged.

-l defines single hosts as local machines.

The UDP socket used to forward messages to remote hosts or to receive messages from them is only opened when it is needed.

OUTPUT TO NAMED PIPES (FIFOs)

A FIFO or named pipe can be used as a destination for log messages by prepending a pipe symbol (``|'') to the name of the file. The FIFO must be created with the mkfifo command before syslogd is started.

# Sample configuration to route kernel debugging
# messages ONLY to /usr/adm/debug which is a named pipe.
kern.=debug |/usr/adm/debug

INSTALLATION CONCERNS

syslogd(8) and klogd(8) can either be run from init(8) or started as part of the rc.* sequence.
If started from init, use -n.

SECURITY THREATS
There is the potential for the syslogd daemon to be used as a conduit for a denial of service attack. A rogue program (or programmer) could flood the syslogd daemon with syslog messages, resulting in the log files consuming all the remaining space on the filesystem. Activating logging over the inet domain sockets exposes a system to risks beyond programs or individuals on the local machine.

There are a number of methods of protecting a machine:

  1. Implement kernel firewalling to limit which hosts or networks have access to the 514/UDP socket.
  2. Direct logging to a non-root filesystem.
  3. The ext2 filesystem can be configured to reserve a certain percentage of a filesystem for use by root only. This requires syslogd to be run as a non-root process.
  4. Disabling inet domain sockets limits the risk to the local machine. This prevents remote logging, since syslogd will be unable to bind to the 514/UDP socket.
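A detection check for the flood described above, as an added Python example that is not part of syslogd: it counts messages per host, program and minute in a classic syslog file and reports the sources above a limit, so a runaway logger can be found before the filesystem fills. It assumes the line layout the page describes (timestamp, hostname, program[pid]: message) and uses constructed sample lines with a hypothetical daemon named noisyd.

```python
import re
from collections import Counter

# Classic syslog file line: "Mon DD HH:MM:SS hostname program[pid]: message".
# The seconds are dropped from the captured timestamp so counts bucket per minute.
LINE_RE = re.compile(
    r"^(?P<minute>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d):\d\d (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def message_rates(lines):
    """Messages per (host, program, minute); lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["host"], rec["prog"], rec["minute"])] += 1
    return counts

def flooders(lines, per_minute_limit):
    """(host, program, minute, count) for every source above the limit, sorted."""
    return sorted((host, prog, minute, n)
                  for (host, prog, minute), n in message_rates(lines).items()
                  if n > per_minute_limit)

# Constructed sample: one chatty daemon logging every second, plus normal traffic
# and one line that is not in syslog format.
SAMPLE_LOG = ["Jun 18 10:00:%02d mac1 noisyd[4242]: retrying connection" % s
              for s in range(60)]
SAMPLE_LOG += [
    "Jun 18 10:00:05 mac1 sshd[101]: Accepted publickey for alice from 192.0.2.10",
    "Jun 18 10:01:07 mac1 sudo: alice : TTY=ttys000 ; COMMAND=/bin/ls",
    "this line is not in syslog format and is ignored",
]

if __name__ == "__main__":
    for host, prog, minute, n in flooders(SAMPLE_LOG, 30):
        print("%s %s: %d messages from %s in one minute" % (minute, host, n, prog))
```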

DEBUGGING

-d verbose display of activity is output to stdout.

When the configuration file is read, a tabular report is output:

  1. number: sequence number representing the position in the internal data structure.
    An omitted sequence number indicates an error in /etc/syslog.conf.
  2. pattern: represents the internal structure exactly.
    Every column stands for a facility (refer to syslog(3)); only the leftmost columns are used.
    Every field in a column represents a priority (refer to syslog(3)).
  3. action: the action that takes place when a message is received that matches the pattern. Refer to syslog.conf(5).
  4. arguments: additional arguments to the action:
    1. file logging: the filename of the logfile;
    2. user logging: a list of users;
    3. remote logging: the hostname of the machine to log to;
    4. console logging: the console used;
    5. tty logging: the specified tty. wall has no additional arguments.
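The facility and priority matching that the pattern table above and the Configuration File section describe, as an added Python example (not syslogd's own code). It assumes sysklogd's matching rules: a bare priority adds that level and every more severe one, =prio adds exactly that level, none clears the facility, * means all, and a line that fails to parse is dropped whole; the facility list and the sample configuration are constructed from lines on this page.

```python
# Added example, not syslogd's own code: match messages against syslog.conf selectors.
# Index order is severity: emerg is 0 and debug is 7, so a lower index is more severe.
PRIORITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
FACILITIES = ("kern", "mail", "daemon", "auth", "authpriv", "install", "remoteauth")

def parse_rule(line):
    """Parse 'selector[;selector...] action' into ({facility: levels}, action)."""
    selectors, action = line.split(None, 1)
    mask = {fac: set() for fac in FACILITIES}
    for selector in selectors.split(";"):
        facs, prio = selector.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else facs.split(",")
        if prio == "*":
            levels = set(range(len(PRIORITIES)))
        elif prio.startswith("="):
            levels = {PRIORITIES.index(prio[1:])}            # exactly this level
        elif prio != "none":
            levels = set(range(PRIORITIES.index(prio) + 1))  # this level and more severe
        for fac in targets:                                  # unknown facility -> KeyError
            if prio == "none":
                mask[fac].clear()                            # drop the facility entirely
            else:
                mask[fac] |= levels
    return mask, action.strip()

def load_rules(text):
    """Rules from a syslog.conf body; comments and unparsable lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            try:
                rules.append(parse_rule(line))
            except (ValueError, KeyError):
                pass                       # syslogd ignores the whole line on an error
    return rules

def destinations(rules, facility, priority):
    """Actions whose pattern matches a facility.priority message, in file order."""
    return [act for mask, act in rules if PRIORITIES.index(priority) in mask[facility]]

# Constructed sample, adapted from the configuration lines on this page.
SAMPLE_CONF = """
kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit   /dev/console
auth.info;authpriv.*            /var/log/secure.log
kern.=debug                     |/usr/adm/debug
daemon.debug                    /usr/adm/daemons
this.line.has.no.action
"""
```

With the sample above, a kern.debug message reaches both the console and the FIFO, while an authpriv message never reaches the console because the none selector cleared that facility.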

FILES
/etc/syslog.conf syslog.conf(5)
/dev/log, socket used by local syslog
/var/run/syslogd.pid, file containing the process id of syslogd.

SOCKETS (from /etc/services)

syslog          514/udp
syslog-conn     601/udp     # Reliable Syslog Service
syslog-conn     601/tcp     # Reliable Syslog Service

If an error occurs in one line, the whole rule is ignored.

Syslogd doesn't change the permissions of logfiles.
If a file is created, it is world readable.
This can be avoided by using savelog(8) to rotate logfiles.
It is a security hole if everybody is able to read messages from the auth.* facility.

SEE ALSO
syslog (BSD; really the Mac OS X / Darwin version), syslog-ng (BalaBit Ltd version), syslog.conf(5), klogd(8), logger, syslog(2), syslog(3), services(5), savelog(8)

From smacker OS X 10.5.7 6/18/09

#  Priority levels (note, counter-intuitively, Emergency has a lower level number than Debug):
#  Emergency (0), Alert (1), Critical (2), Error (3), Warning (4), Notice (5), Info (6), Debug (7)

*.err                                                               /dev/console
kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit       /dev/console
# DON'T send messages to the serial port.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit        /dev/tty.serial

*.notice                         /var/log/system.log
mail.crit                        /var/log/system.log
kern.debug                       /var/log/system.log
authpriv,remoteauth,ftp          /var/log/system.log
install.none                     /var/log/system.log

# authpriv log file should be restricted access
auth.info;authpriv.*            /var/log/secure.log
remoteauth.crit                 /var/log/secure.log
lpr.info                        /var/log/lpr.log
mail.*                          /var/log/mail.log
ftp.*                           /var/log/ftp.log
install.*                       /var/log/install.log
install.*                       @127.0.0.1:32376
local0.*                        /var/log/appfirewall.log
local1.*                        /var/log/ipfw.log

*.emerg                             *
*.alert                         /var/log/01-alert.log
*.crit                          /var/log/02-crit.log
##see above *.err               /var/log/03-err.log
*.warn                          /var/log/04-warn.log
##see above *.notice            /var/log/05-notice.log
*.notice                        /var/log/05-notice.log
*.info                          /var/log/06-info.log
*.debug                         /var/log/07-debug.log
sudo.*                          /var/log/sudo.log
#++++++++++++++++++++++++++++++++++++++++++++++

Darwin launchd plist for com.apple.syslogd (fragment)
 <key>Label</key> <string>com.apple.syslogd</string>
    <key>OnDemand</key> <false/>
    <key>HopefullyExitsLast</key> <true/>
    <key>EnableTransactions</key> <true/>
    <key>ProgramArguments</key> <array> <string>/usr/sbin/syslogd</string> </array>
    <key>MachServices</key> <dict> <key>com.apple.system.logger</key> <true/> </dict>
    <key>Sockets</key> <dict> <key>AppleSystemLogger</key> 
        <dict> <key>SockPathName</key> <string>/var/run/asl_input</string>
            <key>SockPathMode</key> <integer>438</integer>
        </dict>
        <key>BSDSystemLogger</key>
        <dict> <key>SockPathName</key> <string>/var/run/syslog</string>
            <key>SockType</key> <string>dgram</string>
            <key>SockPathMode</key> <integer>438</integer>
        </dict>
    </dict>
</dict>

/System/Library/LaunchDaemons/com.apple.newsyslog.plist
 <key>Label</key> <string>com.apple.newsyslog</string>
    <key>ProgramArguments</key> <array> <string>/usr/sbin/newsyslog</string> </array>
    <key>LowPriorityIO</key> <true/>
    <key>Nice</key> <integer>1</integer>
    <key>StartCalendarInterval</key> <dict> <key>Minute</key> <integer>30</integer> </dict>

COLLABORATORS
Syslogd is taken from BSD sources, Greg Wettstein (greg@wind.enjellic.com) performed the port to Linux,