syslogd - Logs system messages
/usr/sbin/syslogd [-b rcv-buf-size] [-d] [-e] [-E] [-f cfg-file]
[-m mk-interval] [-p path] [-r] [-R] [-s]
-b rcv-buf-size
Specifies the size in Kbytes of the socket receive buffer. The default
and maximum is 128 Kb. If you attempt to specify a larger buffer size,
it is automatically reduced to 128 Kb. Setting the buffer to a small
value could result in messages being lost during periods of high log-
-d Turns on the debugging feature.
-e Specifies that events are to be posted to the Event Manager, EVM. This
is the default behavior and the syslogd daemon always restarts in event
forwarding mode unless you specify the -E option.
-E Turns off the default posting of events to the Event Manager, EVM.
-f cfg-file
Specifies an alternate configuration file.
-m mk-interval
Specifies the mark interval.
-p path
Specifies the pathname of the UNIX domain socket to be used in making
connections to the syslogd daemon. The default is /dev/log. You
should not change this default in normal operation because the client
functions syslog and openlog. See syslog(3) and openlog(3) reference
-r Allows the syslogd daemon to create an inet port for remote access.
This is the default behavior. Use the -R option to prevent the syslogd
daemon from creating an inet port. If you specify the -r and -R
options together, the last one specified takes precedence.
-R Prevents the syslogd daemon from creating an inet port. Using the -R
option prevents all remote access. Remote systems cannot send messages
to be logged locally, and the local daemon cannot send messages to be
logged remotely. If you specify the -r and -R options together, the
last one specified takes precedence.
-s Disables the posting of events to the console.
The syslogd daemon reads and logs messages to a set of files described in
the /etc/syslog.conf configuration file.
Each message logged consists of one line. A message can contain a priority
code, marked by a number in angle brackets at the beginning of the line.
Priorities are defined in the /usr/include/sys/syslog_pri.h file. The
syslogd daemon reads from the domain socket /dev/log, from an Internet domain
socket specified in /etc/services, and from the special device /dev/klog,
which reads kernel messages. The syslogd daemon reads its configuration when
it starts up and when it receives a hangup (SIGHUP) signal. To reconfigure
the daemon, use the ps command to identify the daemon's process identifier
(PID) and then use the following command:
# kill -HUP pid
(The PID of the daemon is also recorded in /var/run/syslog.pid.) This
command causes the daemon to read the revised configuration file.
The /etc/syslog.conf file contains entries that specify the facility (the
part of the system that generated the error), the error message severity
level, and the destination to which the syslogd daemon sends the messages.
Each line of the /etc/syslog.conf file contains an entry.
The following is an example of an /etc/syslog.conf file:
# syslogd config file
# facilities: kern user mail daemon auth syslog lpr binary
# priorities: emerg alert crit err warning notice info debug
The facility and its severity level must be separated by a period (.). You
can specify more than one facility on a line by separating them with
commas. You can specify more than one facility and severity level on a line
by separating them with semicolons.
The facility and its severity level must be separated from the destination
by one or more tab characters or spaces.
If you specify an asterisk (*) for a facility, messages generated by all
parts of the system are logged. All messages of the specified level and of
a greater severity are logged. Blank lines and lines beginning with #
(number sign) are ignored.
This line logs all facilities at the emerg level (and higher) and the mail
and daemon facilities at the crit (or higher) level to the
/var/adm/syslog/misc.log destination file.
Known facilities and levels recognized by the syslogd daemon are those
listed in /usr/include/sys/syslog_pri.h without the leading LOG_. The
additional facility mark has a message at priority LOG_INFO sent to it
every 20 minutes (this may be changed with the -m option). The mark
facility is not enabled by a facility field containing an * (asterisk). The
level none may be used to disable a particular facility. For example:
The previous entry sends all messages except mail messages to the
There are four possibilities for the message destination:
+ A filename that begins with a leading / (slash). The syslogd daemon
will open the file in append mode.
+ A hostname preceded by an @ (at sign). Selected messages are
forwarded to the syslogd daemon on the named host.
+ A comma-separated list of users. Selected messages are written to
those users if they are logged in.
+ An * (asterisk). Selected messages are written to all users who are
The preceding configuration file logs messages as follows:
+ Logs all kernel messages and 20 minute marks onto the system console
+ Logs all notice (or higher) level messages and all mail system
messages except debug messages into the file /var/adm/syslog/mail
+ Logs all critical messages into the /var/adm/syslog/critical file
+ Forwards kernel messages of error severity or higher to ucbarpa.
+ Informs all users of any emergency messages, informs users eric and
kridle of any alert messages, and informs user ralph of any alert
message or any warning message (or higher) from the authorization system.
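The selector rules described above (period between facility and level, commas, semicolons, *, none, the mark facility, and "this level and greater severity"), as an added example that is not part of the original reference page. The sample lines are constructed to match the behaviours in the list above and are not the page's own example file; the function names are hypothetical.

```python
# Added example: evaluates syslog.conf selectors as this page describes them.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "binary"]

# Constructed sample, written to match the behaviours listed above; it is
# not the example file from the original page.
SAMPLE_CONF = """\
# syslogd config file
kern,mark.debug\t/dev/console
*.notice;mail.info\t/var/adm/syslog/mail
*.crit\t/var/adm/syslog/critical
kern.err\t@ucbarpa
*.emerg\t*
*.alert\teric,kridle
*.alert;auth.warning\tralph
"""

def parse(conf):
    """Return [(thresholds, destination)]; thresholds maps facility -> level index or None."""
    rules = []
    for line in conf.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                          # blank lines and comments are ignored
        selectors, dest = line.split(None, 1)  # tabs or spaces precede the destination
        thresholds = {}
        for sel in selectors.split(";"):
            facs, level = sel.rsplit(".", 1)
            limit = None if level == "none" else LEVELS.index(level)
            for fac in facs.split(","):
                # "*" covers every facility except the special "mark" facility
                for name in (FACILITIES if fac == "*" else [fac]):
                    thresholds[name] = limit   # a later selector overrides an earlier one
        rules.append((thresholds, dest.strip()))
    return rules

def destinations(rules, facility, level):
    """Destinations that receive a message; lower index means greater severity."""
    sev = LEVELS.index(level)
    return [d for t, d in rules if t.get(facility) is not None and sev <= t[facility]]
```

Running `destinations(parse(conf), "auth", "warning")` against a live configuration shows at a glance whether authorization messages stay local, reach a user's terminal, or are forwarded to another host.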
Destinations for logged messages can be specified with full pathnames that
begin with a leading / (slash). The syslogd daemon then opens the
specified file(s) in append mode. If the pathname to a syslogd daemon log
file is specified in the syslog.conf file as /var/adm/syslog.dated/file,
the syslogd daemon inserts a date directory directly above file in the
directory structure, and thus produces a day-by-day account of the messages
received. Typically, you will want to divert messages separately,
according to facility, into files such as kern.log, mail.log, lpr.log, and
debug.log. The file /var/adm/syslog.dated/current is a link to the most
recent log file directory.
If some pathname other than /var/adm/syslog.dated/file is specified as the
pathname to the logfile, the syslogd daemon does not create the daily date
directory. For example, if you specify /var/adm/syslog/mail.log (without
the .dated suffix after syslog), the syslogd daemon simply logs messages to
the mail.log file and allows this file to grow indefinitely.
The syslogd daemon can recover the messages in the kernel syslog buffer
that were not logged to the files specified in the /etc/syslog.conf file
because a system crash occurred. The savecore command copies the buffer
recovered from the dump to the file specified in the "msgbuf.err" entry in
the /etc/syslog.conf file. When the syslogd daemon starts up, it looks for
this file and, if it exists, processes and then deletes the file.
The syslogd daemon acts as a central routing facility for messages whose
formats are determined by the programs that produce them.
The syslogd daemon creates the /var/run/syslog.pid file if possible. The
file contains a single line with its process ID. This can be used to kill
or reconfigure the syslogd daemon. For example, if you modify the
syslog.conf file and you want to implement the changes, use the following
# kill -HUP `cat /var/run/syslog.pid`
If a syslog.conf configuration file does not exist, the syslogd daemon uses
the following defaults:
The defaults log all error messages to the console and all panic messages
(from the kernel) to all logged-in users. No files are written.
To turn off printing of syslog messages to the console, please refer to the
syslog(1) reference page.
Remote Message Forwarding
The syslogd daemon has a remote message forwarding function. As a security
feature, this capability is turned off by default. If you intend to
configure other hosts to forward syslog messages to a local host, use the su
command to become superuser (root) and manually create the /etc/syslog.auth
file using a text editor on the local host.
The /etc/syslog.auth file specifies which remote hosts are allowed to
forward syslog messages to the local host. Unless the domain host name of a
remote host is given in the local /etc/syslog.auth file, the local host
will not log any messages from that remote host. Note that if no
/etc/syslog.auth file exists on the local host, then any remote hosts that
can establish a network connection will be able to log messages. See the
syslog.auth(4) reference page for information.
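A check of the remote logging exposure that follows from the -r/-R options and the /etc/syslog.auth note above, as an added example that is not part of the original reference page. It assumes options are passed as separate tokens; the function names and status strings are hypothetical, and the write-permission test is an extra hardening check that the page does not describe.

```python
import os
import stat

# Options that consume the following argument, per the synopsis on this page.
TAKES_ARG = {"-b", "-f", "-m", "-p"}

def remote_port_enabled(argv):
    """Apply the page's rule: -r is the default, -R disables, the last one wins."""
    enabled = True
    args = iter(argv)
    for arg in args:
        if arg in TAKES_ARG:
            next(args, None)   # skip the option's value so it is not read as a flag
        elif arg == "-r":
            enabled = True
        elif arg == "-R":
            enabled = False
    return enabled

def assess(argv, auth_path="/etc/syslog.auth"):
    """Classify remote logging exposure for a syslogd argument list."""
    if not remote_port_enabled(argv):
        return "closed"        # -R in effect: no inet port, no remote access
    try:
        mode = os.stat(auth_path).st_mode
    except FileNotFoundError:
        return "open"          # no syslog.auth: any reachable host can log
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "tamperable"    # allow-list exists but non-owners can rewrite it
    return "restricted"        # only hosts named in syslog.auth are accepted
```

An "open" result means the local logs can be filled or polluted by any host that can reach the port, so either create the allow-list file or start the daemon with -R.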
By default, the syslogd daemon initializes with the -e option, and its
events are forwarded to the Event Management utility (EVM). If the syslogd
daemon is restarted, event forwarding also restarts by default. If you do
not want event forwarding to restart automatically, you can turn it off
using the -E option.
Messages from the syslogd daemon are converted to EVM events and posted
to the EVM daemon. Refer to the EVM(5) reference page and System
Administration for more information on EVM.
Specifies the command path
Specifies what remote hosts can forward messages to the local host.
Contains configuration information that specifies what syslogd messages
will be forwarded to the Event Manager, EVM.
Enables and disables printing to the console device.
The name of the domain datagram log socket.
Kernel log device.
The directory where daily log subdirectories reside.
A link to the directory containing the most recent daily log files.
Commands: logger(1), syslog(1), savecore(8).
Functions: syslog(3), openlog(3).
Files: syslog.auth(4), syslog.conf(4), syslog_evm.conf(4).
Network Administration: Connections, Network Administration: Services, and