What are the fields in /etc/syslog.conf and what is the file format

The key file that controls syslogd behavior is /etc/syslog.conf. Traditionally each non-comment line contains two columns, called the selector and the action.

  • selector field: a semicolon-separated list of priority specifications, each a facility.level pair, in the format facility.level;facility.level;... For example:
    *.err;kern.debug;daemon.notice;mail.crit
  • action field: defines where the message is delivered. This field holds one of the following four types of entries:
    1. file  Output is appended to the file (or device) whose absolute path is given, for example /var/adm/messages or /dev/console.
    2. @host  The @ sign denotes that messages are forwarded to the syslogd on the named host, a remote log server. The name should be defined in /etc/hosts so that it resolves even when name service is unavailable.
    3. user[,user]  The listed user(s) (a comma-delimited list) receive the message on their terminal if they are logged in.
    4. *  All logged-in users receive the message on their terminals.

NOTE: In classic syslogd the syntax of /etc/syslog.conf is quite restrictive. It does not permit spaces as the column separator: one or more tabs must separate the selector column from the action column. A line separated by spaces is silently ignored or misparsed, which is a common reason why a newly added rule "does nothing".

Now let's discuss those two columns in some detail. The selector field is a semicolon-separated list of priority specifications in the format facility.level;facility.level. Within one selector the pairs are applied left to right, so a later pair for the same facility overrides an earlier one (for example *.info;mail.none selects everything at info and above except mail).

  • The facility field identifies the subsystem that produced the message and can take only the following codes (local0 through local7 count as eight):
    • kern  Messages generated by the kernel.
    • user  Messages generated by user processes (the default when a program does not specify a facility).
    • mail  The mail system.
    • daemon  System daemons, such as the in.ftpd and the telnetd daemons.
    • auth  The authorization system, including the login and su commands.
    • syslog  Messages generated internally by the syslogd daemon.
    • lpr  The line printer spooling system, such as the lpr and lpc commands.
    • news  The USENET network news system.
    • uucp  The UNIX-to-UNIX copy (UUCP) system. Obsolete; UUCP itself never used the syslog function, so the code is reserved rather than used.
    • cron  The cron and at facilities, including crontab, at, and cron.
    • mark  Timing messages generated by syslogd itself. For example the line mark.* /dev/console causes the time to be printed on the system console at every mark interval (20 minutes by default; syslogd's -m option changes it). This is useful if you have other information being printed on the console and you want a running clock on the printout. Note that the facility wildcard * does not include mark; it must be selected explicitly.
    • local0-7  Eight user-defined codes for site-specific applications.
  • The level selector specifies the severity or importance of the message. Selecting a level matches messages at that level and at every more severe level (a lower number); it never matches less severe ones. To remember the sequence for the certification exam you can use an appropriately constructed phrase such as "Every alerted car driver escapes warning notice" (emerg, alert, crit, err, warning, notice; info and debug follow).
    • emerg or 0  Panic conditions that are normally broadcast to all users.
    • alert or 1  Conditions that should be corrected immediately, such as a corrupted system database. Typically only the sysadmin of that particular server needs to be informed, by mail or pager.
    • crit or 2  Critical conditions, such as hard device errors.
    • err or 3  Errors other than hard device errors.
    • warning or 4  Warning messages that generally do not interfere with normal operation.
    • notice or 5  Non-error conditions that might require special handling.
    • info or 6  Purely informational messages (usually require no handling).
    • debug or 7  Messages that are normally used only when debugging a program.
    • none  Not a severity but a special keyword: no messages from the indicated facility are sent to the selected action. It is used to exclude one facility from a wider selector, as in *.info;mail.none.
    • *  As a level, * selects every severity (equivalent to debug).
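To see how the selector and action rules above combine, here is a small routing simulator for the classic syslog.conf format. It is an added example written for this page, not code from the original article and not any real syslogd's source; the sample configuration, the host name loghost and the file paths in it are constructed for illustration. It enforces the tab-separated columns, applies facility.level pairs left to right (so none can exclude a facility from a * selector), treats a level as matching itself and everything more severe, excludes mark from the * facility wildcard, and classifies the four action forms.

```python
"""Toy router for the classic /etc/syslog.conf format (added example, not syslogd code)."""
from typing import Dict, List, Optional, Tuple

# Severities in classic order: index 0 is the most severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_NUM = {name: n for n, name in enumerate(LEVELS)}
# Spellings most syslogd implementations accept for the same levels.
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "mark"] + ["local%d" % i for i in range(8)]

# A parsed selector maps each facility to the least severe level it accepts,
# or None when the facility sends nothing to this action.
Selector = Dict[str, Optional[int]]
Action = Tuple[str, object]


def parse_selector(text: str) -> Selector:
    """Parse 'facility[,facility].level;...' into a per-facility threshold.

    Pairs are applied left to right, so a later pair for the same facility
    overrides an earlier one; that is what makes '*.info;mail.none' work.
    """
    mask: Selector = {f: None for f in FACILITIES}
    for pair in text.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        if "." not in pair:
            raise ValueError("selector %r lacks a '.level' part" % pair)
        fac_part, level = pair.rsplit(".", 1)
        level = LEVEL_ALIASES.get(level, level)
        if level == "*":
            threshold: Optional[int] = LEVEL_NUM["debug"]   # every severity
        elif level == "none":
            threshold = None                                # exclude facility
        elif level in LEVEL_NUM:
            threshold = LEVEL_NUM[level]
        else:
            raise ValueError("unknown level %r in %r" % (level, pair))
        if fac_part == "*":
            facs = [f for f in FACILITIES if f != "mark"]   # '*' never covers mark
        else:
            facs = [f.strip() for f in fac_part.split(",")]
        for fac in facs:
            if fac not in mask:
                raise ValueError("unknown facility %r in %r" % (fac, pair))
            mask[fac] = threshold
    return mask


def parse_action(text: str) -> Action:
    """Classify the action column into the four classic forms."""
    if text == "*":
        return ("wall", None)            # every logged-in user
    if text.startswith("@"):
        return ("forward", text[1:])     # remote log server
    if text.startswith("/"):
        return ("file", text)            # regular file or device such as /dev/console
    return ("users", tuple(u.strip() for u in text.split(",")))


def parse_config(text: str) -> List[Tuple[Selector, Action]]:
    """Parse a whole syslog.conf; the two columns must be separated by a tab."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError("line %d: selector and action must be tab-separated" % lineno)
        selector, action = line.split("\t", 1)
        rules.append((parse_selector(selector), parse_action(action.strip())))
    return rules


def config_errors(text: str) -> List[str]:
    """Lint helper: return parse errors as strings instead of raising."""
    try:
        parse_config(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def route(rules, facility: str, level: str) -> List[Action]:
    """Return every action that a message logged as facility.level would reach."""
    level = LEVEL_ALIASES.get(level, level)
    if facility not in FACILITIES or level not in LEVEL_NUM:
        raise ValueError("bad facility/level %s.%s" % (facility, level))
    pri = LEVEL_NUM[level]
    # Selecting e.g. 'err' matches err and everything more severe (lower number).
    return [action for mask, action in rules
            if mask[facility] is not None and pri <= mask[facility]]


# Constructed sample configuration; 'loghost' and the paths are illustrative.
SAMPLE_CONF = (
    "# constructed sample /etc/syslog.conf\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err\troot,operator\n"
    "*.emerg\t*\n"
    "auth.info\t@loghost\n"
    "*.info;mail.none\t/var/adm/syslog\n"
    "mark.*\t/dev/console\n"
)
RULES = parse_config(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, lvl in [("kern", "debug"), ("mail", "warning"), ("daemon", "emerg"),
                     ("auth", "notice"), ("mark", "info")]:
        print("%s.%s -> %s" % (fac, lvl, route(RULES, fac, lvl)))
```

Running it shows the consequences of the rules that trip people up: a mail.warning message reaches nothing, because mail.crit on the first line is too strict and mail.none on the fifth line cancels the *.info wildcard; a daemon.emerg message reaches all four of the file, the user list, every logged-in terminal and the second file; and mark messages only reach /dev/console because * does not expand to the mark facility. The config_errors helper is the check to run before reloading syslogd, since a space-separated line is exactly the kind of mistake that produces no error message from the daemon itself.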

After making any changes to /etc/syslog.conf you need to ask the daemon to reread the configuration file by sending it SIGHUP, for example with pkill -HUP syslogd (or kill -HUP on the PID from /etc/syslog.pid where that file exists). Until then the running daemon keeps using the old rules.
