Mac OS X Server: The System Log

The System Log is a background process that allows messages from different parts of the operating system to be recorded in several ways. These messages are often important in diagnosing problems with the system, but the messages contain other useful information. This document focuses on the syslog.conf file because understanding it is the key to understanding the system log and its functionality.
syslogd is the daemon (background process) that determines what is done with each message the system generates. The file /etc/syslog.conf is the configuration file that syslogd reads when it starts up.

syslogd is started when the /etc/rc script executes the /etc/startup/0900_SystemLog script. When syslogd starts, it creates a file called /var/run/syslog.pid. This file contains the process ID of syslogd so that it can be stopped. syslogd can be stopped and restarted so that a new syslog.conf is read without restarting the entire computer. syslogd must be restarted for changes in syslog.conf to take effect.

Restarting syslogd can be done by executing the /etc/startup/0900_SystemLog script, or by typing syslogd at the command line. Note: this must be done as root.

syslog.conf

The syslog.conf file is the configuration file for the syslog. It has only a few operands, but it is highly configurable. Each line of the syslog.conf file is divided into two fields, the selector field and the action field. These are usually separated by two tabs.

Selector Field      Action Field
facility.levels     action

The "*" symbol is a wildcard and denotes all facilities or levels.

The Selector Field

The selector field consists of the facility and the level, as shown in the table above. The facility is the part of the operating system reporting the message; the level is the severity of the message. If a message is at or above the level in the selector field, then the action is executed. Actions can do several things with the message and are discussed below.

The possible facilities that can be used are: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, and local0 through local7.

The possible levels are emerg, alert, crit, err, warning, notice, info, debug, and none. The levels are listed from highest to lowest, so a level of debug is the lowest level that can be set and it will report all messages.

Facilities                Levels
auth                      alert
authpriv                  crit
cron                      err
daemon                    warning
kern                      notice
syslog                    info
lpr                       debug
mail
mark
user
uucp
local0 through local7

Each facility can be used with any level.

Commas are used to separate multiple facilities from each other. Multiple selector fields on the same line can be separated by a semicolon. All selector fields on the same line will have the action specified on that line.

Selector Field                                                  Action Field
facility,facility.level;facility.level,level;facility.level    action

All of the messages recorded by the system log would have the same action in this example.

The Action Field

The action field specifies what is done with the message. The following table lists the four possible actions, and what they do.

Message Is                    Action
appended to existing file     /var/log/syslog
sent to a host                @[hostname]
sent to a user                user name (commas separate multiple users)
sent to all users             the "*" symbol

Examples

Anything after a "#" symbol on a line is a comment.

kern,lpr.err		root,jim_bob	# sends kern and lpr level err and higher to the users root and jim_bob
mail.*;cron.debug		root	# sends only to root
mail.alert		*	# sends to all users
syslog.err		@records.foo.com	# sends to the host records.foo.com

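
The selector and action rules above can be checked mechanically, which is useful when confirming where a given class of message (for example, everything from one facility) actually ends up. The following Python sketch is an added example, not part of the original document: it parses syslog.conf lines and reports which actions a message of a given facility and level would trigger. The function names and the sample configuration are constructed for illustration, and treating "none" as excluding a facility, with later selectors on a line overriding earlier ones, is an assumption based on standard syslogd behaviour that this document does not describe.

```python
# Added example: route a (facility, level) message through syslog.conf rules.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # highest first

def classify_action(action):
    """Map the action field to one of the four actions in the table above."""
    if action.startswith("/"):
        return ("file", action)
    if action.startswith("@"):
        return ("host", action[1:])
    if action == "*":
        return ("all_users", None)
    return ("users", action.split(","))          # commas separate multiple users

def parse_line(line):
    """Return (selectors, action) for one line, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()         # anything after "#" is a comment
    if not line:
        return None
    selector_field, action = line.split(None, 1) # fields are separated by tabs
    selectors = []
    for selector in selector_field.split(";"):   # semicolons separate selectors
        facilities, level = selector.rsplit(".", 1)
        selectors.append((facilities.split(","), level))  # commas separate facilities
    return selectors, classify_action(action.strip())

def matches(selectors, facility, level):
    """True if a message with this facility and level is selected by the line."""
    threshold = None
    for facilities, sel_level in selectors:      # assumption: later selectors override
        if facility in facilities or "*" in facilities:
            if sel_level == "none":              # assumption: "none" excludes the facility
                threshold = None
            else:
                threshold = len(LEVELS) - 1 if sel_level == "*" else LEVELS.index(sel_level)
    # A message matches when it is at or above the selector's level.
    return threshold is not None and LEVELS.index(level) <= threshold

def route(conf_text, facility, level):
    """List the actions a message would trigger under the given configuration."""
    rules = [r for r in map(parse_line, conf_text.splitlines()) if r]
    return [action for selectors, action in rules if matches(selectors, facility, level)]

# Constructed sample configuration, modelled on the examples above.
SAMPLE_CONF = """\
kern,lpr.err\t\troot,jim_bob   # users
mail.*;cron.debug\t\troot
*.notice;mail.none\t\t/var/log/syslog
syslog.err\t\t@records.foo.com
"""
```

Calling route(SAMPLE_CONF, "kern", "crit") returns the user action for root and jim_bob plus the /var/log/syslog file action, while a kern message at level info triggers nothing because it is below every matching selector.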
Published Date: Feb 20, 2012