UNIX System Administration Handbook - Evi Nemeth [134]
Selectors can contain the special keywords * and none, meaning all or nothing, respectively. A selector can include multiple facilities separated with commas. Multiple selectors can also be combined with semicolons.
In general, selectors are ORed together; a message matching any selector will be subject to the line’s action. However, a selector with a level of none excludes the listed facilities regardless of what other selectors on the same line may say.
Here are some examples of ways to format and combine selectors:
facility.level action
facility1,facility2.level action
facility1.level1;facility2.level2 action
*.level action
*.level;badfacility.none action
Table 11.2 on the next page lists the valid facility names (some rows have been shaded to improve readability). Most versions of syslog define 18 different facilities, but 21 are defined in the latest release. The extra slots are reserved for future use.
Table 11.2 Syslog facility names
a. Newer facilities in version 8.1 from Berkeley.
syslogd itself produces time stamp messages, which are logged if the “mark” facility appears in syslog.conf to specify a destination for them. Timestamps can help you figure out that your machine crashed between 3:00 and 3:20 a.m., not just “sometime last night.” This information can be a big help when you are debugging problems that seem to occur on a regular basis. For example, many sites have experienced mysterious crashes when the housekeeping staff plugged in vacuum cleaners late at night, tripping the circuit breakers.
If your system is quite busy, other log messages often provide adequate time stamp information. But in the wee hours of the morning, that is not always the case.
Syslog’s severity levels are listed in order of descending importance in Table 11.3.
Table 11.3 Syslog severity levels (descending severity)
The severity level of a message specifies its importance. In the syslog.conf file, levels indicate the minimum importance that a message must have in order to be logged. For example, a message from the mail system at level warning would match the selector mail.warning as well as the selectors mail.notice, mail.info, mail.debug, *.warning, *.notice, *.info, and *.debug. If syslog.conf specifies that mail.info messages be logged to a file, then mail.warning messages will go there also.
The action field tells what to do with a message. The options are listed in Table 11.4.
Table 11.4 Syslog actions
If a filename action is used, the filename should be an absolute path. On most systems, the file must exist; syslogd will not create it. If a hostname is used rather than an IP address, it must be resolvable through a translation mechanism such as DNS or NIS.
See page 523 for more information about how hostnames are translated to IP addresses.
Some versions of syslog use the m4 macro preprocessor on the configuration file. Check your manual pages and use quotes liberally so that your configuration means what you intend. For example, you must quote anything that is an m4 keyword or contains a comma. Here is a typical m4-style entry:
auth.notice ifdef(`LOGHOST', `/var/log/authlog', `@loghost')
Note that the quotes used are the back-tick and the single apostrophe. This line directs messages to the file /var/log/authlog if LOGHOST is defined. Otherwise, messages are forwarded to the machine loghost. m4’s ifdef statements are very powerful; they allow sysadmins to create a single syslog.conf that can be used on all machines.
Although multiple facilities and levels are allowed in a selector, there is no provision for multiple actions. To send a message to two places (such as to a local file and to a central logging host), two lines with the same selectors can be included in the configuration file.
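The selector rules above (OR-ed selectors, comma-separated facilities, the `*` wildcard, `none` exclusion), the minimum-level semantics of Table 11.3, and the "one line per action" rule can be checked against a small interpreter. The following is an added example written for this page, not code from the book or from any syslogd; the configuration it reads is constructed and the function names are the example's own. It evaluates a syslog.conf fragment the way the text describes and reports every action a given (facility, level) message would reach.

```python
"""Evaluate syslog.conf selectors as the text describes them (added example)."""

# Table 11.3 order, most severe first.  A level in a selector is a minimum,
# so a message matches when its index here is <= the selector level's index.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample configuration; the hosts and paths are placeholders.
SAMPLE_CONF = """\
# comments and blank lines are ignored
*.err;kern.none          /var/log/errors
mail.info                /var/log/maillog
mail.info                @loghost
auth,authpriv.notice     /var/log/authlog
*.emerg                  *
"""


def parse_selector(text):
    """'mail,lpr.info' -> (['mail', 'lpr'], 'info'); rejects unknown levels."""
    facilities, _, level = text.rpartition(".")
    if not facilities or (level != "none" and level not in LEVELS):
        raise ValueError(f"bad selector: {text!r}")
    return [f.strip() for f in facilities.split(",")], level


def parse_conf(conf):
    """Return [(selectors, action)], where selectors is [(facilities, level)]."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Whitespace separates the selector field from the action field.
        selector_text, action = line.split(None, 1)
        selectors = [parse_selector(s) for s in selector_text.split(";")]
        rules.append((selectors, action))
    return rules


def line_matches(selectors, facility, level):
    """OR the selectors together, but a 'none' selector excludes its facilities outright."""
    for facilities, sel_level in selectors:
        if sel_level == "none" and facility in facilities:
            return False
    for facilities, sel_level in selectors:
        if sel_level == "none":
            continue
        if facility in facilities or "*" in facilities:
            if LEVELS.index(level) <= LEVELS.index(sel_level):
                return True
    return False


def actions_for(rules, facility, level):
    """Every action the message is delivered to: one per matching line,
    which is why two destinations need two lines with the same selector."""
    return [action for selectors, action in rules
            if line_matches(selectors, facility, level)]


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, lvl in [("mail", "warning"), ("kern", "crit"), ("kern", "emerg"),
                     ("lpr", "err"), ("mail", "debug")]:
        print(f"{fac}.{lvl:8} -> {actions_for(rules, fac, lvl)}")
```

Note that `mail.warning` lands in both the local file and on `loghost` only because the selector is repeated on two lines, and that `kern.crit` goes nowhere: `kern.none` removes kern from the `*.err` line regardless of the wildcard, and `crit` does not reach the `*.emerg` threshold.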
Red Hat enhancements to syslog
Red Hat ships a version of syslogd with several enhancements. It allows log messages to be