UNIX System Administration Handbook - Evi Nemeth [135]
In syslog.conf, the characters = and ! can be prefixed to priority levels to indicate “this priority only” and “except this priority and higher.” Table 11.5 shows examples.
Table 11.5 Examples of priority level qualifiers in Red Hat’s syslog.conf
Red Hat’s syslogd is especially cautious in its handling of the network. Unless started with the -r flag, it will refuse to accept messages from other machines at all. By default, Red Hat’s syslogd also refuses to act as a third-party message forwarder; messages that arrive from one network host cannot be sent on to another. Use the -h flag to override this behavior. (If you want these options turned on all the time, add the flags to the /etc/rc.d/init.d/syslog script.)
Red Hat uses a separate process, klogd, to obtain messages from the kernel and inject them into the syslog message stream. While it’s possible to tweak this process, it’s rarely necessary or appropriate.
FreeBSD enhancements to syslog
Like Red Hat, FreeBSD provides some extra ways to specify priority levels in the syslog.conf file. They are illustrated in Table 11.6.
Table 11.6 Examples of priority level qualifiers in FreeBSD’s syslog.conf
In a defiant gesture against syslog’s classification scheme, FreeBSD allows you to select messages based on the name of the program from which they originate rather than just the generic and more nebulously defined facility name. Unfortunately, since syslogd doesn’t actually know this information, it has to guess by checking messages to see if they look like they start with a program name and a colon. For example, syslogd would interpret the message
named: starting. named 4.9.7 Sat Sep 2 09:39:12 GMT 1998 PHNE_14618
as having come from named. In the syslog.conf file, sections that should apply only to messages from a particular program are introduced by an exclamation mark and the program name.
For example, the lines
!named
*.* /var/log/named.log
send all messages that look like they came from named to /var/log/named.log.
While it’s useful to be able to route log messages based on their program of origin, this feature is a hack. The message formatting convention that it relies upon is not universally enforced or even universally followed.
FreeBSD’s syslogd must be told which remote hosts to accept log messages from with the -a option. Sets of remote hosts can be specified as network numbers with masks (e.g., -a 128.138.192.0/20) or as domain names (e.g., -a *.cs.colorado.edu). If you do not want to accept any messages from the network, you can prevent syslogd from even opening its network port with the -ss option.
You can put syslogd’s command-line arguments in /etc/rc.conf so that they’ll be used automatically at boot time. For example:
syslogd_flags="-a 128.138.192.0/20 -a *.cs.colorado.edu"
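To make the -a semantics concrete, here is an added example (not code from the book or from FreeBSD's syslogd) that models how a receiver would decide whether to accept a datagram given a syslogd_flags string: each -a entry is either a network with prefix length, matched against the sender's address, or a host-name pattern, matched against the sender's reverse-lookup name, and -ss means no network socket at all. The function names, the FLAGS constant and the sample addresses are assumptions made up for the illustration; the filter logic is a simplified model, not FreeBSD's own code.

```python
import fnmatch
import ipaddress

# Constructed from the rc.conf line on the page.
FLAGS = "-a 128.138.192.0/20 -a *.cs.colorado.edu"


def parse_syslogd_flags(flags):
    """Return (accept_network, allowed_peers) for a syslogd_flags string.

    -ss means the network port is never opened, so nothing is accepted;
    each -a argument names an allowed peer (network/prefixlen or name pattern).
    Hypothetical helper; FreeBSD's syslogd parses these itself via getopt.
    """
    parts = flags.split()
    peers = [parts[i + 1] for i, p in enumerate(parts)
             if p == "-a" and i + 1 < len(parts)]
    return ("-ss" not in parts, peers)


def _as_network(peer):
    """A peer entry is a network if ipaddress can parse it, else a name pattern."""
    try:
        return ipaddress.ip_network(peer, strict=False)
    except ValueError:
        return None


def peer_allowed(flags, src_ip, src_name=None):
    """Decide whether a message from src_ip (with reverse name src_name, if any)
    would be accepted.  Network entries compare the address; name entries
    compare the reverse-lookup name with a shell-style wildcard, anchored at
    both ends so 'cs.colorado.edu.attacker.example' does not slip through."""
    accept, peers = parse_syslogd_flags(flags)
    if not accept:
        return False
    addr = ipaddress.ip_address(src_ip)
    for peer in peers:
        net = _as_network(peer)
        if net is not None:
            if addr.version == net.version and addr in net:
                return True
        elif src_name is not None and fnmatch.fnmatchcase(
                src_name.lower().rstrip("."), peer.lower()):
            return True
    # No -a entry at all means nothing from the network is accepted.
    return False
```

Both checks trust what the sender's network presents: the source address of the datagram and, for name patterns, the PTR record for that address. Treat -a as a convenience filter that keeps stray hosts out of your logs, not as authentication of the log source.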
Config file examples
Below are three sample syslog.conf files that correspond to a stand-alone machine on a small network, a client machine on a larger network, and a central logging host on the same large network. The central logging host is called “netloghost”.4
Stand-alone machine
A basic configuration for a stand-alone machine is shown below:
# Small network or stand-alone syslog.conf file
# emergencies: tell everyone who is logged on
*.emerg *
# important messages
*.warning;daemon,auth.info,user.none /var/adm/messages
# printer errors
lpr.debug /var/adm/lpd-errs
The first noncomment line writes emergency messages to the screens of all current users. Examples of emergency-level messages are those generated by shutdown when the system is about to be turned off.
The second line writes important messages to /var/adm/messages. The info level is below warning, so the daemon,auth.info clause includes additional logging from passwd, su, and daemon programs; the user.none clause keeps messages from the user facility out of this file entirely, whatever their priority. The third line writes printer error messages to /var/adm/lpd-errs.
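To show how these selectors, the = and ! qualifiers, and FreeBSD's !program sections combine, here is an added example (not code from the book or from any syslogd) that parses a syslog.conf fragment and routes constructed messages through it. The semantics are modelled on sysklogd's cfline(): a plain level adds that level and everything more severe, =level adds only that level, !level removes that level and everything more severe, none resets the facility, and a ',' or ';' after a priority ends a clause (which is why the page's "daemon,auth.info,user.none" is two clauses). The function names, the SAMPLE_CONF text and the messages are assumptions made for the illustration; the program-name regex is a simplified version of the guess the text describes.

```python
import re

# Syslog's numeric order: emerg (0) is the most severe, debug (7) the least.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

# Constructed: the page's stand-alone file plus a FreeBSD-style !named section.
SAMPLE_CONF = """
*.emerg                                 *
*.warning;daemon,auth.info,user.none    /var/adm/messages
lpr.debug                               /var/adm/lpd-errs
!named
*.*                                     /var/log/named.log
!*
"""


def split_selectors(field):
    """Split 'facs.pri;facs.pri,facs.pri' into (facilities, priority) pairs."""
    clauses, i, n = [], 0, len(field)
    while i < n:
        dot = field.find(".", i)
        if dot < 0:
            raise ValueError("selector without priority: %r" % field[i:])
        j = dot + 1
        while j < n and field[j] not in ",;":
            j += 1
        clauses.append((field[i:dot], field[dot + 1:j]))
        i = j
        while i < n and field[i] in ",;":
            i += 1
    return clauses


def apply_clause(pmask, facs, pri):
    """Update pmask (facility -> set of matching levels) for one clause.
    Additive clauses OR into the set; '!' clauses subtract; 'none' resets."""
    fac_list = FACILITIES if facs == "*" else facs.split(",")
    ignore = pri.startswith("!")
    pri = pri[1:] if ignore else pri
    single = pri.startswith("=")
    pri = pri[1:] if single else pri
    for fac in fac_list:
        if fac not in pmask:
            raise ValueError("unknown facility %r" % fac)
        if pri == "none":
            pmask[fac] = set()
            continue
        if pri == "*":
            levels = set(range(len(PRIORITIES)))
        else:
            level = PRIORITIES.index(pri)
            levels = {level} if single else set(range(level + 1))
        if ignore:
            pmask[fac] -= levels
        else:
            pmask[fac] |= levels


def parse_conf(text):
    """Return [(pmask, program, action)]; program is None outside a
    '!program' section, and '!*' ends such a section."""
    rules, program = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            name = line[1:].strip()
            program = None if name == "*" else name
            continue
        field, action = line.split(None, 1)
        pmask = {fac: set() for fac in FACILITIES}
        for facs, pri in split_selectors(field):
            apply_clause(pmask, facs, pri)
        rules.append((pmask, program, action.strip()))
    return rules


# Simplified form of the guess described on the page: a leading word,
# an optional "[pid]", then a colon.
PROGRAM_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[\d+\])?:")


def guess_program(text):
    m = PROGRAM_RE.match(text)
    return m.group(1) if m else None


def route(rules, facility, priority, text):
    """Actions that fire for one message.  The program check looks only at
    the message text, so any sender can make a message look like named's."""
    level = PRIORITIES.index(priority)
    prog = guess_program(text)
    return [action for pmask, program, action in rules
            if level in pmask[facility] and (program is None or program == prog)]
```

Running route() over a user-facility message whose text begins with "named:" shows the hack the text warns about: the message lands in /var/log/named.log even though named never sent it, because the program section keys only on the text. The same model applies "mail.=crit" and "kern.*;kern.!err" exactly as Table 11.5 describes them.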
Network client
A network client typically forwards