1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
|
.\" $OpenBSD: syslogd.8,v 1.56 2017/07/05 09:40:16 mpi Exp $
.\"
.\" Copyright (c) 1983, 1986, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" from: @(#)syslogd.8 8.1 (Berkeley) 6/6/93
.\" $NetBSD: syslogd.8,v 1.3 1996/01/02 17:41:48 perry Exp $
.\"
.Dd $Mdocdate: July 5 2017 $
.Dt SYSLOGD 8
.Os
.Sh NAME
.Nm syslogd
.Nd log system messages
.Sh SYNOPSIS
.Nm syslogd
.Bk -words
.Op Fl 46dFhnruVZ
.Op Fl a Ar path
.Op Fl C Ar CAfile
.Op Fl c Ar cert_file
.Op Fl f Ar config_file
.Op Fl K Ar CAfile
.Op Fl k Ar key_file
.Op Fl m Ar mark_interval
.Op Fl p Ar log_socket
.Op Fl S Ar listen_address
.Op Fl s Ar reporting_socket
.Op Fl T Ar listen_address
.Op Fl U Ar bind_address
.Ek
.Sh DESCRIPTION
.Nm
writes system messages to log files or a user's terminal.
Output can be sent to other programs
for further processing.
It can also securely send and receive log messages
to and from remote hosts.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
Forces
.Nm
to use only IPv4 addresses for UDP.
.It Fl 6
Forces
.Nm
to use only IPv6 addresses for UDP.
.It Fl a Ar path
Specify a location where
.Nm
should place an additional log socket.
The primary use for this is to place additional log sockets in
.Pa /dev/log
of various chroot filespaces, though the need for these is
less urgent after the introduction of
.Xr sendsyslog 2 .
.It Fl C Ar CAfile
PEM encoded file containing CA certificates used for certificate
validation of a remote loghost;
the default is
.Pa /etc/ssl/cert.pem .
.It Fl c Ar cert_file
PEM encoded file containing the client certificate for TLS connections
to a remote loghost.
The default is not to use a client certificate for the outgoing connection
to a syslog server.
This option has to be used together with
.Fl k Ar key_file .
.It Fl d
Enable debugging to the standard output,
and do not disassociate from the controlling terminal.
.It Fl F
Run in the foreground instead of disassociating from the controlling
terminal and running as a background daemon.
.It Fl f Ar config_file
Specify the pathname of an alternate configuration file;
the default is
.Pa /etc/syslog.conf .
.It Fl h
Include the hostname when sending messages to a remote loghost.
.It Fl K Ar CAfile
PEM encoded file containing CA certificates used for client certificate
validation on the local listen socket.
By default incoming connections from any TLS client are allowed.
.It Fl k Ar key_file
PEM encoded file containing the client private key for TLS connections
to a remote loghost.
This option has to be used together with
.Fl c Ar cert_file .
.It Fl m Ar mark_interval
Select the number of minutes between
.Dq mark
messages; the default is 20 minutes.
.It Fl n
Print source addresses numerically rather than symbolically.
This saves an address-to-name lookup for each incoming message,
which can be useful when combined with the
.Fl u
option on a loghost with no DNS cache.
Messages from the local host will still be logged with
the symbolic local host name.
.It Fl p Ar log_socket
Specify the pathname of an alternate log socket to be used instead;
the default is
.Pa /dev/log .
.It Fl r
Print duplicate lines immediately and suppress the "last message
repeated" summary when piping to another program or forwarding to
a remote loghost.
If given twice, this is done for all log actions.
.It Fl S Ar listen_address
Create a TLS listen socket for receiving encrypted messages and
bind it to the specified address.
A port number may be specified using the
.Ar host : Ns Ar port
syntax.
The first
.Ar listen_address
is also used to find a suitable server key and certificate in
.Pa /etc/ssl/ .
.It Fl s Ar reporting_socket
Specify path to an
.Dv AF_LOCAL
socket for use in reporting logs stored in memory buffers using
.Xr syslogc 8 .
.It Fl T Ar listen_address
Create a TCP listen socket for receiving messages and bind it to
the specified address.
There is no well-known port for syslog over TCP, so a port number
must be specified using the
.Ar host : Ns Ar port
syntax.
.It Fl U Ar bind_address
Create a UDP socket for receiving messages and bind it to the
specified address.
This can be used, for example, with a pf divert-to rule to receive
packets when syslogd is bound to localhost.
A port number may be specified using the
.Ar host : Ns Ar port
syntax.
.It Fl u
Select the historical
.Dq insecure
mode, in which syslogd will
accept input from the UDP port.
Some software wants this, but you can be subjected to a variety of
attacks over the network, including attackers remotely filling logs.
.It Fl V
Do not perform remote server certificate and hostname validation
when sending messages.
.It Fl Z
Generate timestamps in ISO format.
This includes the year and the timezone, and all logging is done
in UTC.
.El
.Pp
The options
.Fl a , S , T ,
and
.Fl U
can be given more than once to specify multiple input sources.
.Pp
.Nm
reads its configuration file,
.Xr syslog.conf 5 ,
when it starts up and whenever it
receives a hangup signal.
It creates the file
.Pa /var/run/syslog.pid
and stores its process ID there.
The PID can be used to kill or reconfigure
.Nm .
.Pp
.Nm
opens a UDP socket, as specified
in
.Pa /etc/services ,
for sending forwarded messages.
By default all incoming data on this socket is discarded.
If insecure mode is switched on with
.Fl u ,
it will also read messages from the socket.
.Nm
also opens and reads messages from the
.Ux Ns -domain
socket
.Pa /dev/log ,
and from the special device
.Pa /dev/klog
(to read kernel messages),
and from
.Xr sendsyslog 2
(to read messages from userland processes).
.Pp
The message sent to
.Nm
should consist of a single line.
The message can contain a priority code, which should be a preceding
decimal number in angle braces, for example,
.Dq <5> .
This priority code should map into the priorities defined in the
include file
.In sys/syslog.h .
.Pp
When sending syslog messages to a remote loghost via TLS, the
server's certificate and hostname are validated to prevent malicious
servers from reading messages.
If the server has a certificate with a matching hostname signed by
a CA in
.Pa /etc/ssl/cert.pem ,
it is verified with that by default.
If the server has a certificate with a matching hostname signed by
a private CA, use the
.Fl C
option and put that CA into
.Ar CAfile .
Validation can be explicitly turned off using the
.Fl V
option.
If the server is accepting messages only from clients with a trusted
client certificate, use the
.Fl k
and
.Fl c
options to authenticate
.Nm
with this certificate.
.Pp
When receiving syslog messages from a TLS client, there must be
a server key and certificate in
.Pa /etc/ssl/private/host Ns Oo : Ns Ar port Oc Ns Ar .key
and
.Pa /etc/ssl/host Ns Oo : Ns Ar port Oc Ns Ar .crt .
If the client uses certificates to authenticate, the CA of the
client's certificate may be added to
.Ar CAfile
using the
.Fl K
option to protect from messages being spoofed by malicious senders.
.Sh FILES
.Bl -tag -width /var/run/syslog.pid -compact
.It Pa /dev/log
Name of the
.Ux Ns -domain
datagram log socket.
.It Pa /dev/klog
Kernel log device.
.It Pa /etc/ssl/
Private keys and public certificates.
.It Pa /etc/syslog.conf
Configuration file.
.It Pa /var/run/syslog.pid
Process ID of current
.Nm .
.El
.Sh SEE ALSO
.Xr logger 1 ,
.Xr syslog 3 ,
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr newsyslog 8 ,
.Xr syslogc 8
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.3 .
.Sh CAVEATS
.Nm
does not create files,
it only logs to existing ones.
|