System logging is an important aspect of system administration. It is used to detect hardware and software issues and errors in the system. It plays an important role in security auditing and incident response. System daemons without a controlling terminal usually log information to a system logging facility or other log file.
This section describes how to configure and use the FreeBSD system logger, syslogd(8), and how to perform log rotation and log management using newsyslog(8). Focus will be on setting up and using syslogd(8) on a local machine. For more advanced setups using a separate loghost, see Section 29.12, “Remote Host Logging with syslogd”.
In the default FreeBSD configuration, syslogd(8) is started at boot. This is controlled by the variable syslogd_enable in /etc/rc.conf. There are numerous application arguments that affect the behavior of syslogd(8). To change them, use syslogd_flags in /etc/rc.conf. One of these deserves attention on any machine that is not meant to be a loghost: the default value of syslogd_flags, set in /etc/defaults/rc.conf, is -s, which makes syslogd(8) refuse log messages from remote machines but still opens the network socket. Giving the flag twice (-ss) opens no network socket at all, which also disables logging to a remote loghost. Refer to syslogd(8) for more information on the arguments, and rc.conf(5), Section 12.3, “Core Configuration” and Section 12.7, “Using rc(8) Under FreeBSD” for more information about /etc/rc.conf and the rc(8) subsystem.
The configuration file, by default /etc/syslog.conf, controls what syslogd(8) does with the log entries once they are received. There are several parameters to control the handling of incoming events, of which the most basic are facility and level. The facility describes which subsystem generated the message, such as the kernel or a daemon, and the level describes the severity of the event that occurred. This makes it possible to log the message to different log files, or discard it, depending on the facility and level. It is also possible to take action depending on the application that sent the message, and in the case of remote logging, the hostname of the machine generating the logging event.
The configuration file for syslogd(8) contains one line per action, and the syntax for each line is a selector field followed by an action field. The syntax of the selector field is facility.level, which will match log messages from facility at level level or higher. It is also possible to add an optional comparison flag before the level to specify more precisely what is logged. Multiple selector fields can be used for the same action, and are separated with a semicolon (;). Using * will match everything. The action field denotes where to send the log message, such as to a file or remote log host. The default syslog.conf shipped with FreeBSD is a good illustration of this syntax. It contains a selector that matches all messages at a given level or higher, a selector that matches all messages from a single facility, a selector that uses a comparison flag, and a program specification: a line beginning with ! names a program, and the rules following it are only valid for that program. In the default file, the line after the !ppp specification logs all messages from ppp(8), but from no other program, to the file named in its action field.
This example shows that there are plenty of levels and subsystems. The levels are, in order from most to least critical: emerg, alert, crit, err, warning, notice, info, and debug. The facilities are, in no particular order: auth, authpriv, console, cron, daemon, ftp, kern, lpr, mail, mark, news, security, syslog, user, uucp, and local0 through local7. The difference between auth and authpriv is worth keeping in mind: authpriv is intended for authentication messages that should only land in files readable by selected users, which is why the default configuration excludes it from the world-readable /var/log/messages with authpriv.none. Be aware that other operating systems might have different facilities.
With this knowledge, it is easy to add a new line to /etc/syslog.conf to log everything from the different daemons on level notice and higher to /var/log/daemon.log: a line whose selector field is daemon.notice and whose action field is /var/log/daemon.log, the two separated by whitespace. Two details are easy to miss. syslogd(8) does not create log files, so the target file must exist (touch it and set its mode and ownership) before syslogd(8) is told to reread its configuration, and the running daemon only picks up the change after service syslogd reload, which sends it a SIGHUP.
For more information about the different levels and facilities, refer to syslog(3) and syslogd(8). For more information about /etc/syslog.conf, its syntax, and more advanced usage examples, see syslog.conf(5) and Section 29.12, “Remote Host Logging with syslogd”.
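The selector matching rules described above, worked through as an added example (written for this section; it is not code from the FreeBSD Handbook or from syslogd(8) itself): a small Python model of how syslogd applies a syslog.conf, run over a constructed configuration and a few constructed messages. The configuration lines, the message list and the program names are all assumptions made for the example; host specifications and the negated !-prog form are deliberately left out.

```python
"""Minimal model of how syslogd(8) applies syslog.conf(5) selectors.
Constructed example written for this section; it is not syslogd's code.
Modelled: facility.level selectors, ',' and ';' lists, '*' and 'none',
comparison flags (<, =, >, combinations, '!' negation) and '!prog' /
'!*' program specifications.  Not modelled: '+host'/'-host' host
specifications, '!-prog' negated program lists, and action delivery."""
import re

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "console", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "mark", "news", "security", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
ALL_LEVELS, ALL_FACS = set(LEVELS), set(FACILITIES)


def parse_level_spec(spec):
    """Levels matched by a level spec: 'err' (err and more severe), '=debug',
    '<=notice', '!=info', 'none' (disable the facility) or '*' (every level)."""
    if spec == "none":
        return set()
    if spec == "*":
        return ALL_LEVELS
    negate = spec.startswith("!")
    m = re.fullmatch(r"([<=>]*)([a-z]+)", spec[1:] if negate else spec)
    if not m or m.group(2) not in LEVELS:
        raise ValueError(f"bad level spec: {spec!r}")
    flags, rank = m.group(1) or ">=", LEVELS.index(m.group(2))   # no flag: this level or more severe
    matched = set()
    for r, lvl in enumerate(LEVELS):          # rank 0 = emerg (most severe) ... 7 = debug
        if (">" in flags and r < rank) or ("=" in flags and r == rank) or ("<" in flags and r > rank):
            matched.add(lvl)
    return ALL_LEVELS - matched if negate else matched


def parse_conf(text):
    """Parse syslog.conf text into rules: (program set or None, {facility: levels}, action).
    Within one line a later selector overrides an earlier one for the same facility,
    which is what makes '*.notice;authpriv.none' exclude authpriv."""
    rules, programs = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):                   # program specification for the following lines
            spec = line[1:].strip()
            programs = None if spec == "*" else set(spec.split(","))
            continue
        selectors, action = line.split(None, 1)    # selector field, whitespace, action field
        facmap = {}
        for sel in selectors.split(";"):
            facs, dot, spec = sel.partition(".")
            facs = ALL_FACS if facs == "*" else set(facs.split(","))
            if not dot or facs - ALL_FACS:
                raise ValueError(f"bad selector: {sel!r}")
            levels = parse_level_spec(spec)
            for fac in facs:
                facmap[fac] = levels               # later selector wins for the same facility
        rules.append((programs, facmap, action))
    return rules


def route(rules, facility, level, program):
    """Actions a message would be delivered to, in configuration order."""
    return [action for progs, facmap, action in rules
            if (progs is None or program in progs) and level in facmap.get(facility, ())]


SAMPLE_CONF = """\
# constructed configuration exercising the syntax above; not FreeBSD's shipped file
*.err;kern.warning;auth.notice;mail.crit    /dev/console
*.notice;authpriv.none;kern.debug;mail.crit /var/log/messages
security.*                                  /var/log/security
auth.info;authpriv.info                     /var/log/auth.log
daemon.notice                               /var/log/daemon.log
*.=debug                                    /var/log/debug.log
*.emerg                                     *
!ppp
*.*                                         /var/log/ppp.log
!*
"""

# constructed messages as (facility, level, sending program)
SAMPLE_MESSAGES = [
    ("authpriv", "info", "sshd"),      # authpriv.none keeps it out of /var/log/messages
    ("daemon", "warning", "ntpd"),     # below err for the console, notice or above elsewhere
    ("kern", "debug", "kernel"),       # kern.debug on the messages line, plus *.=debug
    ("mail", "crit", "sendmail"),
    ("user", "debug", "ppp"),          # the '!ppp' block adds /var/log/ppp.log
    ("local0", "emerg", "app"),        # '*' action: written to every logged-in user
]


def demo():
    rules = parse_conf(SAMPLE_CONF)
    return {msg: route(rules, *msg) for msg in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for (fac, lvl, prog), actions in demo().items():
        print(f"{fac}.{lvl:<7} from {prog:<8} -> {actions}")
```

Running the file prints which actions each message reaches. The sshd message is the case to study: it hits the *.notice selector on the /var/log/messages line, but the later authpriv.none on the same line overrides it, so the message ends up only in /var/log/auth.log.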
Log files tend to grow quickly and accumulate steadily. This leads to the files being full of less immediately useful information while filling up the hard drive. Log management attempts to mitigate this. In FreeBSD, newsyslog(8) is used to manage log files. This program periodically rotates and compresses log files, and optionally creates missing log files and signals programs when log files are moved. The log files are not necessarily generated by syslogd(8) as newsyslog(8) works with any logs written from any program. While newsyslog(8) is normally run from cron(8), it is not a system daemon. In the default configuration, it is run every hour.
To know which actions to take, newsyslog(8) reads its configuration file, by default /etc/newsyslog.conf. This configuration file contains one line for each file that newsyslog(8) manages. Each line states the file owner, permissions, when to rotate that file, optional flags that affect log rotation, such as compression, and programs to signal when the log is rotated. The default configuration shipped with FreeBSD follows this layout:
Each line starts with the name of the file to be rotated, optionally followed by an owner and group for both rotated and newly created files. The mode field sets the permissions on the log file and count denotes how many rotated log files should be kept. The size and when fields tell newsyslog(8) when to rotate the file. A log file is rotated when either its size is larger than the size field, or when the time in the when field has passed. * means that this field is ignored. The flags field gives newsyslog(8) further instructions, such as how to compress the rotated file or to create the log file if it is missing. The last two fields are optional, and specify the PID file of a process and a signal number to send to that process when the file is rotated. For more information on all fields, valid flags, and how to specify the rotation time, refer to newsyslog.conf(5). Since newsyslog(8) is run from cron(8), it can not rotate files more often than it is run from cron(8). Two practical points: the mode field decides who can read a log once newsyslog(8) has created or rotated it, so files that hold authentication detail, such as /var/log/auth.log, should keep a mode of 600 rather than the 644 used for general logs; and newsyslog -nv prints what a run would do without rotating anything, which is the quickest way to check a new line before the next hourly run.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.