ADC Home > Reference Library > Reference > Mac OS X > Mac OS X Man Pages

 

This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

For more information about the manual page format, see the manual page for manpages(5).



SYSLOG(1)                 BSD General Commands Manual                SYSLOG(1)

NAME
     syslog -- Apple System Log utility

SYNOPSIS
     syslog -help

     syslog -s [-r host] [-l level] message...

     syslog -s [-r host] -k key val [key val] ...

     syslog -C

     syslog [-db [file ...]] [-w [n]] [-F format] [-T format] expression

     syslog [-db [file ...]] -x expression

     syslog [-db [file ...]] -p expression

     syslog -c process [filter]

DESCRIPTION
     syslog is a command-line utility for a variety of tasks relating to the Apple System Log facility.  It
     provides mechanisms for sending and viewing log messages, pruning the contents of the log message data-bases, databases,
     bases, and for controlling the flow of log messages from client processes.

     When invoked with the -help option, syslog prints a usage message.

   SENDING MESSAGES
     The -s option is used send log messages to the syslogd(8) log message daemon, either locally or to a
     remote server if the -r host option in used.

     There are two main forms of the command.  If the -k option is used, then it must be followed by a list
     of keys and values.  A structured message will be sent to the server with the keys and values given as
     arguments.  If a key or a value has embedded white space, it must be enclosed in quotes.

     If the -k option is not specified, then the rest of the command line is treated as the message text.
     The text may be preceded by -l level to set the log level (priority) of the message.  Levels may be an
     integer value corresponding the the log levels specified in syslog(3) or asl(3), or they may be a
     string.  String values are case insensitive, and should be one of:

     Emergency     (level 0)
     Alert         (level 1)
     Critical      (level 2)
     Error         (level 3)
     Warning       (level 4)
     Notice        (level 5)
     Info          (level 6)
     Debug         (level 7)

     The string ``Panic'' is an alias for ``Emergency''.

     If the -l option is omitted, the log level defaults to 7 (Debug).

     syslog only requires one or two leading characters for a level specification.  A single character suf-fices suffices
     fices in most cases.  Use ``P'' or ``Em'' for Panic / Emergency, and ``Er'' or ``X'' for Error).

   READING MESSAGES
     The syslogd daemon filters and saves log messages to different output streams.  One module saves mes-sages messages
     sages to files specified in the syslog.conf(5) file.  Those log files may be examined with any file
     printing or editing utility, e.g.

           cat /var/log/system.log

     Another module saves messages in an active database, and may also be configured to keep archive data-bases. databases.
     bases.

     If invoked with no arguments, syslog sends a query to syslogd to fetch all messages from the active
     database.  The messages are then printed to standard output, subject to formatting options and charac-ter character
     ter encoding as described below.

     If invoked with the -C option, syslog fetches and prints console messages.  The -C option is actually
     an alias for the expression:

           -k Facility com.apple.console

     See the EXPRESSIONS section below for more details.

     If the system is running in single-user mode, syslog will open the ASL active database file
     (/var/log/asl.db) directly, rather than queying syslogd for messages.  The database file is opened in
     read-only mode, and read access permissions are required.  Specifying the -db option with no argument
     also forces raw database access.

     Archive log databases may be read by providing one or more database names as arguments to the -db
     option.  Each database is read in sequence.  As a special case, the name ``-'' may be used in place of
     a database file name.  In this case, syslog will connect to syslogd and query for the contents of the
     active database.

     The -w option causes syslog to wait for new messages.  By default, syslog prints the last 10 messages,
     then waits for new messages to be added to the database.  A number following the -w option specifies
     the number of messages to print and overrides the default value of 10.  For example:

           syslog -w 20

     This usage is similar to watching a log file using, e.g.

           tail -f /var/log/system.log

     The -w option can only be used for a single database, and when printing messages to standard output.

     If the -x database option is specified, messages are copied to the named database file rather than
     being printed.  The database file will be created if it does not exist.

     When called without the -x option, messages are printed to standard output.  Messages are printed in a
     format similar to that used in the system.log file, except that the message priority level is printed
     between angle-brackets.

     The output format may by changed by specifying the -F format option.  Non-printable and control charac-ters characters
     ters are encoded in the output, as described below.  The value of format may be one of the following:

     bsd   Format used by the syslogd daemon for system log files, e.g. /var/log/system.log.

     std   Standard (default) format.  Similar to ``bsd'', but includes the message priority level.

     raw   Prints the complete message structure.  Each key/value pair is enclosed in square brackets.
           Embedded closing brackets and white space are escaped.  Time stamps are printed as seconds since
           the epoch by default, but may also be printed in local time or UTC if the -T option is specified
           (see below).

     xml   The list of messages is printed as an XML property list.  Each message is represented as a dic-tionary dictionary
           tionary in a array.  Dictionary keys represent message keys.  Dictionary values are strings.

     The value of the format argument may also be a custom print format string.  A custom format should in
     most cases be enclosed in single quotes to prevent the shell from substituting special characters and
     breaking at white space.

     Custom format strings may include variables of the form ``$Name'' (or ``$(Name)'' if the variable is
     not delimited by whitespace) which will be expanded to the associated with the named key.  For example,
     the command:

           syslog -F '$Time $Host $(Sender)[$(PID)]: $Message'

     produces output similar to the ``bsd'' format.

     Timestamps may be printed in three formats.  Times are generally converted to local time, except when
     the -F sec option is used, in which case times are printed as the number of seconds since the epoch.
     The -T format option may be used to explicity control the format used for timestamps.  The value of
     format may be one of the following:

     sec    Times are printed as the number of seconds since the epoch.

     local  Times are converted to the local time zone, and printed with the format
                  MMM DD HH:MM:SS

     utc    Times are converted to UTC, and printed with the format
                  YYYY.MM.DD HH:MM:SS UTC

     The -u option is a short form for -T utc.

     Control characters and non-printable characters are encoded in the output stream.  In some cases this
     may make messages slightly less natural in appearance.  However, the encoding is designed to preserve
     all the information in the log message, and to prevent malicious users from spoofing or obsucring
     information in log messages.

     Output in the ``std'', ``bsd'', and ``raw'' formats is encoded as it is by the vis utility with the -c
     option.  Newlines and tabs are also encoded as "\n" and "\t" respectively.  In ``raw'' format, space
     chanacters embedded in log message keys are encoded as "\s" and embedded brackets are escaped to print
     as "\[" and "\]".

     XML format output requires that keys are valid UTF8 strings.  Keys which are not valid UTF8 are
     ignored, and the associated value is not printed.

     Values that contain legal UTF8 are printed as strings.  Ampersand, less than, greater than, quotation
     mark, and apostrophe characters are encoded according to XML conventions.  Embedded control characters
     are encoded as ``&#xNN;'' where NN is the character's hexidecimal value.

     Values that do not contain legal UTF8 are encoded in base-64 and printed as data objects.

     If no further command line options are specified, syslog displays all messages, or copies all messages
     to a database file.  However, an expression may be specified using the -k and -o options.

   EXPRESSIONS
     Expressions specify matching criteria.  They may be used to search for messages of interest.  Expres-sions Expressions
     sions are also required when pruning the system log file with the -p option.

     A simple expression is a list of one or more key/value pairs.  A match is made when a message has the
     given value for the specified key.  For example, to find all messages sent by the portmap process:

           syslog -k Sender portmap

     Note that the -C option is treated as an alias for the expression:

           -k Facility com.apple.console

     This provides a quick way to search for console messages.

     The -k option may be followed by one, two, or three arguments.  A single argument causes a match to
     occur if a message has the specified key, regardless of value.  If a pair of arguments is specified, a
     match occurs when a message has exactly the specified value for a given key.  If three arguments are
     given, they are of the form -k key operation value.  syslog supports the following matching operators:

     eq   equal
     ne   not equal
     gt   greater than
     ge   greater than or equal to
     lt   less than
     le   less than or equal to

     Additionally, the operator may be preceded by one or more of the following modifiers:

     C    case-fold
     R    regular expression (see regex(3))
     S    substring
     A    prefix
     Z    suffix
     N    numeric comparison

     An simple expression matches a message if all of the key-value operations match.  Logically, the result
     is an AND of all of key-value operations.  The -o option separates simple expressions and provides an
     OR operation.  If two or more simple expressions are given, separated by -o options, then a match
     occurs is a message matches any of the simple expressions.  For example, to find all messages which
     have either a ``Sender'' value of ``portmap'' or that have a numeric priority level of 4 or less:

           syslog -k Sender portmap -o -k Level Nle 4

     A special convention exists for matching time stamps.  An unsigned integer value is regarded as the
     given number of seconds since 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated Universal
     Time.  An negative integer value is regarded as the given number of seconds before the current time.
     For example, to find all messages of priority level 3 (error) or less which were logged in the last 30
     seconds:

           syslog -k Level Nle 3 -k Time ge -30

     a relative time value may be optionally followed by one of the characters ``s'', ``m'', ``h'', ``d'',
     or ``w'' to specify seconds, minutes, hours, days, or weeks respectively.  Upper case may be used
     equivalently.  A week is taken to be 7 complete days (i.e. 604800 seconds).

   PRUNING
     The Apple System Log facility saves received messages, subject to filtering criteria described in the
     FILTERING CONTROLS section below.  The syslogd daemon deletes messages after given time-to-live values
     to prevent the database from growing too large.  When messages expire, they are either removed
     entirely, or copied to an archive database.  See the syslogd(8) manual for more details on archiving
     messages.

     Messages may be removed from either the active database or from an archive database by using the -p
     option of syslog.  The -p option must be followed by an expression (see above).  Messages that match
     the expression are deleted.

     If the -db option is not specified syslog sends a request to syslogd to perform the requested pruning
     operation.  If -db is given without a database file name, syslog prunes the active database file.  This
     may only be done if the syslogd server is not running.  If one or more database file names are given,
     those databases are pruned subject to the specified expression.  Read and write access to the database
     files are required.

   FILTERING CONTROLS
     Clients of the Apple System Log facility using either the asl(3) or syslog(3) interfaces may specify a
     log filter mask.  The mask specifies which messages should be sent to the syslogd daemon by specifying
     a yes/no setting for each priority level.  Many clients set a filter mask to avoid sending relatively
     unimportant messages.  Debug or Info priority level messages are generally only useful for debugging
     operations.  By setting a filter mask, a process can improve performance by avoiding spending time
     sending messages that are in most cases unnecessary.

     The -c option may be used to control filtering.  In addition to the internal filter value that pro-cesses processes
     cesses may set as described above, the system maintains a global ``master'' filter.  This filter is
     normally ``off'', meaning that it has no effect.  If a value is set for the master filter, it overrides
     the local filter for all processes.  Root user access is required to set the master filter value.

     The current setting of the master filter mask may be inspected using:

           syslog -c 0

     The value of the master filter mask my be set by providing a second argument following -c 0.  The value
     may a set of characters from the set ``pacewnid''.  These correspond to the priority levels Emergency
     (Panic), Alert, Critical, Error, Warning, Notice, Info, and Debug.  The character ``x'' may be used for
     Error, as it is used for sending messages.  The master filter may be unset with:

           syslog -c 0 off

     Since it is common to use the filter as a ``cutoff'' mechanism, for example to cut off messages with
     Debug and Info priority, a single character from the list above may be specified, preceded by a minus
     sign.  In this case, syslog uses a filter mask starting at level 0 (Emergency) ``up to'' the given
     level.  For example, to set the master filter level to cause all processes to log messages from Emer-gency Emergency
     gency up to Debug:

           syslog -c 0 -d

     While the master filter level may be set to control the messages produced by all processes, another
     filter mask may be specified for an individual process.  If a per-process filter mask is set, it over-rides overrides
     rides both the local filter mask and the master filter mask.  The current setting for a per-process
     filter mask may be inspected using -c process, where process is either a PID or the name of a process.
     If a name is used, it must uniquely identify a process.  To set a per-process filter mask, an second
     argument may be supplied following -c process as described above for the master filter mask.  Root
     access is required to set the per-process filter mask for system (UID 0) processes.

     The filtering described above takes place in the client library to determine which messages are sent to
     the syslogd daemon.  The daemon also contains a filter which determines which messages are saved in the
     data store.  Note that this additionally determines which messages are seen when reading messages using
     the syslog utility.

     The default data store filter mask saves messages with priority levels from Emergency to Notice (level
     0 to 5).  The level may be inspected using:

           syslog -c syslogd

     To set the data store filter mask, an second argument may be supplied following -c syslog as described
     above.  For example, to save messages with priority level Error or less in the data store:

           syslog -c syslog -e

SEE ALSO
     syslogd(8), logger(1), asl(3), syslog(3),

HISTORY
     The syslog utility appeared in Mac OS X 10.4.

Mac OS X                       October 18, 2004                       Mac OS X

Did this document help you?
Yes: Tell us what works for you.
It’s good, but: Report typos, inaccuracies, and so forth.
It wasn’t helpful: Tell us what would have helped.