SYSLOGD(8) BSD System Manager's Manual SYSLOGD(8)
NAME
syslogd -- Apple System Log server
SYNOPSIS
syslogd [-d] [-D] [-m mark_interval] [-c log_cutoff] [-l lib_path] [-a] [-ttl time] [-sweep time]
[-db_max size] [-utmp_ttl time] [-fs_ttl time] [-dup_delay time] [-module_name {0|1}]
DESCRIPTION
The syslogd server receives and processes log messages. Several modules receive input messages through
various channels, including UNIX domain sockets associated with the syslog(3), asl(3), and kernel
printf APIs, and optionally on a UDP socket from network clients.
The Apple System Log facility comprises the asl(3) API, a new syslogd server, and the syslog(1)
command-line utility. The system supports structured and extensible messages, permitting advanced message
browsing and management through search APIs and other components of the Apple system log facility.
Log messages are retained in a data store, subject to pruning, automatic archival, and input filtering
as described below, to simplify the task of locating log messages and to facilitate browsing and
searching. The data store is intended to become a replacement for the numerous log files that are
currently found in various locations on the system. Those files will be phased out in future versions of
Mac OS.
The following options are recognized:
-d Run syslogd in debugging mode. The server stays attached to the controlling terminal and
prints debugging messages.
-D Start as a daemon. This option forces syslogd to fork and have the child process become a
daemon. Since syslogd is started by launchd, this is not normally required.
-m Set the number of minutes between ``mark'' messages. The default is 20 minutes. The
``mark'' facility is disabled if the setting is zero minutes.
-c Sets a cutoff filter for log priorities for messages to be retained in the log message data
store. The value of log_cutoff must be between 0 and 7, corresponding to log priorities
LOG_EMERG or ASL_LEVEL_EMERG and LOG_DEBUG or ASL_LEVEL_DEBUG as defined in the syslog(3)
and asl(3) header files. Received messages with a priority or level value greater than the
cutoff will not be saved in the data store. The default filter will retain messages in the
range 0 (Emergency) to 5 (Notice) inclusive.
Note that this filter value may be adjusted while syslogd is running using the syslog
command-line utility. See the syslog(1) manual. The filter may be adjusted using the ``-c''
option, e.g.
sudo syslog -c syslogd -d
will set the filter to retain messages in the range 0 (Emergency) to 7 (Debug).
-l Specifies an alternate path for loading plug-in modules. By default, syslogd checks for
plug-in modules in the directory /usr/lib/asl.
-a Enables message archival. Messages older than 24 hours (or as otherwise set using -ttl)
will be copied to an archive database when they expire from the active database. Archive
databases are named /var/log/asl.yyyy.mm.dd.archive, and may be read or searched using the
syslog(1) command.
-ttl Sets the time-to-live in seconds for messages in the active database. Expired messages are
removed or copied to an archive database if archival is enabled.
-sweep Sets the interval (in seconds) for a periodic database operation that removes and
(optionally) archives expired messages.
-db_max Sets a size limit in bytes for the active database. The size of the database is reduced by
deleting oldest messages. Deleted messages will be archived if archival is enabled. When
the database reaches its size limit, it is reduced to approximately 90% of the allowed
maximum size. This allows the database to grow for some time before the next size-reduction.
The default value for -db_max is 25600000 bytes.
-utmp_ttl Sets the time-to-live in seconds for messages used by the utmp, wtmp, and lastlog
subsystems. The default is 31622400 seconds (approximately 1 year). Note that if archival is
enabled, these messages will be copied to an archive file after the regular time-to-live
interval (24 hours, or as set using -ttl) but will persist in the active database until
their own expiry time.
-fs_ttl Sets the time-to-live in seconds for filesystem error messages generated by the kernel. The
default is 31622400 seconds (approximately 1 year). As in the case of -utmp_ttl, if archival
is enabled, these messages will be copied to an archive file after the regular time-to-live
interval (24 hours, or as set using -ttl) but will persist in the active database until
their own expiry time.
-dup_delay
Sets the time to delay for coalescing duplicate messages in log files. If a process logs
multiple messages with the same text, syslogd will wait for the specified period of time to
coalesce duplicates. If identical messages arrive during this interval, syslogd will print
a message of the form:
May 7 12:34:56: --- last message repeated 17 times ---
The default delay time is 30 seconds. Setting the value to 0 disables the coalescing
mechanism.
The remaining options of the form -module_name {0|1} may be used to disable (0) or enable (1) the
action of several internal modules.
-asl_in The ``asl_in'' module receives log messages on the UNIX domain socket associated with the
asl(3) API. The module may be disabled using -asl_in 0. The module is normally enabled.
-asl_action The ``asl_action'' module examines the stream of received log messages and acts upon them
according to the rules specified in the file /etc/asl.conf. See asl.conf(5) for details.
-klog_in The ``klog_in'' module receives log messages on the UNIX domain socket associated with the
kernel logging API. The module may be disabled using -klog_in 0. The module is normally
enabled.
-bsd_in The ``bsd_in'' module receives log messages on the UNIX domain socket associated with the
syslog(3) API. The module may be disabled using -bsd_in 0. The module is normally
enabled.
-bsd_out The ``bsd_out'' module examines the stream of received log messages and acts upon them
according to the rules specified in the file /etc/syslog.conf. See syslog.conf(5) for
details. This module exists for backward compatibility with previous syslogd
implementations. Apple encourages use of the syslog(1) and asl(3) search APIs over the use of the
log files that are specified in the /etc/syslog.conf file. Future versions of Mac OS will
move functions that are currently handled by the ``bsd_out'' module to the ``asl_action''
module.
-udp_in The ``udp_in'' module receives log messages on the UDP socket associated with the Internet
syslog message protocol.
This module is normally enabled, but is inactive. The actual UDP sockets are managed by
launchd, and configured in the syslogd configuration file
/System/Library/LaunchDaemons/com.apple.syslogd.plist. In the default configuration, launchd does not open any
sockets for the ``syslog'' UDP service, so no sockets are provided to the ``udp_in'' module.
If no sockets are provided, the module remains inactive.
The module may be specifically disabled using the -udp_in 0 option.
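One way to audit a launchd job file for the condition described above, as an added example that is not part of the original manual or of Apple's code: it parses the plist and reports any UDP socket for the ``syslog'' service, which is what would make udp_in active. The two sample job files and their entry names are constructed for illustration; Sockets, SockType, SockServiceName, SockNodeName and SockPathName are launchd.plist(5) keys.

```python
import plistlib

# Constructed job files for illustration; the entry names are hypothetical.
_JOB = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.syslogd</string>
  <key>Sockets</key><dict>
    <key>BSDSystemLogger</key><dict>
      <key>SockPathName</key><string>/var/run/log</string>
      <key>SockType</key><string>dgram</string>
    </dict>%s
  </dict>
</dict></plist>"""
_UDP = """
    <key>NetworkListener</key><dict>
      <key>SockServiceName</key><string>syslog</string>
      <key>SockType</key><string>dgram</string>
    </dict>"""
DEFAULT_JOB = (_JOB % "").encode()    # no network socket: udp_in stays inactive
EXPOSED_JOB = (_JOB % _UDP).encode()  # UDP syslog socket handed to syslogd


def udp_syslog_listeners(plist_bytes):
    """Return (entry name, bind address) for each UDP syslog socket in the job."""
    job = plistlib.loads(plist_bytes)
    found = []
    for name, spec in job.get("Sockets", {}).items():
        # launchd accepts a single dict or an array of dicts per entry
        for sock in spec if isinstance(spec, list) else [spec]:
            if "SockPathName" in sock:
                continue  # UNIX domain socket: local clients only
            is_udp = sock.get("SockType", "stream") == "dgram"
            service = str(sock.get("SockServiceName", ""))
            if is_udp and service in ("syslog", "514"):
                # no SockNodeName means the socket is not tied to one address
                found.append((name, sock.get("SockNodeName", "*")))
    return found


if __name__ == "__main__":
    for label, data in (("default", DEFAULT_JOB), ("exposed", EXPOSED_JOB)):
        hits = udp_syslog_listeners(data)
        print(label, "udp_in active:" if hits else "udp_in inactive", hits)
```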
syslogd initializes its built-in modules and loads plug-ins during its start-up. The data store is
pruned approximately 5 minutes after startup.
syslogd reinitializes in response to a HUP signal.
MESSAGE EXPIRY AND ARCHIVAL
syslogd periodically removes messages from the active database, optionally copying them to an archival
database. Archival is enabled if the -a flag is supplied. By default, messages are removed or
archived after they are 24 hours old. The maximum age of messages in the active database may be set as
the value for the -ttl flag. The message expiry operation runs once an hour by default, but the
interval may be changed as the value for the -sweep flag.
After the database sweep operation, syslogd optionally can check the size of the database, and may be
configured to remove additional messages to limit the size of the database. The maximum size of the
database (in bytes) may be specified using the -db_max option. If messages must be removed to limit
the database size, oldest messages are removed first. By default there is no database size limit.
Log messages from the utmp, wtmp, and lastlog subsystems record login, logout, shutdowns, and reboots.
These log messages are given a longer time-to-live in the active database. The default time-to-live
for these messages is 31622400 seconds (approximately one year). This value may be changed using the
-utmp_ttl flag. If archival is enabled, a copy of these messages will be archived at the end of the
regular time-to-live interval (24 hours, or as specified using -ttl). The messages will persist in
the active database until their own time-to-live has expired.
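The retention rules above decide where an investigator should look for a message of a given age. The following model is an added example, not syslogd's own code: it applies the documented cutoff, -ttl, -utmp_ttl, -fs_ttl and -a behaviour as of the most recent sweep. The kind labels and function name are invented for the model, the cutoff is assumed to apply to every message kind, and -db_max trimming is not modelled.

```python
from dataclasses import dataclass

LONG_TTL = 31622400  # documented default for -utmp_ttl and -fs_ttl


@dataclass
class Policy:                  # field names mirror the syslogd flags
    cutoff: int = 5            # -c: highest level that is retained
    ttl: int = 24 * 3600       # -ttl
    utmp_ttl: int = LONG_TTL   # -utmp_ttl
    fs_ttl: int = LONG_TTL     # -fs_ttl
    archive: bool = False      # -a


def locate(level, kind, logged_at, last_sweep, policy):
    """Return the stores holding a message after the sweep at `last_sweep`.

    kind is "regular", "utmp" or "fs" (labels invented for this model).
    Times are seconds on any common clock.
    """
    if level > policy.cutoff:
        return set()                   # filtered on input, never stored
    # Expiry is only applied during a sweep, so age is measured at that
    # moment, not at the time of the query.
    age = last_sweep - logged_at
    own_ttl = {"utmp": policy.utmp_ttl, "fs": policy.fs_ttl}.get(kind, policy.ttl)
    places = set()
    if age <= own_ttl:
        places.add("active")           # still in the active database
    if policy.archive and age > policy.ttl:
        places.add("archive")          # copied out at the regular TTL
    return places


if __name__ == "__main__":
    hour = 3600
    with_archive = Policy(archive=True)
    print(locate(5, "regular", 0, 25 * hour, Policy()))      # expired, no -a
    print(locate(5, "regular", 0, 25 * hour, with_archive))  # archive only
    print(locate(5, "utmp", 0, 25 * hour, with_archive))     # both stores
```

A login record older than 24 hours is therefore present in both the active database and an archive when -a is set, while a Debug or Info message is in neither under the default cutoff.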
DATABASE SECURITY
The data store file /var/log/asl.db is only readable by processes with UID 0. Messages in the data
store may have a read UID and GID, so that only processes with the specified UID or GID can fetch those
messages when using asl_search. Read access UID and GID settings may be attached to messages using the
asl(3) library by setting a value for the "ReadUID" and/or "ReadGID" message keys.
Although clients are generally free to use any value for the "Facility" message key, only processes
running with UID 0 may log messages with a facility value of "com.apple.system", or with a value that
has "com.apple.system" as a prefix. Messages logged by non UID 0 processes that use "com.apple.system"
as a facility value or prefix will be saved with the facility value "user".
FILES
/etc/syslog.conf bsd_out module configuration file
/etc/asl.conf asl_action module configuration file
/var/run/syslog.pid process ID file
/var/run/log name of the UNIX domain datagram log socket
/dev/klog kernel log device
SEE ALSO
syslog(1), logger(1), asl(3), syslog(3), asl.conf(5), syslog.conf(5)
HISTORY
The syslogd utility appeared in 4.3BSD.
The Apple System Log facility was introduced in Mac OS X 10.4.
Mac OS X October 18, 2004 Mac OS X