UNIX – Syslog – Quick Guide

Here’s a quick overview of Syslog, there’s much more to it and you can find tons more information in the links at the bottom of the page.

Syslog stands for the System Log protocol. It allows for the sending and receiving of event messages and alerts across an IP network. Operating on either UDP or TCP on port 514, logs/events are sent to the syslog server/daemon, from the syslog client.

In order to configure the Syslog server you will need to configure the /etc/syslog.conf in order to tell the daemon what to do with the logs, i.e display it to the terminal, write it to a file etc etc.

With in the file there are 2 columns, the first being the log message received and the second being the action to take. Keeping in mind that you need to tab the space in between otherwise “she just wont work captain”

#  /etc/syslog.conf     Configuration file for syslogd.
 #                       For more information see syslog.conf(5)
 #                       manpage.

# First some standard logfiles.  Log by facility.

auth,authpriv.*                 /var/log/auth.log
local4.*;local2.*               -/var/log/syslog
news.*                          /var/log/news/news.log
cron.*                          /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log
local2.*                        /var/log/local2.log
local4.*                        /var/log/local4.log

# Logs all but locals to /var/log/messages
*.*;local2,local4.none          /var/log/messages

# Emergencies are sent to everybody logged in.
*.emerg                         *

This conf file allows be to have local4 and local2 go through to their own log files along with being copied to one log file.

There’s also some combos you can use,

  • news.*                            news facility, any priority
  • news.debug                     news facility, debug or higher priority (same as *)
  • user,cron.*                       all messages from cron or user
  • mail.info                            all mail messages of informational or higher priority
  • *.info                               all messages from any facility except debug messages
  • *.=info                             any facility, info msgs only (and not higher)
  • *.!warning                         any facility, that is equal to or less priority to warning
  • *.!=debug                         any facility, any priority except debug
  • *.warning;user,news.none    all messages with a warning or higher priority except user & news

You can also run syslogd-listfiles -a, which will show you the system log files as defined in the /etc/syslog.conf.

Further information can be found at,

Rick Donato

Want to become a UNIX expert?

Here is our hand-picked selection of the best courses you can find online:
UNIX Administration Fundamentals
Vim Masterclass
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial