Supported destinations for syslogd

The following destinations are supported. File names are case sensitive:

/file

A specific path (for example, /tmp/syslogd/auth.log). All log files used by syslogd must be created in the z/OS® UNIX file system before syslogd is started unless the -c start option is specified. If the -c option is specified, the file name can be followed by the -F and -D parameters.

You should use a cron job to signal syslogd at midnight, along with date stamps in the log file directory names, to organize log files by year (%Y), month (%m), and day (%d), only if you do not use the automatic archive function of syslogd. See Configuring syslogd for automatic archiving in z/OS Communications Server: IP Configuration Guide for more information about automatic archiving. Because both of these methods rely on creating new log files, results could be unpredictable if you try to use both methods together.

Destination file access parameters

-F: The -F parameter specifies the access permissions (modes) for the file if the file must be created dynamically. This parameter has no effect if the file already exists.

Restriction: You cannot specify the -F parameter with the -N or -X parameter.
-D: The -D parameter specifies the access permissions (modes) for the directory part of the file name if the directory (or directories) containing the file must be created dynamically. This parameter has no effect on a directory that already exists.
Restriction: You cannot specify the -D parameter with the -N or -X parameter.

The value following the -F parameter or the -D parameter uses the same octal values as specified for the start options -F and -D. If the -F and -D options are specified on a rule, these values override, for this rule only, the default values specified by the start options. For example, for syslogd to create the file (and directories if needed) for /tmp/syslogd/auth.log, you could specify a rule like the following example:

auth.*  /tmp/syslogd/auth.log -F 640 -D 770

The permissions in the previous example rule give the owner read/write access to the file and give members of the file's group read-only access. The file’s owner ID is set to the process’s effective user ID (UID), which for syslogd is always UID 0. By default, the owning group ID (GID) is set to that of the parent directory. However, if the FILE.GROUPOWNER.SETGID profile exists in the UNIXPRIV class, the owning GID is determined by the set-GID bit of the parent directory, as follows:

If the parent’s set-gid bit is on, the owning GID is set to that of the parent directory.
If the parent’s set-gid bit is off, the owning GID is set to the effective GID of the process.

If the /tmp or the /tmp/syslogd directories do not exist, they are created with access permissions of 770.

Destination file archive parameters

The -N and -X parameters are part of the automatic archival function. You should use the -N or -X parameter only if you do not use a cron job to signal syslogd at midnight, along with date stamps in log file directory names, to organize log files by year (%Y), month (%m), and day (%d). See Configuring syslogd for automatic archiving in z/OS Communications Server: IP Configuration Guide for more information about automatic archiving. Because both of these methods rely on creating new log files, results could be unpredictable if you try to use both methods together.

-N

You can specify the -N parameter following the file name to specify automatic archival options. The -N parameter specifies that the file should be automatically archived when an archive event occurs, and provides a unique qualifier to append to the data set prefix specified on the previous instance of the BeginArchiveParms statement. This prefix forms the base archive data set name. Additional information is appended to the base name to form the complete archive data set name. The format of the additional information depends on the type of data set. You can specify either a GDG or a sequential data set.

Results:

If you specify the -N parameter multiple times on the same rule, the last instance is used.
If you have multiple rules that use the same destination file, and you specify a mixture of -N and -X parameters on those rules, the parameter you specify on the first such rule is used.

Restrictions:

You cannot specify the -N parameter with the -F or -D access parameters.
The -N parameter is mutually exclusive with the -X archive parameter.
You cannot archive destination files that are specified on more than 1 rule configuration statement. For example, if you specify the following rule configuration statements:
```
(192.9.200.0/8).local0.info  /tmp/syslogd/otherlog -N OTHER.LOG               
(127.0.0.0/8).local0.info    /tmp/syslogd/otherlog -N OTHER.LOG
```
syslogd will issue the following error message after processing the statements:
```
FSUM1273 SYSLOGD AUTOMATIC ARCHIVE NOT USED FOR RULES WITH SHARED DESTINATION
```
You cannot use the field descriptors for year, month, or day (e.g, %y, %m, or %d) in the qualifier specified for the -N parameter. For example, the following -N specification is not supported and will result in a syntax error when processed by syslogd:
```
-N D%y%m%d.LOG
```

The syslogd application requires the correct SAF authorization to create the target data sets that are needed for archival purposes.

For a GDG data set, specify (+1) at the end of the qualifier value. For example, -N TRACE(+1). The GDG specifiers (+0) and (-n) are not valid. The complete archive data set name for a GDG data set is:

prefix.qualifier.gdg_suffix

where:

prefix is the value specified on the BeginArchiveParms statement.
qualifier is the value specified on the -N parameter.
gdg_suffix is the value automatically supplied for GDG data sets to make them unique.

If you use GDG data sets as an archive destination, the GDG BASE must already have been created. Also, be aware of the maximum number of generation data sets to be kept for the GDG. It is possible for syslogd to write more than one archive to the GDG per day, because of the multiple triggers used to perform archives. For example, if you keep five generation data sets, and syslogd performs five archives in one day, you are effectively retaining only a single day's worth of data.

See the information about Configuring syslogd for automatic archiving in z/OS Communications Server: IP Configuration Guide for sample JCL to create a GDG BASE. See z/OS DFSMS Using Data Sets for more information about GDG data sets.

For a sequential data set do not specify the GDG indicator (+1). The complete archive data set name for a sequential data set is as follows:

prefix.qualifier.date_suffix.time_suffix

where:

prefix is the value specified on the BeginArchiveParms statement.
qualifier is the value specified on the -N parameter.
<date_suffix> is the date value automatically supplied by syslogd for sequential data sets to make them unique. The format of this suffix is: Dyymmdd.
time_suffix is the time of day value automatically supplied by syslogd for sequential data sets to make them unique. The format of this suffix is Thhmmss.

For example, to make a z/OS UNIX file eligible for automatic archival, you could specify the following rule:

auth.* /tmp/syslogd/auth.log -N TRACE

-X

You can specify the-X parameter following the file name to indicate that Start of change the file should only be re-initalized but not archived when an archive event occurs End of change . The -X parameter is mutually exclusive with the -N parameter.

Restriction: You cannot specify the -X parameter with the -F or -D parameter.

@host

A syslog daemon on another host (for example, @host.domain).

user1,user2,...

A list of users.

/dev/console

The MVS™ console.

/dev/operlog

The MVS operlog log stream. See the information about system logger applications in z/OS MVS Setting Up a Sysplex.

Requirement: The MVS operlog stream must be active for syslogd to be able to write to it.

SMF record changes

$SMF

The log message is stored in SMF record type 109. See the information about type 109 SMF records in z/OS Communications Server: IP Programmer's Guide and Reference for a description of type 109 SMF records. The maximum SMF message is 4096. If the BPX.SMF facility is defined, then the user ID with which syslogd runs must be permitted to BPX.SMF. See SEZAINST(EZARACF) for more information.

For example, to send all log messages of severity critical or higher from bpxroot or uswmaint to SMF, use the following statement.
```
bpxroot.*.*.crit;uswmaint.*.*.crit   $SMF
```