Configuring the syslog daemon

Processing by the syslog daemon (syslogd) is controlled by a configuration file called /etc/syslog.conf, in which you define logging rules and output destinations for error messages, authorization violation messages, and trace data. Logging rules are defined using a facility name and a priority code. For locally generated messages, the user ID and job name of the program that generated the message can also be specified in the rule. For messages arriving over the network, the rule can include the IP address or host name of the sender. The application passes the facility name and priority code on its logging request when it wants to log a message. The user ID and job name are provided by the system. See z/OS Communications Server: IP Configuration Reference for more information about logging rules.

You can specify statements and rules in the configuration file using a variety of EBCDIC code pages. Use the SYSLOGD_CODEPAGE environment variable to specify the code page that you want to use. The default code page is IBM®-1047.

As shown in the following sample /etc/syslog.conf file, comments can be added to the configuration file by placing the number (#) character in column one of the comment line. Everything following the number (#) character is treated as a comment. This sample is available in /usr/lpp/tcpip/samples/syslog.conf.



#  Licensed Materials - Property of IBM
#  5650-ZOS

#  Copyright IBM Corp. 2010, 2017
#  Status = CSV2R3

#
# /etc/syslog.conf - control output of syslogd
#
# The # sign begins a comment which extends to the end of the line.
#
# Blank lines are ignored.
#
# See IP Configuration Reference for detailed information about
# the syntax.  These comments are meant to provide only a general
# overview.
#
# There are two types of configuration information:
#
# 1) Global configuration values that control the behavior of syslogd.
# 2) Rules that specify types of messages which syslogd will
#    store, and where syslogd will store them.
#
# Global configuration statements:
# --------------------------------
#
# The following global statements control the syslogd automatic archive
# function.  All statements except BeginArchiveParms should only be
# specified once.  If you specify them multiple times the last
# instance is used.  The BeginArchiveParms statement can be repeated
# multiple times, and each instance pertains to the rules that follow
# it, until another instance is specified.  Each instance completely
# replaces the previous instance.
#
# The automatic archive function archives UNIX file destinations to
# MVS sequential or generation data group (GDG) data sets.  The
# particular UNIX files that are to be archived must include the -N
# parameter.  The -N parameter specifies that the file should be
# automatically archived and then re-initialized when an archive event
# occurs.  Alternatively, you can specify the -X parameter.  The -X
# parameter specifies that the file should only be re-initialized but
# not archived when an archive event occurs.  Use the -X parameter only
# if you do not want to save the contents of the log file.  If you
# don't specify the -N or -X parameter, then the file does not
# participate in automatic archival.
#
# Archival occurs for the following events:
#
# - At the time of day configured on the ArchiveTimeOfDay statement.
# - When one or more UNIX file systems reach the percentage full
#   configured on the ArchiveThreshold statement.
# - When the MODIFY procname,ARCHIVE command is issued.
#
# ArchiveTimeOfDay
#   Specifies the local time of day in hours and minutes using a 24
#   hour clock.  Syslogd archives all eligible files at the specified
#   time of day.  There is no default - if you don't specify this
#   statement, then syslogd does not perform time of day archival.
#
# ArchiveThreshold
#   Specifies the percentage of file system full that triggers an
#   archive.  This value applies to all UNIX file systems represented
#   by the set of UNIX files in all rules.  When any file system
#   reaches the specified percentage full, files in that file system
#   are archived until the percentage full reaches half of the
#   configured value.  Files are archived starting with the largest
#   and working toward the smallest.  For example, if you configure
#   80% full, files are archived until the file system is only 40%
#   full.  The default is 70%.
#
# ArchiveCheckInterval
#   Specifies the value in minutes for checking the percentage full
#   for UNIX file systems.  The default is 10 minutes.
#
# BeginArchiveParms
#   Specifies archive data set details.  The following parameters
#   can be specified.  DSNPrefix is required but all other parameters
#   are optional (although they might need to be specified for your
#   installation in order for archival to succeed).
#
#   DSNPrefix
#     Specifies the data set name prefix for the archive data set.
#     The complete data set name is formed by concatenating this
#     prefix value with the unique qualifier specified on the -N
#     parameter on a particular rule, and with a unique suffix value.
#     See IP Configuration Reference for complete details on the data
#     set name.
#
#   Unit
#     Specifies the unit for the archive data set.
#
#   Volume
#     Specifies the volume for the archive data set.
#
#   MgmtClas
#     Specifies the management class for the archive data set.
#
#   StorClas
#     Specifies the storage class for the archive data set.
#
#   RetPd
#     Specifies the retention period in days for a sequential archive
#     data set.  Valid values are 0 - 9999.
#
# The following are example statements that illustrate how to
# configure automatic archival.  See the section on syslogd rules for
# details about specifying rules.
#
#   ArchiveTimeOfDay         00:01
#   ArchiveThreshold         70
#   ArchiveCheckInterval     10
#
#   BeginArchiveParms
#     DSNPrefix              USER1.ARCHIVE
#     Volume                 VOL001
#     RetPd                  30
#   EndArchiveParms
#
#   *.SYSLOGD.daemon.notice  /var/logs/syslogd/daemon.notice -N daemon.notice
#
# NOTE: The archive data set name for the above example will be:
#
#   USER1.ARCHIVE.DAEMON.NOTICE.Dyymmdd.Thhmmss
#
# Syslogd rules:
# --------------
#
# Four criteria can be used to select locally generated
# messages for processing:
#
# 1) user ID associated with application generating the message
#
#    * can be specified for the user ID if the user ID is not
#    important.
#
# 2) job name of application generating the message
#
#    * can be specified for the job name if the job name is not
#    important.
#
# 3) facility of the message, as specified by the application
#
#    This is user, mail, news, uucp, daemon, auth, cron, lpr, or
#    local0-local7.  Consult the documentation for the application
#    to determine which facility the application specifies.
#
#    A special facility, mark, specifies that syslogd should log
#    mark messages on a regular basis.  These can be used to verify
#    that syslogd was operational during a specific time interval.
#
# 4) priority of the message, as specified by the application
#
#    This is emerg, panic, alert, crit, err, error, warn, warning,
#    notice, info, or debug. A filter rule condition using a specified
#    priority will match messages with that priority or higher; higher
#    meaning more severe. 
#
#    A special priority, none, specifies that messages with the
#    specified user ID, job name, or facility should not be
#    selected. 
#
# These criteria are specified together as
#
#    userid.jobname.facility.priority
#
# or, if user ID and job name are both *, as
#
#    facility.priority
#
# This can be combined in a series as
#
#   userid.jobname.facility.priority;userid.jobname.facility.priority
#
# When using syslogd rules with a series of conditions separated by
# semicolons, all of the individual conditions are evaluated
# left-to-right for each message. Each matching condition results in
# either a TRUE (meaning log the message) or a FALSE (meaning don't
# log the message). Conditions that don't match are ignored. 
# The final result of evaluating each matching condition left-to-right
# is the result of the last matching condition. Rules that have no
# matching conditions for a message result in a FALSE.
# Matching exclude conditions (those with priority of none) result
# in a FALSE. As an example, consider the difference between the
# following two rules for a message with facility of daemon and
# a priority of emerg.
#
# daemon.none;*.emerg  /tmp/mylogfile
# *.emerg;daemon.none  /tmp/mylogfile
#
# The first rule, first condition, results in FALSE. The first rule,
# second condition, results in TRUE. Therefore, the message will be
# logged to the destination for this rule. 
# The second rule, first condition, results in TRUE. The second rule,
# second condition, results in FALSE. The message will not be logged
# for this rule.
#
# The order of conditions within the filter is significant.
#
# Three criteria can be used to select messages received over the
# network for processing:
#
# 1) IP address or hostname of the sender. The IP address may be in
#  IPv4 or IPv6 format or may be a hostname that resolves to an
#  IPv4 or IPv6 address. If an IP address is used, an optional prefix
#  length may be specified with the /x notation.
#
# 2) facility of the message. See the description of facility above.
# 3) priority of the message. See the description of priority above.
#
# These criteria can be specified together as
#
#   (ip_address).facility.priority
#
#   or
#
#  (hostname).facility.priority
#
# If the IP address or hostname is not to be considered in selecting the
# rule, then omit it and specify just facility.priority
#
# The following rule will match locally generated messages or
# messages received over the network from any source IP address
# that have the specified facility and priority (or higher).
#
# facility.priority
#
# The criteria for selecting messages for processing are combined
# with a destination, which tells syslogd what to do with selected
# messages.
#
#   criteria    destination
#
# The destination can be a file, one or more user IDs, SMF, syslogd
# at a remote host, or all logged-in users, or the operlog log stream.
#
# If the destination is a file, it may be optionally followed by two
# options, -F and -D. -F should be followed by an octal number that
# indicates the permissions value to be used if syslogd must create
# the file. -D should be followed by an octal number that indicates
# the permissions value to be used if syslogd must create the
# directory to contain the file. These options are only effective
# if syslogd is started with the -c start option. See the
# Communications Server IP Configuration Reference for details.
#
# The following example stores messages with facility daemon or
# local1 in the file /directory/logfile.
#
#   daemon.*;local1.*   /directory/logfile
#
# The directory structure used in this sample configuration is
# expected to be created automatically by syslogd, with a new
# directory of log files for each day.  This requires two types
# of configurations outside of the scope of this configuration
# file:
#
# 1) syslogd command-line option
#
#    The syslogd -c command-line option should be enabled, causing
#    syslogd to create log files and directories if they do not
#    already exist.
#
# 2) cron job
#
#    A cron job should be utilized to wake up syslogd at the
#    beginning of each day to switch to new log files in a new
#    directory.  Here is the cron job definition:
#
#      1 0 * * * kill -HUP `cat /etc/syslog.pid`
#
#    This job should be defined for a user ID with UID zero so that
#    it has permissions to send the signal to syslogd.
#
#    See UNIX System Services Planning and UNIX System Services
#    Command Reference for more information about cron.
#
# A sample shell script is provided for removing log files which are
# a specified number of days old.  It assumes the same directory
# structure which is used in this sample configuration.
#
# All example rules except for the last one are commented-out.  Some
# or all of the example rules will need to be changed for your
# environment.  Each example rule contains an explanation of changes
# which may be required.
#
#####################################################################
#
# Write all messages with priority crit or higher to the MVS operator
# console.  See the UNIX System Services Planning manual for more
# information about the /dev/console special file.
#
# *.crit             /dev/console
#
#####################################################################
#
# Write all messages with facility of daemon and a priority of error
# or higher to the operlog log stream. The operlog facility must be
# active in order to be able to log messages to the operlog log
# stream.
#
# daemon.err             /dev/operlog
#####################################################################
#
# Write all messages from syslogd itself to the file
# /var/log/YYYY/MM/DD/syslogd.log and to the system console.
#
# Notes:
#
# a) If syslogd is invoked as a started task or from a shell script
#    (e.g., /etc/rc) with job name SYSLOGD, the name of the
#    long-running syslogd job is SYSLOGD followed by a digit.
#
#    If syslogd runs with a different job name on your system, the
#    rule will have to be changed accordingly.
#
# b) During initialization, syslogd writes messages to
#    /dev/console.  These rules cover messages during steady-
#    state.
#
# *.SYSLOGD*.*.*      /var/log/%Y/%m/%d/syslogd
# *.SYSLOGD*.*.*      /dev/console
#
#####################################################################
#
# Write all messages from inetd to the log file inetd and to the
# console.
#
# Notes:
#
# a) If inetd is invoked as a started task or from a shell script
#    (e.g., /etc/rc) with job name INETD, the name of the
#    long-running inetd job is INETD followed by a digit.
#
#    If inetd runs with a different job name on your system, the rule
#    will have to be changed accordingly.
#
# *.INETD*.*.*       /var/log/%Y/%m/%d/inetd
# *.INETD*.*.*       /dev/console
#
#####################################################################
#
# Write all messages with priority err or higher from applications
# which specify facility "daemon" to the log file daemon.
# Because we chose to log messages from syslogd and inetd separately,
# we'll filter out those messages from this rule using special
# priority none. 
#
# Notes:
#
# a) In this example, SYSLOGD followed by some other character is the
#    job name of syslogd.  If it is different on your system, change
#    the rule.
# b) In this example, INETD followed by some other character is the
#    job name of inetd.  If it is different on your system, change the
#    rule.
#
# daemon.err;*.SYSLOGD*.*.none;*.INETD*.*.none /var/log/%Y/%m/%d/daemon
#
#####################################################################
#
# Write all messages from applications which specify facility "auth"
# to the log file auth.
#
# auth.* /var/log/%Y/%m/%d/auth
#
#####################################################################
#
# Write all messages from applications which specify facility "mail"
# to the log file mail. Use file permissions of 640 octal if the file
# has to be created. Use permission of 770 octal if the directory has
# to be created. syslogd must be started with -c for these options
# to have any effect.
#
# mail.* /var/log/%Y/%m/%d/mail -F 640 -D 770
#
#####################################################################
#
# Write all messages with priority err and higher from otelnetd and
# other applications which specify facility "local1" to the log file
# local1.
#
# local1.err       /var/log/%Y/%m/%d/local1
#
#####################################################################
#
# Write all messages from otelnetd and other applications which
# specify facility "local1" when running as user SMITH to the log file
# local1.smith.  This could be useful if, for example, otelnetd traces
# need to be collected for a problem which user SMITH is experiencing
# and you do not wish to collect otelnetd traces from all user IDs.
#
# SmITh.*.local1.*  /var/log/%Y/%m/%d/local1.smith
#
#####################################################################
#
# Write all messages with priority err and higher to SMF.  These will
# be stored in SMF record type 109.  SMF must be active and
# configured to accept record type 109.  The user ID associated with
# syslogd must have read access to BPX.SMF.  See UNIX System Services
# Planning for more information about BPX.SMF.
#
# *.err        $SMF
#
#####################################################################
#
# Write all messages with priority crit and higher to the syslogd on
# host 192.168.1.9. The host may be specified by IPv4 address, by IPv6
# address, or by a name that resolves to an IPv4 or IPv6 address.
#
# *.crit      @192.168.1.9
#
#####################################################################
#
# Write all messages with priority crit and higher that arrive from
# host 192.168.0.6 to the operlog log stream.
#
# (192.168.0.6).*.crit      /dev/operlog
#
#####################################################################
#
# Write all messages with priority crit and higher that arrive from
# any host with IP address in the range 192.168.0.0 to 192.168.0.255
# to the operlog log stream.
#
# (192.168.0.6/24).*.crit      /dev/operlog
#
#####################################################################
#
# Write all messages with priority err and higher to log file errors.
#
# THIS EXAMPLE STATEMENT IS UNCOMMENTED.
#
*.err            /var/log/%Y/%m/%d/errors
#
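
The sample's comments state that conditions in a rule are evaluated left to right and that the last matching condition decides, so a misplaced none condition can silently drop emergency messages from a log. The following Python sketch is an added example, not part of the IBM sample or of syslogd; it applies that evaluation to locally generated messages only. The function names, the case-insensitive name comparison, the trailing-* wildcard handling and the constructed destinations /tmp/first and /tmp/second are assumptions made for illustration.

```python
SEVERITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
            "warn": 4, "warning": 4, "notice": 5, "info": 6, "debug": 7}
FIELDS = ("userid", "jobname", "facility")

def parse_condition(text):
    """Return [userid, jobname, facility, priority] for one condition."""
    parts = text.strip().split(".")
    if len(parts) == 2:              # facility.priority: userid and jobname are *
        parts = ["*", "*"] + parts
    if len(parts) != 4:
        raise ValueError(f"unsupported condition: {text!r}")
    return parts

def name_match(pattern, value):
    # Assumption: case-insensitive compare; a trailing * matches any suffix.
    pattern, value = pattern.lower(), value.lower()
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def evaluate_selector(selector, msg):
    """Last matching condition wins; True means the message is logged."""
    result = False                   # no matching condition -> FALSE
    for cond in selector.split(";"):
        *names, priority = parse_condition(cond)
        if not all(name_match(p, msg[k]) for p, k in zip(names, FIELDS)):
            continue                 # non-matching conditions are ignored
        if priority == "none":
            result = False           # matching exclude condition
        elif priority == "*" or SEVERITY[msg["priority"]] <= SEVERITY[priority]:
            result = True            # message is at or above the stated priority
    return result

def destinations_for(config_text, msg):
    """List destinations of uncommented local rules that would log msg."""
    hits = []
    for line in config_text.splitlines():
        tokens = line.split()
        # Heuristic (assumption): a rule's first token contains a dot; this
        # skips comments, global statements and (sender) network rules.
        if len(tokens) < 2 or tokens[0][0] in "#(" or "." not in tokens[0]:
            continue
        if evaluate_selector(tokens[0], msg):
            hits.append(tokens[1])
    return hits

# Constructed input: rules from the sample, uncommented, with made-up destinations.
SAMPLE = """\
ArchiveThreshold 70
daemon.none;*.emerg  /tmp/first
*.emerg;daemon.none  /tmp/second
daemon.err;*.SYSLOGD*.*.none;*.INETD*.*.none /var/log/%Y/%m/%d/daemon
"""
MSG = {"userid": "USER1", "jobname": "FTPD1", "facility": "daemon",
       "priority": "emerg"}
```

Calling destinations_for(SAMPLE, MSG) shows which files receive the daemon emerg message; the rule written as *.emerg;daemon.none is absent from the result, which is the ordering effect the sample describes.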