syslog.texi 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570
  1. @node Syslog, Mathematics, Low-Level Terminal Interface, Top
  2. @c %MENU% System logging and messaging
  3. @chapter Syslog
  4. This chapter describes facilities for issuing and logging messages of
  5. system administration interest. This chapter has nothing to do with
  6. programs issuing messages to their own users or keeping private logs
  7. (One would typically do that with the facilities described in
  8. @ref{I/O on Streams}).
  9. Most systems have a facility called ``Syslog'' that allows programs to
  10. submit messages of interest to system administrators and can be
  11. configured to pass these messages on in various ways, such as printing
  12. on the console, mailing to a particular person, or recording in a log
  13. file for future reference.
  14. A program uses the facilities in this chapter to submit such messages.
  15. @menu
  16. * Overview of Syslog:: Overview of a system's Syslog facility
  17. * Submitting Syslog Messages:: Functions to submit messages to Syslog
  18. @end menu
  19. @node Overview of Syslog
  20. @section Overview of Syslog
  21. System administrators have to deal with lots of different kinds of
  22. messages from a plethora of subsystems within each system, and usually
  23. lots of systems as well. For example, an FTP server might report every
  24. connection it gets. The kernel might report hardware failures on a disk
  25. drive. A DNS server might report usage statistics at regular intervals.
  26. Some of these messages need to be brought to a system administrator's
  27. attention immediately. And it may not be just any system administrator
  28. -- there may be a particular system administrator who deals with a
  29. particular kind of message. Other messages just need to be recorded for
  30. future reference if there is a problem. Still others may need to have
  31. information extracted from them by an automated process that generates
  32. monthly reports.
  33. To deal with these messages, most Unix systems have a facility called
  34. "Syslog." It is generally based on a daemon called ``Syslogd''
  35. Syslogd listens for messages on a Unix domain socket named
  36. @file{/dev/log}. Based on classification information in the messages
  37. and its configuration file (usually @file{/etc/syslog.conf}), Syslogd
  38. routes them in various ways. Some of the popular routings are:
  39. @itemize @bullet
  40. @item
  41. Write to the system console
  42. @item
  43. Mail to a specific user
  44. @item
  45. Write to a log file
  46. @item
  47. Pass to another daemon
  48. @item
  49. Discard
  50. @end itemize
  51. Syslogd can also handle messages from other systems. It listens on the
  52. @code{syslog} UDP port as well as the local socket for messages.
  53. Syslog can handle messages from the kernel itself. But the kernel
  54. doesn't write to @file{/dev/log}; rather, another daemon (sometimes
  55. called ``Klogd'') extracts messages from the kernel and passes them on to
  56. Syslog as any other process would (and it properly identifies them as
  57. messages from the kernel).
  58. Syslog can even handle messages that the kernel issued before Syslogd or
  59. Klogd was running. A Linux kernel, for example, stores startup messages
  60. in a kernel message ring and they are normally still there when Klogd
  61. later starts up. Assuming Syslogd is running by the time Klogd starts,
  62. Klogd then passes everything in the message ring to it.
  63. In order to classify messages for disposition, Syslog requires any process
  64. that submits a message to it to provide two pieces of classification
  65. information with it:
  66. @table @asis
  67. @item facility
  68. This identifies who submitted the message. There are a small number of
  69. facilities defined. The kernel, the mail subsystem, and an FTP server
  70. are examples of recognized facilities. For the complete list,
  71. @xref{syslog; vsyslog}. Keep in mind that these are
  72. essentially arbitrary classifications. "Mail subsystem" doesn't have any
  73. more meaning than the system administrator gives to it.
  74. @item priority
  75. This tells how important the content of the message is. Examples of
  76. defined priority values are: debug, informational, warning and critical.
  77. For the complete list, see @ref{syslog; vsyslog}. Except for
  78. the fact that the priorities have a defined order, the meaning of each
  79. of these priorities is entirely determined by the system administrator.
  80. @end table
  81. A ``facility/priority'' is a number that indicates both the facility
  82. and the priority.
  83. @strong{Warning:} This terminology is not universal. Some people use
  84. ``level'' to refer to the priority and ``priority'' to refer to the
  85. combination of facility and priority. A Linux kernel has a concept of a
  86. message ``level,'' which corresponds both to a Syslog priority and to a
  87. Syslog facility/priority (It can be both because the facility code for
  88. the kernel is zero, and that makes priority and facility/priority the
  89. same value).
  90. @Theglibc{} provides functions to submit messages to Syslog. They
  91. do it by writing to the @file{/dev/log} socket. @xref{Submitting Syslog
  92. Messages}.
  93. The @glibcadj{} functions only work to submit messages to the Syslog
  94. facility on the same system. To submit a message to the Syslog facility
  95. on another system, use the socket I/O functions to write a UDP datagram
  96. to the @code{syslog} UDP port on that system. @xref{Sockets}.
  97. @node Submitting Syslog Messages
  98. @section Submitting Syslog Messages
  99. @Theglibc{} provides functions to submit messages to the Syslog
  100. facility:
  101. @menu
  102. * openlog:: Open connection to Syslog
  103. * syslog; vsyslog:: Submit message to Syslog
  104. * closelog:: Close connection to Syslog
  105. * setlogmask:: Cause certain messages to be ignored
  106. * Syslog Example:: Example of all of the above
  107. @end menu
  108. These functions only work to submit messages to the Syslog facility on
  109. the same system. To submit a message to the Syslog facility on another
  110. system, use the socket I/O functions to write a UDP datagram to the
  111. @code{syslog} UDP port on that system. @xref{Sockets}.
  112. @node openlog
  113. @subsection openlog
  114. The symbols referred to in this section are declared in the file
  115. @file{syslog.h}.
  116. @deftypefun void openlog (const char *@var{ident}, int @var{option}, int @var{facility})
  117. @standards{BSD, syslog.h}
  118. @safety{@prelim{}@mtsafe{}@asunsafe{@asulock{}}@acunsafe{@aculock{} @acsfd{}}}
  119. @c openlog @asulock @aculock @acsfd
  120. @c libc_lock_lock @asulock @aculock
  121. @c openlog_internal @acsfd [always guarded by syslog_lock, so no race]
  122. @c strncpy dup ok
  123. @c socket dup @acsfd
  124. @c fcntl dup ok
  125. @c connect dup ok
  126. @c close dup @acsfd
  127. @c cancel_handler(NULL) @aculock
  128. @c libc_lock_unlock @aculock
  129. @code{openlog} opens or reopens a connection to Syslog in preparation
  130. for submitting messages.
  131. @var{ident} is an arbitrary identification string which future
  132. @code{syslog} invocations will prefix to each message. This is intended
  133. to identify the source of the message, and people conventionally set it
  134. to the name of the program that will submit the messages.
  135. If @var{ident} is NULL, or if @code{openlog} is not called, the default
  136. identification string used in Syslog messages will be the program name,
  137. taken from argv[0].
  138. Please note that the string pointer @var{ident} will be retained
  139. internally by the Syslog routines. You must not free the memory that
  140. @var{ident} points to. It is also dangerous to pass a reference to an
  141. automatic variable since leaving the scope would mean ending the
  142. lifetime of the variable. If you want to change the @var{ident} string,
  143. you must call @code{openlog} again; overwriting the string pointed to by
  144. @var{ident} is not thread-safe.
  145. You can cause the Syslog routines to drop the reference to @var{ident} and
  146. go back to the default string (the program name taken from argv[0]), by
  147. calling @code{closelog}: @xref{closelog}.
  148. In particular, if you are writing code for a shared library that might get
  149. loaded and then unloaded (e.g. a PAM module), and you use @code{openlog},
  150. you must call @code{closelog} before any point where your library might
  151. get unloaded, as in this example:
  152. @smallexample
  153. #include <syslog.h>
  154. void
  155. shared_library_function (void)
  156. @{
  157. openlog ("mylibrary", option, priority);
  158. syslog (LOG_INFO, "shared library has been invoked");
  159. closelog ();
  160. @}
  161. @end smallexample
  162. Without the call to @code{closelog}, future invocations of @code{syslog}
  163. by the program using the shared library may crash, if the library gets
  164. unloaded and the memory containing the string @code{"mylibrary"} becomes
  165. unmapped. This is a limitation of the BSD syslog interface.
  166. @code{openlog} may or may not open the @file{/dev/log} socket, depending
  167. on @var{option}. If it does, it tries to open it and connect it as a
  168. stream socket. If that doesn't work, it tries to open it and connect it
  169. as a datagram socket. The socket has the ``Close on Exec'' attribute,
  170. so the kernel will close it if the process performs an exec.
  171. You don't have to use @code{openlog}. If you call @code{syslog} without
  172. having called @code{openlog}, @code{syslog} just opens the connection
  173. implicitly and uses defaults for the information in @var{ident} and
  174. @var{options}.
  175. @var{options} is a bit string, with the bits as defined by the following
  176. single bit masks:
  177. @vtable @code
  178. @item LOG_PERROR
  179. If on, @code{openlog} sets up the connection so that any @code{syslog}
  180. on this connection writes its message to the calling process' Standard
  181. Error stream in addition to submitting it to Syslog. If off, @code{syslog}
  182. does not write the message to Standard Error.
  183. @item LOG_CONS
  184. If on, @code{openlog} sets up the connection so that a @code{syslog} on
  185. this connection that fails to submit a message to Syslog writes the
  186. message instead to system console. If off, @code{syslog} does not write
  187. to the system console (but of course Syslog may write messages it
  188. receives to the console).
  189. @item LOG_PID
  190. When on, @code{openlog} sets up the connection so that a @code{syslog}
  191. on this connection inserts the calling process' Process ID (PID) into
  192. the message. When off, @code{openlog} does not insert the PID.
  193. @item LOG_NDELAY
  194. When on, @code{openlog} opens and connects the @file{/dev/log} socket.
  195. When off, a future @code{syslog} call must open and connect the socket.
  196. @strong{Portability note:} In early systems, the sense of this bit was
  197. exactly the opposite.
  198. @item LOG_ODELAY
  199. This bit does nothing. It exists for backward compatibility.
  200. @end vtable
  201. If any other bit in @var{options} is on, the result is undefined.
  202. @var{facility} is the default facility code for this connection. A
  203. @code{syslog} on this connection that specifies default facility causes
  204. this facility to be associated with the message. See @code{syslog} for
  205. possible values. A value of zero means the default, which is
  206. @code{LOG_USER}.
  207. If a Syslog connection is already open when you call @code{openlog},
  208. @code{openlog} ``reopens'' the connection. Reopening is like opening
  209. except that if you specify zero for the default facility code, the
  210. default facility code simply remains unchanged and if you specify
  211. LOG_NDELAY and the socket is already open and connected, @code{openlog}
  212. just leaves it that way.
  213. @c There is a bug in closelog() (glibc 2.1.3) wherein it does not reset the
  214. @c default log facility to LOG_USER, which means the default default log
  215. @c facility could be whatever the default log facility was for a previous
  216. @c Syslog connection. I have documented what the function should be rather
  217. @c than what it is because I think if anyone ever gets concerned, the code
  218. @c will change.
  219. @end deftypefun
  220. @node syslog; vsyslog
  221. @subsection syslog, vsyslog
  222. The symbols referred to in this section are declared in the file
  223. @file{syslog.h}.
  224. @c syslog() is implemented as a call to vsyslog().
  225. @deftypefun void syslog (int @var{facility_priority}, const char *@var{format}, @dots{})
  226. @standards{BSD, syslog.h}
  227. @safety{@prelim{}@mtsafe{@mtsenv{} @mtslocale{}}@asunsafe{@asucorrupt{} @ascuheap{} @asulock{} @ascudlopen{}}@acunsafe{@acucorrupt{} @aculock{} @acsmem{} @acsfd{}}}
  228. @c syslog @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
  229. @c va_start dup ok
  230. @c vsyslog_chk @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
  231. @c syslog(INTERNALLOG) dup @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
  232. @c open_memstream @ascuheap @acsmem
  233. @c stpcpy dup ok
  234. @c getpid dup ok
  235. @c mempcpy dup ok
  236. @c fsetlocking [no @mtasurace:stream @asulock for exclusive stream]
  237. @c fprintf @mtslocale @ascuheap @acsmem [no @asucorrupt @aculock @acucorrupt on temp memstream]
  238. @c time dup ok
  239. @c localtime_r dup @mtsenv @mtslocale @ascuheap @asulock @aculock @acsmem @acsfd
  240. @c strftime_l(C) dup @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
  241. @c ftell dup ok [no @asucorrupt @aculock @acucorrupt on temp memstream]
  242. @c fputs_unlocked dup ok [no @mtasurace:stream @asucorrupt @acucorrupt on temp memstream]
  243. @c putc_unlocked dup ok [no @mtasurace:stream @asucorrupt @acucorrupt on temp memstream]
  244. @c vfprintf/vfprintf_chk dup @mtslocale @ascuheap @acsmem [no @mtasurace:stream @asucorrupt @acucorrupt on temp memstream]
  245. @c fclose dup @ascuheap @acsmem [no @asulock @aculock @acsfd on caller-locked memstream]
  246. @c writev dup ok
  247. @c libc_lock_lock dup @asulock @aculock
  248. @c memset dup ok
  249. @c sigemptyset dup ok
  250. @c sigaction(SIGPIPE) dup @mtasusig:PIPE @acusig:PIPE
  251. @c openlog_internal dup @acsfd
  252. @c send dup ok
  253. @c closelog_internal dup @acsfd
  254. @c open dup @acsfd
  255. @c dprintf dup ok
  256. @c libc_lock_unlock @asulock @aculock
  257. @c free dup @acsuheap @acsmem
  258. @c va_end dup ok
  259. @code{syslog} submits a message to the Syslog facility. It does this by
  260. writing to the Unix domain socket @code{/dev/log}.
  261. @code{syslog} submits the message with the facility and priority indicated
  262. by @var{facility_priority}. The macro @code{LOG_MAKEPRI} generates a
  263. facility/priority from a facility and a priority, as in the following
  264. example:
  265. @smallexample
  266. LOG_MAKEPRI(LOG_USER, LOG_WARNING)
  267. @end smallexample
  268. The possible values for the facility code are (macros):
  269. @c Internally, there is also LOG_KERN, but LOG_KERN == 0, which means
  270. @c if you try to use it here, just selects default.
  271. @vtable @code
  272. @item LOG_USER
  273. A miscellaneous user process
  274. @item LOG_MAIL
  275. Mail
  276. @item LOG_DAEMON
  277. A miscellaneous system daemon
  278. @item LOG_AUTH
  279. Security (authorization)
  280. @item LOG_SYSLOG
  281. Syslog
  282. @item LOG_LPR
  283. Central printer
  284. @item LOG_NEWS
  285. Network news (e.g. Usenet)
  286. @item LOG_UUCP
  287. UUCP
  288. @item LOG_CRON
  289. Cron and At
  290. @item LOG_AUTHPRIV
  291. Private security (authorization)
  292. @item LOG_FTP
  293. Ftp server
  294. @item LOG_LOCAL0
  295. Locally defined
  296. @item LOG_LOCAL1
  297. Locally defined
  298. @item LOG_LOCAL2
  299. Locally defined
  300. @item LOG_LOCAL3
  301. Locally defined
  302. @item LOG_LOCAL4
  303. Locally defined
  304. @item LOG_LOCAL5
  305. Locally defined
  306. @item LOG_LOCAL6
  307. Locally defined
  308. @item LOG_LOCAL7
  309. Locally defined
  310. @end vtable
  311. Results are undefined if the facility code is anything else.
  312. @strong{NB:} @code{syslog} recognizes one other facility code: that of
  313. the kernel. But you can't specify that facility code with these
  314. functions. If you try, it looks the same to @code{syslog} as if you are
  315. requesting the default facility. But you wouldn't want to anyway,
  316. because any program that uses @theglibc{} is not the kernel.
  317. You can use just a priority code as @var{facility_priority}. In that
  318. case, @code{syslog} assumes the default facility established when the
  319. Syslog connection was opened. @xref{Syslog Example}.
  320. The possible values for the priority code are (macros):
  321. @vtable @code
  322. @item LOG_EMERG
  323. The message says the system is unusable.
  324. @item LOG_ALERT
  325. Action on the message must be taken immediately.
  326. @item LOG_CRIT
  327. The message states a critical condition.
  328. @item LOG_ERR
  329. The message describes an error.
  330. @item LOG_WARNING
  331. The message is a warning.
  332. @item LOG_NOTICE
  333. The message describes a normal but important event.
  334. @item LOG_INFO
  335. The message is purely informational.
  336. @item LOG_DEBUG
  337. The message is only for debugging purposes.
  338. @end vtable
  339. Results are undefined if the priority code is anything else.
  340. If the process does not presently have a Syslog connection open (i.e.,
  341. it did not call @code{openlog}), @code{syslog} implicitly opens the
  342. connection the same as @code{openlog} would, with the following defaults
  343. for information that would otherwise be included in an @code{openlog}
  344. call: The default identification string is the program name. The
  345. default default facility is @code{LOG_USER}. The default for all the
  346. connection options in @var{options} is as if those bits were off.
  347. @code{syslog} leaves the Syslog connection open.
  348. If the @file{/dev/log} socket is not open and connected, @code{syslog}
  349. opens and connects it, the same as @code{openlog} with the
  350. @code{LOG_NDELAY} option would.
  351. @code{syslog} leaves @file{/dev/log} open and connected unless its attempt
  352. to send the message failed, in which case @code{syslog} closes it (with the
  353. hope that a future implicit open will restore the Syslog connection to a
  354. usable state).
  355. Example:
  356. @smallexample
  357. #include <syslog.h>
  358. syslog (LOG_MAKEPRI(LOG_LOCAL1, LOG_ERROR),
  359. "Unable to make network connection to %s. Error=%m", host);
  360. @end smallexample
  361. @end deftypefun
  362. @deftypefun void vsyslog (int @var{facility_priority}, const char *@var{format}, va_list @var{arglist})
  363. @standards{BSD, syslog.h}
  364. @safety{@prelim{}@mtsafe{@mtsenv{} @mtslocale{}}@asunsafe{@asucorrupt{} @ascuheap{} @asulock{} @ascudlopen{}}@acunsafe{@acucorrupt{} @aculock{} @acsmem{} @acsfd{}}}
  365. @c vsyslog @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
  366. @c vsyslog_chk dup @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
  367. This is functionally identical to @code{syslog}, with the BSD style variable
  368. length argument.
  369. @end deftypefun
  370. @node closelog
  371. @subsection closelog
  372. The symbols referred to in this section are declared in the file
  373. @file{syslog.h}.
  374. @deftypefun void closelog (void)
  375. @standards{BSD, syslog.h}
  376. @safety{@prelim{}@mtsafe{}@asunsafe{@asulock{}}@acunsafe{@aculock{} @acsfd{}}}
  377. @c closelog @asulock @aculock @acsfd
  378. @c libc_lock_lock @asulock @aculock
  379. @c closelog_internal @acsfd [always guarded by syslog_lock, so no race]
  380. @c close dup@acsfd
  381. @c cancel_handler(NULL) @aculock
  382. @c libc_lock_unlock @aculock
  383. @code{closelog} closes the current Syslog connection, if there is one.
  384. This includes closing the @file{/dev/log} socket, if it is open.
  385. @code{closelog} also sets the identification string for Syslog messages
  386. back to the default, if @code{openlog} was called with a non-NULL argument
  387. to @var{ident}. The default identification string is the program name
  388. taken from argv[0].
  389. If you are writing shared library code that uses @code{openlog} to
  390. generate custom syslog output, you should use @code{closelog} to drop
  391. @theglibc{}'s internal reference to the @var{ident} pointer when you are
  392. done. Please read the section on @code{openlog} for more information:
  393. @xref{openlog}.
  394. @code{closelog} does not flush any buffers. You do not have to call
  395. @code{closelog} before re-opening a Syslog connection with @code{openlog}.
  396. Syslog connections are automatically closed on exec or exit.
  397. @end deftypefun
  398. @node setlogmask
  399. @subsection setlogmask
  400. The symbols referred to in this section are declared in the file
  401. @file{syslog.h}.
  402. @deftypefun int setlogmask (int @var{mask})
  403. @standards{BSD, syslog.h}
  404. @safety{@prelim{}@mtsafe{}@asunsafe{@asulock{}}@acunsafe{@aculock{}}}
  405. @code{setlogmask} sets a mask (the ``logmask'') that determines which
  406. future @code{syslog} calls shall be ignored. If a program has not
  407. called @code{setlogmask}, @code{syslog} doesn't ignore any calls. You
  408. can use @code{setlogmask} to specify that messages of particular
  409. priorities shall be ignored in the future.
  410. A @code{setlogmask} call overrides any previous @code{setlogmask} call.
  411. Note that the logmask exists entirely independently of opening and
  412. closing of Syslog connections.
  413. Setting the logmask has a similar effect to, but is not the same as,
  414. configuring Syslog. The Syslog configuration may cause Syslog to
  415. discard certain messages it receives, but the logmask causes certain
  416. messages never to get submitted to Syslog in the first place.
  417. @var{mask} is a bit string with one bit corresponding to each of the
  418. possible message priorities. If the bit is on, @code{syslog} handles
  419. messages of that priority normally. If it is off, @code{syslog}
  420. discards messages of that priority. Use the message priority macros
  421. described in @ref{syslog; vsyslog} and the @code{LOG_MASK} to construct
  422. an appropriate @var{mask} value, as in this example:
  423. @smallexample
  424. LOG_MASK(LOG_EMERG) | LOG_MASK(LOG_ERROR)
  425. @end smallexample
  426. or
  427. @smallexample
  428. ~(LOG_MASK(LOG_INFO))
  429. @end smallexample
  430. There is also a @code{LOG_UPTO} macro, which generates a mask with the bits
  431. on for a certain priority and all priorities above it:
  432. @smallexample
  433. LOG_UPTO(LOG_ERROR)
  434. @end smallexample
  435. The unfortunate naming of the macro is due to the fact that internally,
  436. higher numbers are used for lower message priorities.
  437. @end deftypefun
  438. @node Syslog Example
  439. @subsection Syslog Example
  440. Here is an example of @code{openlog}, @code{syslog}, and @code{closelog}:
  441. This example sets the logmask so that debug and informational messages
  442. get discarded without ever reaching Syslog. So the second @code{syslog}
  443. in the example does nothing.
  444. @smallexample
  445. #include <syslog.h>
  446. setlogmask (LOG_UPTO (LOG_NOTICE));
  447. openlog ("exampleprog", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1);
  448. syslog (LOG_NOTICE, "Program started by User %d", getuid ());
  449. syslog (LOG_INFO, "A tree falls in a forest");
  450. closelog ();
  451. @end smallexample