summaryrefslogtreecommitdiff
path: root/manual/syslog.texi
blob: a08e103bf3b0cb7067f10bec5878bef7dd367467 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
@node Syslog, Mathematics, Low-Level Terminal Interface, Top
@c %MENU% System logging and messaging
@chapter Syslog


This chapter describes facilities for issuing and logging messages of
system administration interest.  This chapter has nothing to do with
programs issuing messages to their own users or keeping private logs
(One would typically do that with the facilities described in
@ref{I/O on Streams}).

Most systems have a facility called ``Syslog'' that allows programs to
submit messages of interest to system administrators and can be
configured to pass these messages on in various ways, such as printing
on the console, mailing to a particular person, or recording in a log
file for future reference.

A program uses the facilities in this chapter to submit such messages.

@menu
* Overview of Syslog::           Overview of a system's Syslog facility
* Submitting Syslog Messages::   Functions to submit messages to Syslog
@end menu

@node Overview of Syslog
@section Overview of Syslog

System administrators have to deal with lots of different kinds of
messages from a plethora of subsystems within each system, and usually
lots of systems as well.  For example, an FTP server might report every
connection it gets.  The kernel might report hardware failures on a disk
drive.  A DNS server might report usage statistics at regular intervals.

Some of these messages need to be brought to a system administrator's
attention immediately.  And it may not be just any system administrator
-- there may be a particular system administrator who deals with a
particular kind of message.  Other messages just need to be recorded for
future reference if there is a problem.  Still others may need to have
information extracted from them by an automated process that generates
monthly reports.

To deal with these messages, most Unix systems have a facility called
"Syslog."  It is generally based on a daemon called ``Syslogd''
Syslogd listens for messages on a Unix domain socket named
@file{/dev/log}.  Based on classification information in the messages
and its configuration file (usually @file{/etc/syslog.conf}), Syslogd
routes them in various ways.  Some of the popular routings are:

@itemize @bullet
@item
Write to the system console
@item
Mail to a specific user
@item
Write to a log file
@item
Pass to another daemon
@item
Discard
@end itemize

Syslogd can also handle messages from other systems.  It listens on the
@code{syslog} UDP port as well as the local socket for messages.

Syslog can handle messages from the kernel itself.  But the kernel
doesn't write to @file{/dev/log}; rather, another daemon (sometimes
called ``Klogd'') extracts messages from the kernel and passes them on to
Syslog as any other process would (and it properly identifies them as
messages from the kernel).

Syslog can even handle messages that the kernel issued before Syslogd or
Klogd was running.  A Linux kernel, for example, stores startup messages
in a kernel message ring and they are normally still there when Klogd
later starts up.  Assuming Syslogd is running by the time Klogd starts,
Klogd then passes everything in the message ring to it.

In order to classify messages for disposition, Syslog requires any process
that submits a message to it to provide two pieces of classification
information with it:

@table @asis
@item facility
This identifies who submitted the message.  There are a small number of
facilities defined.  The kernel, the mail subsystem, and an FTP server
are examples of recognized facilities.  For the complete list,
@xref{syslog; vsyslog}.  Keep in mind that these are
essentially arbitrary classifications.  "Mail subsystem" doesn't have any
more meaning than the system administrator gives to it.

@item priority
This tells how important the content of the message is.  Examples of
defined priority values are: debug, informational, warning, critical.
For the complete list, see @ref{syslog; vsyslog}.  Except for
the fact that the priorities have a defined order, the meaning of each
of these priorities is entirely determined by the system administrator.

@end table

A ``facility/priority'' is a number that indicates both the facility
and the priority.

@strong{Warning:} This terminology is not universal.  Some people use
``level'' to refer to the priority and ``priority'' to refer to the
combination of facility and priority.  A Linux kernel has a concept of a
message ``level,'' which corresponds both to a Syslog priority and to a
Syslog facility/priority (It can be both because the facility code for
the kernel is zero, and that makes priority and facility/priority the
same value).

@Theglibc{} provides functions to submit messages to Syslog.  They
do it by writing to the @file{/dev/log} socket.  @xref{Submitting Syslog
Messages}.

The @glibcadj{} functions only work to submit messages to the Syslog
facility on the same system.  To submit a message to the Syslog facility
on another system, use the socket I/O functions to write a UDP datagram
to the @code{syslog} UDP port on that system.  @xref{Sockets}.


@node Submitting Syslog Messages
@section Submitting Syslog Messages

@Theglibc{} provides functions to submit messages to the Syslog
facility:

@menu
* openlog::                      Open connection to Syslog
* syslog; vsyslog::              Submit message to Syslog
* closelog::                     Close connection to Syslog
* setlogmask::                   Cause certain messages to be ignored
* Syslog Example::               Example of all of the above
@end menu

These functions only work to submit messages to the Syslog facility on
the same system.  To submit a message to the Syslog facility on another
system, use the socket I/O functions to write a UDP datagram to the
@code{syslog} UDP port on that system.  @xref{Sockets}.



@node openlog
@subsection openlog

The symbols referred to in this section are declared in the file
@file{syslog.h}.

@comment syslog.h
@comment BSD
@deftypefun void openlog (const char *@var{ident}, int @var{option}, int @var{facility})
@safety{@prelim{}@mtsafe{}@asunsafe{@asulock{}}@acunsafe{@aculock{} @acsfd{}}}
@c openlog @asulock @aculock @acsfd
@c  libc_lock_lock @asulock @aculock
@c  openlog_internal @acsfd [always guarded by syslog_lock, so no race]
@c   strncpy dup ok
@c   socket dup @acsfd
@c   fcntl dup ok
@c   connect dup ok
@c   close dup @acsfd
@c  cancel_handler(NULL) @aculock
@c   libc_lock_unlock @aculock

@code{openlog} opens or reopens a connection to Syslog in preparation
for submitting messages.

@var{ident} is an arbitrary identification string which future
@code{syslog} invocations will prefix to each message.  This is intended
to identify the source of the message, and people conventionally set it
to the name of the program that will submit the messages.

If @var{ident} is NULL, or if @code{openlog} is not called, the default
identification string used in Syslog messages will be the program name,
taken from argv[0].

Please note that the string pointer @var{ident} will be retained
internally by the Syslog routines.  You must not free the memory that
@var{ident} points to.  It is also dangerous to pass a reference to an
automatic variable since leaving the scope would mean ending the
lifetime of the variable.  If you want to change the @var{ident} string,
you must call @code{openlog} again; overwriting the string pointed to by
@var{ident} is not thread-safe.

You can cause the Syslog routines to drop the reference to @var{ident} and
go back to the default string (the program name taken from argv[0]), by
calling @code{closelog}: @xref{closelog}.

In particular, if you are writing code for a shared library that might get
loaded and then unloaded (e.g. a PAM module), and you use @code{openlog},
you must call @code{closelog} before any point where your library might
get unloaded, as in this example:

@smallexample
#include <syslog.h>

void
shared_library_function (void)
@{
  openlog ("mylibrary", option, priority);

  syslog (LOG_INFO, "shared library has been invoked");

  closelog ();
@}
@end smallexample

Without the call to @code{closelog}, future invocations of @code{syslog}
by the program using the shared library may crash, if the library gets
unloaded and the memory containing the string @code{"mylibrary"} becomes
unmapped.  This is a limitation of the BSD syslog interface.

@code{openlog} may or may not open the @file{/dev/log} socket, depending
on @var{option}.  If it does, it tries to open it and connect it as a
stream socket.  If that doesn't work, it tries to open it and connect it
as a datagram socket.  The socket has the ``Close on Exec'' attribute,
so the kernel will close it if the process performs an exec.

You don't have to use @code{openlog}.  If you call @code{syslog} without
having called @code{openlog}, @code{syslog} just opens the connection
implicitly and uses defaults for the information in @var{ident} and
@var{options}.

@var{options} is a bit string, with the bits as defined by the following
single bit masks:

@table @code
@item LOG_PERROR
If on, @code{openlog} sets up the connection so that any @code{syslog}
on this connection writes its message to the calling process' Standard
Error stream in addition to submitting it to Syslog.  If off, @code{syslog}
does not write the message to Standard Error.

@item LOG_CONS
If on, @code{openlog} sets up the connection so that a @code{syslog} on
this connection that fails to submit a message to Syslog writes the
message instead to system console.  If off, @code{syslog} does not write
to the system console (but of course Syslog may write messages it
receives to the console).

@item LOG_PID
When on, @code{openlog} sets up the connection so that a @code{syslog}
on this connection inserts the calling process' Process ID (PID) into
the message.  When off, @code{openlog} does not insert the PID.

@item LOG_NDELAY
When on, @code{openlog} opens and connects the @file{/dev/log} socket.
When off, a future @code{syslog} call must open and connect the socket.

@strong{Portability note:}  In early systems, the sense of this bit was
exactly the opposite.

@item LOG_ODELAY
This bit does nothing.  It exists for backward compatibility.

@end table

If any other bit in @var{options} is on, the result is undefined.

@var{facility} is the default facility code for this connection.  A
@code{syslog} on this connection that specifies default facility causes
this facility to be associated with the message.  See @code{syslog} for
possible values.  A value of zero means the default default, which is
@code{LOG_USER}.

If a Syslog connection is already open when you call @code{openlog},
@code{openlog} ``reopens'' the connection.  Reopening is like opening
except that if you specify zero for the default facility code, the
default facility code simply remains unchanged and if you specify
LOG_NDELAY and the socket is already open and connected, @code{openlog}
just leaves it that way.

@c There is a bug in closelog() (glibc 2.1.3) wherein it does not reset the
@c default log facility to LOG_USER, which means the default default log
@c facility could be whatever the default log facility was for a previous
@c Syslog connection.  I have documented what the function should be rather
@c than what it is because I think if anyone ever gets concerned, the code
@c will change.

@end deftypefun


@node syslog; vsyslog
@subsection syslog, vsyslog

The symbols referred to in this section are declared in the file
@file{syslog.h}.

@c syslog() is implemented as a call to vsyslog().
@comment syslog.h
@comment BSD
@deftypefun void syslog (int @var{facility_priority}, const char *@var{format}, @dots{})
@safety{@prelim{}@mtsafe{@mtsenv{} @mtslocale{}}@asunsafe{@asucorrupt{} @ascuheap{} @asulock{} @ascudlopen{}}@acunsafe{@acucorrupt{} @aculock{} @acsmem{} @acsfd{}}}
@c syslog @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
@c  va_start dup ok
@c  vsyslog_chk @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
@c   syslog(INTERNALLOG) dup @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
@c   open_memstream @ascuheap @acsmem
@c   stpcpy dup ok
@c   getpid dup ok
@c   mempcpy dup ok
@c   fsetlocking [no @mtasurace:stream @asulock for exclusive stream]
@c   fprintf @mtslocale @ascuheap @acsmem [no @asucorrupt @aculock @acucorrupt on temp memstream]
@c   time dup ok
@c   localtime_r dup @mtsenv @mtslocale @ascuheap @asulock @aculock @acsmem @acsfd
@c   strftime_l(C) dup @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
@c   ftell dup ok [no @asucorrupt @aculock @acucorrupt on temp memstream]
@c   fputs_unlocked dup ok [no @mtasurace:stream @asucorrupt @acucorrupt on temp memstream]
@c   putc_unlocked dup ok [no @mtasurace:stream @asucorrupt @acucorrupt on temp memstream]
@c   vfprintf/vfprintf_chk dup @mtslocale @ascuheap @acsmem [no @mtasurace:stream @asucorrupt @acucorrupt on temp memstream]
@c   fclose dup @ascuheap @acsmem [no @asulock @aculock @acsfd on caller-locked memstream]
@c   writev dup ok
@c   libc_lock_lock dup @asulock @aculock
@c   memset dup ok
@c   sigemptyset dup ok
@c   sigaction(SIGPIPE) dup @mtasusig:PIPE @acusig:PIPE
@c   openlog_internal dup @acsfd
@c   send dup ok
@c   closelog_internal dup @acsfd
@c   open dup @acsfd
@c   dprintf dup ok
@c   libc_lock_unlock @asulock @aculock
@c   free dup @acsuheap @acsmem
@c  va_end dup ok

@code{syslog} submits a message to the Syslog facility.  It does this by
writing to the Unix domain socket @code{/dev/log}.

@code{syslog} submits the message with the facility and priority indicated
by @var{facility_priority}.  The macro @code{LOG_MAKEPRI} generates a
facility/priority from a facility and a priority, as in the following
example:

@smallexample
LOG_MAKEPRI(LOG_USER, LOG_WARNING)
@end smallexample

The possible values for the facility code are (macros):

@c Internally, there is also LOG_KERN, but LOG_KERN == 0, which means
@c if you try to use it here, just selects default.

@vtable @code
@item LOG_USER
A miscellaneous user process
@item LOG_MAIL
Mail
@item LOG_DAEMON
A miscellaneous system daemon
@item LOG_AUTH
Security (authorization)
@item LOG_SYSLOG
Syslog
@item LOG_LPR
Central printer
@item LOG_NEWS
Network news (e.g. Usenet)
@item LOG_UUCP
UUCP
@item LOG_CRON
Cron and At
@item LOG_AUTHPRIV
Private security (authorization)
@item LOG_FTP
Ftp server
@item LOG_LOCAL0
Locally defined
@item LOG_LOCAL1
Locally defined
@item LOG_LOCAL2
Locally defined
@item LOG_LOCAL3
Locally defined
@item LOG_LOCAL4
Locally defined
@item LOG_LOCAL5
Locally defined
@item LOG_LOCAL6
Locally defined
@item LOG_LOCAL7
Locally defined
@end vtable

Results are undefined if the facility code is anything else.

@strong{NB:} @code{syslog} recognizes one other facility code: that of
the kernel.  But you can't specify that facility code with these
functions.  If you try, it looks the same to @code{syslog} as if you are
requesting the default facility.  But you wouldn't want to anyway,
because any program that uses @theglibc{} is not the kernel.

You can use just a priority code as @var{facility_priority}.  In that
case, @code{syslog} assumes the default facility established when the
Syslog connection was opened.  @xref{Syslog Example}.

The possible values for the priority code are (macros):

@vtable @code
@item LOG_EMERG
The message says the system is unusable.
@item LOG_ALERT
Action on the message must be taken immediately.
@item LOG_CRIT
The message states a critical condition.
@item LOG_ERR
The message describes an error.
@item LOG_WARNING
The message is a warning.
@item LOG_NOTICE
The message describes a normal but important event.
@item LOG_INFO
The message is purely informational.
@item LOG_DEBUG
The message is only for debugging purposes.
@end vtable

Results are undefined if the priority code is anything else.

If the process does not presently have a Syslog connection open (i.e.,
it did not call @code{openlog}), @code{syslog} implicitly opens the
connection the same as @code{openlog} would, with the following defaults
for information that would otherwise be included in an @code{openlog}
call: The default identification string is the program name.  The
default default facility is @code{LOG_USER}.  The default for all the
connection options in @var{options} is as if those bits were off.
@code{syslog} leaves the Syslog connection open.

If the @file{/dev/log} socket is not open and connected, @code{syslog}
opens and connects it, the same as @code{openlog} with the
@code{LOG_NDELAY} option would.

@code{syslog} leaves @file{/dev/log} open and connected unless its attempt
to send the message failed, in which case @code{syslog} closes it (with the
hope that a future implicit open will restore the Syslog connection to a
usable state).

Example:

@smallexample

#include <syslog.h>
syslog (LOG_MAKEPRI(LOG_LOCAL1, LOG_ERROR),
        "Unable to make network connection to %s.  Error=%m", host);

@end smallexample

@end deftypefun


@comment syslog.h
@comment BSD
@deftypefun void vsyslog (int @var{facility_priority}, const char *@var{format}, va_list @var{arglist})
@safety{@prelim{}@mtsafe{@mtsenv{} @mtslocale{}}@asunsafe{@asucorrupt{} @ascuheap{} @asulock{} @ascudlopen{}}@acunsafe{@acucorrupt{} @aculock{} @acsmem{} @acsfd{}}}
@c vsyslog @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd
@c  vsyslog_chk dup @mtsenv @mtslocale @asucorrupt @ascuheap @asulock @ascudlopen @acucorrupt @aculock @acsmem @acsfd

This is functionally identical to @code{syslog}, with the BSD style variable
length argument.

@end deftypefun


@node closelog
@subsection closelog

The symbols referred to in this section are declared in the file
@file{syslog.h}.

@comment syslog.h
@comment BSD
@deftypefun void closelog (void)
@safety{@prelim{}@mtsafe{}@asunsafe{@asulock{}}@acunsafe{@aculock{} @acsfd{}}}
@c closelog @asulock @aculock @acsfd
@c  libc_lock_lock @asulock @aculock
@c  closelog_internal @acsfd [always guarded by syslog_lock, so no race]
@c   close dup@acsfd
@c  cancel_handler(NULL) @aculock
@c   libc_lock_unlock @aculock

@code{closelog} closes the current Syslog connection, if there is one.
This includes closing the @file{/dev/log} socket, if it is open.
@code{closelog} also sets the identification string for Syslog messages
back to the default, if @code{openlog} was called with a non-NULL argument
to @var{ident}.  The default identification string is the program name
taken from argv[0].

If you are writing shared library code that uses @code{openlog} to
generate custom syslog output, you should use @code{closelog} to drop
@theglibc{}'s internal reference to the @var{ident} pointer when you are
done.  Please read the section on @code{openlog} for more information:
@xref{openlog}.

@code{closelog} does not flush any buffers.  You do not have to call
@code{closelog} before re-opening a Syslog connection with @code{openlog}.
Syslog connections are automatically closed on exec or exit.

@end deftypefun


@node setlogmask
@subsection setlogmask

The symbols referred to in this section are declared in the file
@file{syslog.h}.

@comment syslog.h
@comment BSD
@deftypefun int setlogmask (int @var{mask})
@safety{@prelim{}@mtunsafe{@mtasurace{:LogMask}}@asunsafe{}@acsafe{}}
@c Read and modify are not guarded by syslog_lock, so concurrent changes
@c or even uses are undefined.  This should use an atomic swap instead,
@c at least for modifications.

@code{setlogmask} sets a mask (the ``logmask'') that determines which
future @code{syslog} calls shall be ignored.  If a program has not
called @code{setlogmask}, @code{syslog} doesn't ignore any calls.  You
can use @code{setlogmask} to specify that messages of particular
priorities shall be ignored in the future.

A @code{setlogmask} call overrides any previous @code{setlogmask} call.

Note that the logmask exists entirely independently of opening and
closing of Syslog connections.

Setting the logmask has a similar effect to, but is not the same as,
configuring Syslog.  The Syslog configuration may cause Syslog to
discard certain messages it receives, but the logmask causes certain
messages never to get submitted to Syslog in the first place.

@var{mask} is a bit string with one bit corresponding to each of the
possible message priorities.  If the bit is on, @code{syslog} handles
messages of that priority normally.  If it is off, @code{syslog}
discards messages of that priority.  Use the message priority macros
described in @ref{syslog; vsyslog} and the @code{LOG_MASK} to construct
an appropriate @var{mask} value, as in this example:

@smallexample
LOG_MASK(LOG_EMERG) | LOG_MASK(LOG_ERROR)
@end smallexample

or

@smallexample
~(LOG_MASK(LOG_INFO))
@end smallexample

There is also a @code{LOG_UPTO} macro, which generates a mask with the bits
on for a certain priority and all priorities above it:

@smallexample
LOG_UPTO(LOG_ERROR)
@end smallexample

The unfortunate naming of the macro is due to the fact that internally,
higher numbers are used for lower message priorities.

@end deftypefun


@node Syslog Example
@subsection Syslog Example

Here is an example of @code{openlog}, @code{syslog}, and @code{closelog}:

This example sets the logmask so that debug and informational messages
get discarded without ever reaching Syslog.  So the second @code{syslog}
in the example does nothing.

@smallexample
#include <syslog.h>

setlogmask (LOG_UPTO (LOG_NOTICE));

openlog ("exampleprog", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1);

syslog (LOG_NOTICE, "Program started by User %d", getuid ());
syslog (LOG_INFO, "A tree falls in a forest");

closelog ();

@end smallexample