[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
This chapter describes facilities for issuing and logging messages of system administration interest. This chapter has nothing to do with programs issuing messages to their own users or keeping private logs (One would typically do that with the facilities described in Input/Output on Streams).
Most systems have a facility called “Syslog” that allows programs to submit messages of interest to system administrators and can be configured to pass these messages on in various ways, such as printing on the console, mailing to a particular person, or recording in a log file for future reference.
A program uses the facilities in this chapter to submit such messages.
18.1 Overview of Syslog | Overview of a system's Syslog facility | |
18.2 Submitting Syslog Messages | Functions to submit messages to Syslog |
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
System administrators have to deal with lots of different kinds of messages from a plethora of subsystems within each system, and usually lots of systems as well. For example, an FTP server might report every connection it gets. The kernel might report hardware failures on a disk drive. A DNS server might report usage statistics at regular intervals.
Some of these messages need to be brought to a system administrator's attention immediately. And it may not be just any system administrator – there may be a particular system administrator who deals with a particular kind of message. Other messages just need to be recorded for future reference if there is a problem. Still others may need to have information extracted from them by an automated process that generates monthly reports.
To deal with these messages, most Unix systems have a facility called "Syslog." It is generally based on a daemon called “Syslogd” Syslogd listens for messages on a Unix domain socket named ‘/dev/log’. Based on classification information in the messages and its configuration file (usually ‘/etc/syslog.conf’), Syslogd routes them in various ways. Some of the popular routings are:
Syslogd can also handle messages from other systems. It listens on the
syslog
UDP port as well as the local socket for messages.
Syslog can handle messages from the kernel itself. But the kernel doesn't write to ‘/dev/log’; rather, another daemon (sometimes called “Klogd”) extracts messages from the kernel and passes them on to Syslog as any other process would (and it properly identifies them as messages from the kernel).
Syslog can even handle messages that the kernel issued before Syslogd or Klogd was running. A Linux kernel, for example, stores startup messages in a kernel message ring and they are normally still there when Klogd later starts up. Assuming Syslogd is running by the time Klogd starts, Klogd then passes everything in the message ring to it.
In order to classify messages for disposition, Syslog requires any process that submits a message to it to provide two pieces of classification information with it:
This identifies who submitted the message. There are a small number of facilities defined. The kernel, the mail subsystem, and an FTP server are examples of recognized facilities. For the complete list, See section syslog, vsyslog. Keep in mind that these are essentially arbitrary classifications. "Mail subsystem" doesn't have any more meaning than the system administrator gives to it.
This tells how important the content of the message is. Examples of defined priority values are: debug, informational, warning, critical. For the complete list, see syslog, vsyslog. Except for the fact that the priorities have a defined order, the meaning of each of these priorities is entirely determined by the system administrator.
A “facility/priority” is a number that indicates both the facility and the priority.
Warning: This terminology is not universal. Some people use “level” to refer to the priority and “priority” to refer to the combination of facility and priority. A Linux kernel has a concept of a message “level,” which corresponds both to a Syslog priority and to a Syslog facility/priority (It can be both because the facility code for the kernel is zero, and that makes priority and facility/priority the same value).
The GNU C library provides functions to submit messages to Syslog. They do it by writing to the ‘/dev/log’ socket. See section Submitting Syslog Messages.
The GNU C library functions only work to submit messages to the Syslog
facility on the same system. To submit a message to the Syslog facility
on another system, use the socket I/O functions to write a UDP datagram
to the syslog
UDP port on that system. See section Sockets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
The GNU C library provides functions to submit messages to the Syslog facility:
18.2.1 openlog | Open connection to Syslog | |
18.2.2 syslog, vsyslog | Submit message to Syslog | |
18.2.3 closelog | Close connection to Syslog | |
18.2.4 setlogmask | Cause certain messages to be ignored | |
18.2.5 Syslog Example | Example of all of the above |
These functions only work to submit messages to the Syslog facility on
the same system. To submit a message to the Syslog facility on another
system, use the socket I/O functions to write a UDP datagram to the
syslog
UDP port on that system. See section Sockets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
The symbols referred to in this section are declared in the file ‘syslog.h’.
openlog
opens or reopens a connection to Syslog in preparation
for submitting messages.
ident is an arbitrary identification string which future
syslog
invocations will prefix to each message. This is intended
to identify the source of the message, and people conventionally set it
to the name of the program that will submit the messages.
If ident is NULL, or if openlog
is not called, the default
identification string used in Syslog messages will be the program name,
taken from argv[0].
Please note that the string pointer ident will be retained
internally by the Syslog routines. You must not free the memory that
ident points to. It is also dangerous to pass a reference to an
automatic variable since leaving the scope would mean ending the
lifetime of the variable. If you want to change the ident string,
you must call openlog
again; overwriting the string pointed to by
ident is not thread-safe.
You can cause the Syslog routines to drop the reference to ident and
go back to the default string (the program name taken from argv[0]), by
calling closelog
: See section closelog.
In particular, if you are writing code for a shared library that might get
loaded and then unloaded (e.g. a PAM module), and you use openlog
,
you must call closelog
before any point where your library might
get unloaded, as in this example:
#include <syslog.h> void shared_library_function (void) { openlog ("mylibrary", option, priority); syslog (LOG_INFO, "shared library has been invoked"); closelog (); } |
Without the call to closelog
, future invocations of syslog
by the program using the shared library may crash, if the library gets
unloaded and the memory containing the string "mylibrary"
becomes
unmapped. This is a limitation of the BSD syslog interface.
openlog
may or may not open the ‘/dev/log’ socket, depending
on option. If it does, it tries to open it and connect it as a
stream socket. If that doesn't work, it tries to open it and connect it
as a datagram socket. The socket has the “Close on Exec” attribute,
so the kernel will close it if the process performs an exec.
You don't have to use openlog
. If you call syslog
without
having called openlog
, syslog
just opens the connection
implicitly and uses defaults for the information in ident and
options.
options is a bit string, with the bits as defined by the following single bit masks:
LOG_PERROR
If on, openlog
sets up the connection so that any syslog
on this connection writes its message to the calling process' Standard
Error stream in addition to submitting it to Syslog. If off, syslog
does not write the message to Standard Error.
LOG_CONS
If on, openlog
sets up the connection so that a syslog
on
this connection that fails to submit a message to Syslog writes the
message instead to system console. If off, syslog
does not write
to the system console (but of course Syslog may write messages it
receives to the console).
LOG_PID
When on, openlog
sets up the connection so that a syslog
on this connection inserts the calling process' Process ID (PID) into
the message. When off, openlog
does not insert the PID.
LOG_NDELAY
When on, openlog
opens and connects the ‘/dev/log’ socket.
When off, a future syslog
call must open and connect the socket.
Portability note: In early systems, the sense of this bit was exactly the opposite.
LOG_ODELAY
This bit does nothing. It exists for backward compatibility.
If any other bit in options is on, the result is undefined.
facility is the default facility code for this connection. A
syslog
on this connection that specifies default facility causes
this facility to be associated with the message. See syslog
for
possible values. A value of zero means the default default, which is
LOG_USER
.
If a Syslog connection is already open when you call openlog
,
openlog
“reopens” the connection. Reopening is like opening
except that if you specify zero for the default facility code, the
default facility code simply remains unchanged and if you specify
LOG_NDELAY and the socket is already open and connected, openlog
just leaves it that way.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
The symbols referred to in this section are declared in the file ‘syslog.h’.
syslog
submits a message to the Syslog facility. It does this by
writing to the Unix domain socket /dev/log
.
syslog
submits the message with the facility and priority indicated
by facility_priority. The macro LOG_MAKEPRI
generates a
facility/priority from a facility and a priority, as in the following
example:
LOG_MAKEPRI(LOG_USER, LOG_WARNING) |
The possible values for the facility code are (macros):
LOG_USER
A miscellaneous user process
LOG_MAIL
LOG_DAEMON
A miscellaneous system daemon
LOG_AUTH
Security (authorization)
LOG_SYSLOG
Syslog
LOG_LPR
Central printer
LOG_NEWS
Network news (e.g. Usenet)
LOG_UUCP
UUCP
LOG_CRON
Cron and At
LOG_AUTHPRIV
Private security (authorization)
LOG_FTP
Ftp server
LOG_LOCAL0
Locally defined
LOG_LOCAL1
Locally defined
LOG_LOCAL2
Locally defined
LOG_LOCAL3
Locally defined
LOG_LOCAL4
Locally defined
LOG_LOCAL5
Locally defined
LOG_LOCAL6
Locally defined
LOG_LOCAL7
Locally defined
Results are undefined if the facility code is anything else.
note: syslog
recognizes one other facility code: that of
the kernel. But you can't specify that facility code with these
functions. If you try, it looks the same to syslog
as if you are
requesting the default facility. But you wouldn't want to anyway,
because any program that uses the GNU C library is not the kernel.
You can use just a priority code as facility_priority. In that
case, syslog
assumes the default facility established when the
Syslog connection was opened. See section Syslog Example.
The possible values for the priority code are (macros):
LOG_EMERG
The message says the system is unusable.
LOG_ALERT
Action on the message must be taken immediately.
LOG_CRIT
The message states a critical condition.
LOG_ERR
The message describes an error.
LOG_WARNING
The message is a warning.
LOG_NOTICE
The message describes a normal but important event.
LOG_INFO
The message is purely informational.
LOG_DEBUG
The message is only for debugging purposes.
Results are undefined if the priority code is anything else.
If the process does not presently have a Syslog connection open (i.e.,
it did not call openlog
), syslog
implicitly opens the
connection the same as openlog
would, with the following defaults
for information that would otherwise be included in an openlog
call: The default identification string is the program name. The
default default facility is LOG_USER
. The default for all the
connection options in options is as if those bits were off.
syslog
leaves the Syslog connection open.
If the ‘dev/log’ socket is not open and connected, syslog
opens and connects it, the same as openlog
with the
LOG_NDELAY
option would.
syslog
leaves ‘/dev/log’ open and connected unless its attempt
to send the message failed, in which case syslog
closes it (with the
hope that a future implicit open will restore the Syslog connection to a
usable state).
Example:
#include <syslog.h> syslog (LOG_MAKEPRI(LOG_LOCAL1, LOG_ERROR), "Unable to make network connection to %s. Error=%m", host); |
This is functionally identical to syslog
, with the BSD style variable
length argument.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
The symbols referred to in this section are declared in the file ‘syslog.h’.
closelog
closes the current Syslog connection, if there is one.
This includes closing the ‘dev/log’ socket, if it is open.
closelog
also sets the identification string for Syslog messages
back to the default, if openlog
was called with a non-NULL argument
to ident. The default identification string is the program name
taken from argv[0].
If you are writing shared library code that uses openlog
to
generate custom syslog output, you should use closelog
to drop the
GNU C library's internal reference to the ident pointer when you are
done. Please read the section on openlog
for more information:
See section openlog.
closelog
does not flush any buffers. You do not have to call
closelog
before re-opening a Syslog connection with initlog
.
Syslog connections are automatically closed on exec or exit.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
The symbols referred to in this section are declared in the file ‘syslog.h’.
setlogmask
sets a mask (the “logmask”) that determines which
future syslog
calls shall be ignored. If a program has not
called setlogmask
, syslog
doesn't ignore any calls. You
can use setlogmask
to specify that messages of particular
priorities shall be ignored in the future.
A setlogmask
call overrides any previous setlogmask
call.
Note that the logmask exists entirely independently of opening and closing of Syslog connections.
Setting the logmask has a similar effect to, but is not the same as, configuring Syslog. The Syslog configuration may cause Syslog to discard certain messages it receives, but the logmask causes certain messages never to get submitted to Syslog in the first place.
mask is a bit string with one bit corresponding to each of the
possible message priorities. If the bit is on, syslog
handles
messages of that priority normally. If it is off, syslog
discards messages of that priority. Use the message priority macros
described in syslog, vsyslog and the LOG_MASK
to construct
an appropriate mask value, as in this example:
LOG_MASK(LOG_EMERG) | LOG_MASK(LOG_ERROR) |
or
~(LOG_MASK(LOG_INFO)) |
There is also a LOG_UPTO
macro, which generates a mask with the bits
on for a certain priority and all priorities above it:
LOG_UPTO(LOG_ERROR) |
The unfortunate naming of the macro is due to the fact that internally, higher numbers are used for lower message priorities.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Here is an example of openlog
, syslog
, and closelog
:
This example sets the logmask so that debug and informational messages
get discarded without ever reaching Syslog. So the second syslog
in the example does nothing.
#include <syslog.h> setlogmask (LOG_UPTO (LOG_NOTICE)); openlog ("exampleprog", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1); syslog (LOG_NOTICE, "Program started by User %d", getuid ()); syslog (LOG_INFO, "A tree falls in a forest"); closelog (); |
[ << ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
This document was generated by root on January, 9 2009 using texi2html 1.78.