Wednesday, July 21, 2010

syslog: Syslog Defined

When a program sends a message to syslog, it's given to the syslog daemon (syslogd) and then routed according to the /etc/syslog.conf
configuration file. By default most of the useful output from syslog is placed into /var/adm/messages.

When messages are sent to syslog they are given a "facility" (what's sending the message) and a "level" (how important it is). If you look in /etc/syslog.conf you'll see a variety of facility.level pairs, and for each of these a destination for that type of message. Facility can be named (daemon, kern, ...) or can be a wildcard (*). Level must be named (alert, crit, notice, ...), but a given level also matches every level more severe than it, so if you use the "notice" level you'll also get crits as well, for instance.

Of the facilities and levels, note that two are special, the wildcard (*) facility and the "none" level. Using the wildcard for the facility means all of them. The "none" severity level isn't useful on its own, but can be handy when creating compound statements for several facilities and levels.
 
So let's look at some sample lines from /etc/syslog.conf:

                 *.err;kern.debug;daemon.notice;mail.crit                /var/adm/messages

So this line passes along anything at err or more severe from any facility, any kernel message at debug or more severe (which is all of them), daemon notices or more severe, and critical or more severe mail messages, and routes these into the /var/adm/messages file. If we wanted to put all mail messages into a log file named "/var/adm/maillog" we could use something like "mail.debug /var/adm/maillog".

Putting log messages into a file is handy, but we can also send those messages across the network to a centralized syslog server. Simply use "@mysyslogserver" instead of a filename. So, "auth.notice @logserver" will send all authorization notices (or more severe) to the syslog daemon running on a system called "logserver".

                 auth.notice                @logserver

Syslog on Solaris is set up by default to accept messages both locally and over the network. Regardless of how a message comes into the syslogd daemon, it's routed according to the syslog.conf configuration. So you could put "*.notice @syslogcentral" into the syslog.conf of each of your clients and "*.notice /var/adm/centralized_messages" in the syslog.conf of syslogcentral and wamo bamo, you'd have a centralized syslog infrastructure!

One thing to note when editing /etc/syslog.conf: you can't use spaces between the selector and the destination, you must use tabs. Also, after changing the configuration, make sure that you restart syslogd; on Solaris 10 Update 1 or newer you'd use svcadm restart svc:/system/system-log:default
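To make the selector rules above concrete, here is a small Python model of how syslogd resolves a syslog.conf line. It is an added example, not code from this post or from Solaris: the configuration text, the "logserver" name and the file paths in it are constructed for the example, and the model accepts only one facility per selector (no comma-separated facility lists). It shows the "level includes everything more severe" rule, the "*" wildcard, the "none" trick for compound selectors, and the tab requirement, and it rejects a misspelled facility such as "deamon" the way syslogd would.

```python
"""Toy router for Solaris-style /etc/syslog.conf selectors (added example).

Models the rules described in the post: a selector is facility.level, a
level also matches every more severe level, '*' means every facility,
'none' drops a facility from a compound selector, and the selector must
be separated from its action by a tab. SAMPLE_CONF is constructed.
"""

# Solaris syslog levels, most severe first; the index is the severity rank.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facilities a syslog.conf may name (one per selector in this model).
FACILITIES = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
}

# Constructed configuration; note the literal tabs between selector and action.
SAMPLE_CONF = (
    "# constructed sample /etc/syslog.conf\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "mail.debug\t/var/adm/maillog\n"
    "auth.notice\t@logserver\n"
    "*.notice;auth.none\t/var/adm/everything_but_auth\n"
)


class ConfigError(ValueError):
    """Raised for a line syslogd would reject or silently misroute."""


def parse_conf(text):
    """Return [(selectors, action)], where selectors is [(facility, level)]."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        # syslogd needs a tab between selector and action; with spaces the
        # whole line is read as one malformed selector.
        if "\t" not in line:
            raise ConfigError(f"line {lineno}: selector and action must be tab-separated")
        selector_field, action = line.split("\t", 1)
        action = action.strip()
        if not action:
            raise ConfigError(f"line {lineno}: missing action")
        selectors = []
        for sel in selector_field.split(";"):
            if "." not in sel:
                raise ConfigError(f"line {lineno}: selector {sel!r} is not facility.level")
            fac, lvl = sel.split(".", 1)
            if fac != "*" and fac not in FACILITIES:
                raise ConfigError(f"line {lineno}: unknown facility {fac!r}")
            if lvl != "none" and lvl not in LEVELS:
                raise ConfigError(f"line {lineno}: unknown level {lvl!r}")
            selectors.append((fac, lvl))
        rules.append((selectors, action))
    return rules


def config_error(text):
    """Return the ConfigError message for text, or None if it parses cleanly."""
    try:
        parse_conf(text)
    except ConfigError as exc:
        return str(exc)
    return None


def effective_levels(selectors):
    """Least severe level accepted per facility for one compound selector.

    Entries apply left to right and a later entry overrides an earlier one
    for the same facility; that is what makes '*.notice;auth.none' mean
    'everything at notice or above, except auth'.
    """
    table = {}
    for fac, lvl in selectors:
        for f in (FACILITIES if fac == "*" else {fac}):
            table[f] = lvl
    return table


def selector_matches(selectors, facility, level):
    """True if a message with this facility and level passes the selector."""
    lvl = effective_levels(selectors).get(facility)
    if lvl is None or lvl == "none":
        return False
    # A lower index is more severe, so 'notice' also admits crit, err, ...
    return LEVELS.index(level) <= LEVELS.index(lvl)


def route(rules, facility, level):
    """List every action (file or @host) that receives the message."""
    return [action for selectors, action in rules
            if selector_matches(selectors, facility, level)]


def is_remote(action):
    """An action starting with '@' forwards to another syslogd over the network."""
    return action.startswith("@")


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, lvl in [("kern", "debug"), ("mail", "info"), ("auth", "warning"), ("daemon", "err")]:
        print(f"{fac}.{lvl:<8} -> {route(rules, fac, lvl)}")
```

Running it on the constructed config shows kern.debug landing only in /var/adm/messages, mail.info only in /var/adm/maillog, and auth.warning only at @logserver (the "auth.none" entry keeps it out of the catch-all file). Because entries override left to right, "kern.debug;*.err" is not the same as "*.err;kern.debug": in the first form the later "*.err" resets kern to err. The "@host" action in classic syslogd is plain UDP with no authentication, so a central collector should only be reachable from the hosts that are meant to feed it.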


