linuxhelp gcc syslog

Go to the first, previous, next, last section, table of contents.

SyslogThis chapter describes facilities for issuing and logging messages of system administration interest. This chapter has nothing to do with programs issuing messages to theirown users or keeping private logs (One would typically do that with the facilities described in section Input/Output on Streams).

Most systems have a facility called "Syslog" that allows programs to submit messages of interest to system administrators and can be configured to pass these messages onin various ways, such as printing on the console, mailing to a particular person, or recording in a log file for future reference.

A program uses the facilities in this chapter to submit such messages.

Overview of SyslogSystem administrators have to deal with lots of different kinds of messages from a plethora of subsystems within each system, and usually lots of systems as well. Forexample, an FTP server might report every connection it gets. The kernel might report hardware failures on a disk drive. A DNS server might report usage statistics at regularintervals.

Some of these messages need to be brought to a system administrator's attention immediately. And it may not be just any system administrator -- there may be a particularsystem administrator who deals with a particular kind of message. Other messages just need to be recorded for future reference if there is a problem. Still others may need tohave information extracted from them by an automated process that generates monthly reports.

To deal with these messages, most Unix systems have a facility called "Syslog." It is generally based on a daemon called "Syslogd" Syslogd listens for messages on a Unixdomain socket named ` /dev/log'. Based on classification information in the messages and its configuration file (usually ` /etc/syslog.conf'), Syslogd routes them invarious ways. Some of the popular routings are:

Write to the system consoleMail to a specific userWrite to a log filePass to another daemonDiscard

Syslogd can also handle messages from other systems. It listens on the syslog UDP port as well as the local socket for messages.

Syslog can handle messages from the kernel itself. But the kernel doesn't write to ` /dev/log'; rather, another daemon (sometimes called "Klogd") extracts messages fromthe kernel and passes them on to Syslog as any other process would (and it properly identifies them as messages from the kernel).

Syslog can even handle messages that the kernel issued before Syslogd or Klogd was running. A Linux kernel, for example, stores startup messages in a kernel messagering and they are normally still there when Klogd later starts up. Assuming Syslogd is running by the time Klogd starts, Klogd then passes everything in the message ring to it.

In order to classify messages for disposition, Syslog requires any process that submits a message to it to provide two pieces of classification information with it:

facilityThis identifies who submitted the message. There are a small number of facilities defined. The kernel, the mail subsystem, and an FTP server are examples ofrecognized facilities. For the complete list, See section syslog, vsyslog. Keep in mind that these are essentially arbitrary classifications. "Mail subsystem" doesn't haveany more meaning than the system administrator gives to it.

priorityThis tells how important the content of the message is. Examples of defined priority values are: debug, informational, warning, critical. For the complete list, See sectionsyslog, vsyslog. Except for the fact that the priorities have a defined order, the meaning of each of these priorities is entirely determined by the system administrator.

A "facility/priority" is a number that indicates both the facility and the priority.

Warning: This terminology is not universal. Some people use "level" to refer to the priority and "priority" to refer to the combination of facility and priority. A Linux kernel has aconcept of a message "level," which corresponds both to a Syslog priority and to a Syslog facility/priority (It can be both because the facility code for the kernel is zero, and thatmakes priority and facility/priority the same value).

The GNU C library provides functions to submit messages to Syslog. They do it by writing to the ` /dev/log' socket. See section Submitting Syslog Messages.

The GNU C library functions only work to submit messages to the Syslog facility on the same system. To submit a message to the Syslog facility on another system, use thesocket I/O functions to write a UDP datagram to the syslog UDP port on that system. See section Sockets.

Submitting Syslog MessagesThe GNU C library provides functions to submit messages to the Syslog facility:

These functions only work to submit messages to the Syslog facility on the same system. To submit a message to the Syslog facility on another system, use the socket I/Ofunctions to write a UDP datagram to the syslog UDP port on that system. See section Sockets.

openlog

The symbols referred to in this section are declared in the file ` syslog.h'.

Function: void openlog (char *ident, int option,int facility)

openlog opens or reopens a connection to Syslog in preparation for submitting messages.

ident is an arbitrary identification string which future syslog invocations will prefix to each message. This is intended to identify the source of the message, and peopleconventionally set it to the name of the program that will submit the messages.

openlog may or may not open the ` /dev/log' socket, depending on option. If it does, it tries to open it and connect it as a stream socket. If that doesn't work, it tries toopen it and connect it as a datagram socket. The socket has the "Close on Exec" attribute, so the kernel will close it if the process performs an exec.

You don't have to use openlog. If you call syslog without having called openlog, syslog just opens the connection implicitly and uses defaults for the information inident and options.

converted by Web2PDFConvert.com

options is a bit string, with the bits as defined by the following single bit masks:

LOG_PERRORIf on, openlog sets up the connection so that any syslog on this connection writes its message to the calling process' Standard Error stream in addition tosubmitting it to Syslog. If off, syslog does not write the message to Standard Error.

LOG_CONSIf on, openlog sets up the connection so that a syslog on this connection that fails to submit a message to Syslog writes the message instead to systemconsole. If off, syslog does not write to the system console (but of course Syslog may write messages it receives to the console).

LOG_PIDWhen on, openlog sets up the connection so that a syslog on this connection inserts the calling process' Process ID (PID) into the message. When off,openlog does not insert the PID.

LOG_NDELAYWhen on, openlog opens and connects the ` /dev/log' socket. When off, a future syslog call must open and connect the socket. Portability note: In earlysystems, the sense of this bit was exactly the opposite.

LOG_ODELAYThis bit does nothing. It exists for backward compatibility.

If any other bit in options is on, the result is undefined.

facility is the default facility code for this connection. A syslog on this connection that specifies default facility causes this facility to be associated with the message.See syslog for possible values. A value of zero means the default default, which is LOG_USER.

If a Syslog connection is already open when you call openlog, openlog "reopens" the connection. Reopening is like opening except that if you specify zero for thedefault facility code, the default facility code simply remains unchanged and if you specify LOG_NDELAY and the socket is already open and connected, openlog justleaves it that way.

syslog, vsyslog


Function: void syslog (int facility_priority, char *format, ...)

syslog submits a message to the Syslog facility. It does this by writing to the Unix domain socket /dev/log.

syslog submits the message with the facility and priority indicated by facility_priority. The macro LOG_MAKEPRI generates a facility/priority from a facility and a priority,as in the following example:

LOG_MAKEPRI(LOG_USER, LOG_WARNING)

The possible values for the facility code are (macros):

LOG_USERA miscellaneous user process

LOG_MAILMail

LOG_DAEMONA miscellaneous system daemon

LOG_AUTHSecurity (authorization)

LOG_SYSLOGSyslog

LOG_LPRCentral printer

LOG_NEWSNetwork news (e.g. Usenet)

LOG_UUCPUUCP

LOG_CRONCron and At

LOG_AUTHPRIVPrivate security (authorization)

LOG_FTPFtp server

LOG_LOCAL0Locally defined








Results are undefined if the facility code is anything else.

note: syslog recognizes one other facility code: that of the kernel. But you can't specify that facility code with these functions. If you try, it looks the same to syslog as ifyou are requesting the default facility. But you wouldn't want to anyway, because any program that uses the GNU C library is not the kernel.

You can use just a priority code as facility_priority. In that case, syslog assumes the default facility established when the Syslog connection was opened. See sectionSyslog Example.

The possible values for the priority code are (macros):

LOG_EMERGThe message says the system is unusable.

LOG_ALERT


Action on the message must be taken immediately.LOG_CRIT

The message states a critical condition.LOG_ERR

The message describes an error.LOG_WARNING

The message is a warning.LOG_NOTICE

The message describes a normal but important event.LOG_INFO

The message is purely informational.LOG_DEBUG

The message is only for debugging purposes.

Results are undefined if the priority code is anything else.

If the process does not presently have a Syslog connection open (i.e. it did not call openlog), syslog implicitly opens the connection the same as openlog would, withthe following defaults for information that would otherwise be included in an openlog call: The default identification string is the program name. The default defaultfacility is LOG_USER. The default for all the connection options in options is as if those bits were off. syslog leaves the Syslog connection open.

If the ` dev/log' socket is not open and connected, syslog opens and connects it, the same as openlog with the LOG_NDELAY option would.

syslog leaves ` /dev/log' open and connected unless its attempt to send the message failed, in which case syslog closes it (with the hope that a future implicitopen will restore the Syslog connection to a usable state).

Example:

#include syslog (LOG_MAKEPRI(LOG_LOCAL1, LOG_ERROR), "Unable to make network connection to %s. Error=%m", host);

Function: void vsyslog (int facility_priority, char *format, va_list arglist)

This is functionally identical to syslog, with the BSD style variable length argument.

closelog


Function: void closelog (void)

closelog closes the current Syslog connection, if there is one. This include closing the ` dev/log' socket, if it is open.

There is very little reason to use this function. It does not flush any buffers; you can reopen a Syslog connection without closing it first; The connection gets closedautomatically on exec or exit. closelog has primarily aesthetic value.

setlogmask


Function: int setlogmask (int mask)

setlogmask sets a mask (the "logmask") that determines which future syslog calls shall be ignored. If a program has not called setlogmask, syslog doesn't ignoreany calls. You can use setlogmask to specify that messages of particular priorities shall be ignored in the future.

A setlogmask call overrides any previous setlogmask call.

Note that the logmask exists entirely independently of opening and closing of Syslog connections.

Setting the logmask has a similar effect to, but is not the same as, configuring Syslog. The Syslog configuration may cause Syslog to discard certain messages itreceives, but the logmask causes certain messages never to get submitted to Syslog in the first place.

mask is a bit string with one bit corresponding to each of the possible message priorities. If the bit is on, syslog handles messages of that priority normally. If it is off,syslog discards messages of that priority. Use the message priority macros described in section syslog, vsyslog and the LOG_MASK to construct an appropriate maskvalue, as in this example:

LOG_MASK(LOG_EMERG) | LOG_MASK(LOG_ERROR)

or

~(LOG_MASK(LOG_INFO))

There is also a LOG_UPTO macro, which generates a mask with the bits on for a certain priority and all priorities above it:

LOG_UPTO(LOG_ERROR)

The unfortunate naming of the macro is due to the fact that internally, higher numbers are used for lower message priorities.

Syslog Example

Here is an example of openlog, syslog, and closelog:

This example sets the logmask so that debug and informational messages get discarded without ever reaching Syslog. So the second syslog in the example does nothing.

#include

setlogmask (LOG_UPTO (LOG_NOTICE));

openlog ("exampleprog", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1);

syslog (LOG_NOTICE, "Program started by User %d", getuid ());syslog (LOG_INFO, "A tree falls in a forest");

closelog ();


Documents

linuxhelp gcc syslog