Syslog

1.0 Syslog

Syslog is a protocol for conveying event notification messages.

Syslog was first developed by Eric Allman in the 1980s as the logging facility of the Sendmail project. It soon became the de facto standard for logging on Unix-like systems. Syslog was formally described in RFC 3164, "The BSD syslog Protocol", in 2001, based on the behaviour of the implementations in use at that time. RFC 3164 was obsoleted by RFC 5424, "The Syslog Protocol", in March 2009.

2.0 Syslog components

There are four components: the syslog server, syslog content, the syslog application and the syslog transport.

2.1 Syslog server

A syslog server collects all the log messages for recording and further analysis.

2.2 Syslog content

Syslog content consists of the individual log messages. The message format matters because it is the interface between a syslog application and the syslog server; in effect, the message format is the syslog protocol.

2.3 Syslog application

A syslog application is any program that generates messages for logging. All syslog content originates from syslog applications.

2.4 Syslog transport

Syslog transport is the mechanism by which a syslog application sends log messages and the syslog server receives them. Messages may also pass through one or more relays on the way. At the protocol level the communication between a syslog application and the server is purely simplex: it always flows from the application to the server, and nothing flows back. An application therefore never learns whether a message was received; over UDP in particular, a dropped datagram is lost silently.

RFC 5424 requires every syslog implementation to support the TLS-based transport specified in RFC 5425, and recommends that the UDP-based transport of RFC 5426 also be supported for devices that cannot send encrypted messages. Port 514 is the registered UDP port on which a server listens for plain syslog, and port 6514 is the registered TCP port for syslog over TLS. The two are not equivalent from a security standpoint: plain UDP syslog offers no confidentiality, no integrity protection and no authentication of the sender, so anyone who can deliver a datagram to port 514 can inject messages carrying any host name and content they choose. TLS with certificate-based authentication of both ends closes that gap and should be used wherever the sending device supports it.

3.0 Syslog message format

RFC 5424 describes the format of the messages that applications send to the syslog server. A message consists of a header, a structured-data part and, optionally, a free-text message (MSG), separated by single spaces:

  HEADER SP STRUCTURED-DATA [SP MSG]

The header carries the priority value (PRI), which encodes facility and severity as facility * 8 + severity enclosed in angle brackets, followed by the protocol version (currently 1), a timestamp, the host name, the application name, a process id and a message id. Any header field other than PRI and VERSION whose value is unknown is written as the NILVALUE "-". The structured-data part is either "-" or one or more elements, each written in square brackets with an SD-ID and, optionally, several name="value" parameters; inside a parameter value the characters ", \ and ] are escaped with a backslash. The MSG part, when present, is either UTF-8 text introduced by a byte order mark or an arbitrary sequence of octets. Because RFC 5424 standardises this format, anyone building a syslog server can write it to accept RFC 5424 messages, and client library functions for syslog applications can be written to emit exactly that format. A server should treat every field as untrusted input: the host name and application name are simply whatever the sender chose to put there.
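The following parser is an added example, written for this page and not taken from the original text or from any syslog project. It splits a message along the RFC 5424 grammar just described: it decodes PRI into facility and severity, checks the version, cuts out the five remaining header fields, skips over the structured-data elements while honouring backslash escapes, and returns the remainder as MSG. Messages that violate the grammar, including a traditional RFC 3164 style line, are rejected rather than half-parsed. The sample message in main() is constructed in the style of the examples in RFC 5424 section 6.5 and is not a real capture. The parser modifies the caller's buffer in place (separators become NUL bytes) and returns pointers into it.

```c
#include <stdio.h>
#include <string.h>

/* Fields of one RFC 5424 message. Pointers point into the caller's buffer,
 * which parse_syslog5424 modifies in place (separators become NUL). */
struct syslog5424 {
    int facility;           /* PRIVAL / 8 */
    int severity;           /* PRIVAL % 8 */
    int version;            /* 1 for RFC 5424 */
    const char *timestamp;  /* "-" (NILVALUE) or an RFC 3339 timestamp */
    const char *hostname;
    const char *appname;
    const char *procid;
    const char *msgid;
    const char *sd;         /* "-" or one or more "[...]" elements */
    const char *msg;        /* NULL when the message has no MSG part */
};

/* Read 1..maxdigits ASCII digits as a non-negative integer; -1 on error. */
static int read_digits(char **p, int maxdigits)
{
    int n = 0, count = 0;
    while (**p >= '0' && **p <= '9') {
        if (++count > maxdigits)
            return -1;
        n = n * 10 + (**p - '0');
        (*p)++;
    }
    return count ? n : -1;
}

/* Cut the next SP-terminated token out of the buffer. Header tokens are
 * never empty, so two adjacent spaces are a grammar error. */
static char *next_token(char **p)
{
    char *start = *p;
    char *sp = strchr(start, ' ');
    if (sp == NULL || sp == start)
        return NULL;
    *sp = '\0';
    *p = sp + 1;
    return start;
}

/* Returns 0 on success, -1 if buf does not follow the RFC 5424 grammar. */
int parse_syslog5424(char *buf, struct syslog5424 *out)
{
    char *p = buf;
    int prival;

    memset(out, 0, sizeof *out);

    /* PRI: "<" 1..3 digits ">" with value 0..191 and no leading zero. */
    if (*p++ != '<')
        return -1;
    if (p[0] == '0' && p[1] != '>')
        return -1;
    prival = read_digits(&p, 3);
    if (prival < 0 || prival > 191 || *p++ != '>')
        return -1;
    out->facility = prival / 8;
    out->severity = prival % 8;

    /* VERSION: a non-zero digit followed by up to two more digits, then SP. */
    if (*p == '0')
        return -1;
    out->version = read_digits(&p, 3);
    if (out->version < 0 || *p++ != ' ')
        return -1;

    if (!(out->timestamp = next_token(&p))) return -1;
    if (!(out->hostname  = next_token(&p))) return -1;
    if (!(out->appname   = next_token(&p))) return -1;
    if (!(out->procid    = next_token(&p))) return -1;
    if (!(out->msgid     = next_token(&p))) return -1;

    /* STRUCTURED-DATA: NILVALUE or 1*SD-ELEMENT. Inside an element a
     * backslash escapes the following character, so "\]" does not end it. */
    out->sd = p;
    if (*p == '-') {
        p++;
    } else if (*p == '[') {
        while (*p == '[') {
            p++;
            while (*p != '\0' && *p != ']') {
                if (*p == '\\' && p[1] != '\0')
                    p++;
                p++;
            }
            if (*p != ']')
                return -1;   /* unterminated element */
            p++;
        }
    } else {
        return -1;
    }

    /* Either the message ends here, or SP introduces MSG (rest of buffer). */
    if (*p == '\0') {
        out->msg = NULL;
    } else if (*p == ' ') {
        *p = '\0';
        out->msg = p + 1;
    } else {
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample in the style of RFC 5424 section 6.5; not a real capture. */
    char line[] = "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
                  "[exampleSDID@32473 iut=\"3\" note=\"escaped \\] bracket\"] "
                  "An application event log entry";
    struct syslog5424 m;

    if (parse_syslog5424(line, &m) != 0) {
        fprintf(stderr, "malformed message\n");
        return 1;
    }
    printf("facility=%d severity=%d version=%d\nhost=%s app=%s procid=%s msgid=%s\nsd=%s\nmsg=%s\n",
           m.facility, m.severity, m.version, m.hostname, m.appname, m.procid, m.msgid,
           m.sd, m.msg ? m.msg : "(none)");
    return 0;
}
```

PRI 165 decodes to facility 20 (local4) and severity 5 (notice). A receiver that stops at this stage has validated only the framing; the timestamp, host name and SD parameters still need their own checks before they are trusted or used to build file paths.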

4.0 Syslog under Linux

Most GNU/Linux distributions ship rsyslog (the "rocket-fast system for log processing"), a relatively recent implementation of the syslog protocol. rsyslog receives local messages through the Unix domain socket /dev/log; on systemd-based systems systemd-journald usually owns that socket and forwards the messages on to rsyslog. rsyslog can also be configured to listen for messages from remote systems over UDP and TCP, and to secure the connection between remote applications and the server with TLS. rsyslogd is configured through /etc/rsyslog.conf, which on most distributions also includes the files under /etc/rsyslog.d/.
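As an added example (not taken from the original page or from the rsyslog project's documentation), the fragments below show the listeners described above side by side, with the weak one marked as such, plus the matching sender-side action. Host names, certificate paths and the peer pattern are placeholders that a real deployment would replace; the directives themselves are rsyslog's RainerScript syntax.

```conf
# Added example: /etc/rsyslog.conf fragments for a collector and a sender.
# Host names, certificate paths and the peer pattern are placeholders.

### Collector, weak listener: plain UDP on 514 for devices that cannot do TLS.
# No encryption, no integrity, no sender authentication: any host that can
# reach the port can inject messages with a forged HOSTNAME, and lost datagrams
# are never retransmitted. Limit the reachable sources with a firewall.
module(load="imudp")
input(type="imudp" port="514")

### Collector, preferred listener: TLS on 6514 (RFC 5425) with client certificates.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/collector-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/collector-key.pem"
)
# Mode 1 = TLS only. AuthMode x509/name = verify the client certificate against
# the CA and require its name to match PermittedPeer. AuthMode "anon" would
# encrypt the channel but accept any client; do not use it on a collector.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer="*.example.com")
input(type="imtcp" port="6514")

# Keep remote messages apart from local ones, one file per sending host.
# HOSTNAME comes from the message and is attacker-controlled on the UDP path;
# secpath-replace turns any "/" in it into "_" so it cannot steer the path.
template(name="RemoteByHost" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/syslog.log")
if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="RemoteByHost")
    stop
}

### Sender: forward everything to the collector over TLS in RFC 5424 format.
# The sender needs the same global() TLS settings with its own certificate and
# key, and verifies that the collector's certificate name matches.
*.* action(type="omfwd"
           Target="logs.example.com" Port="6514" Protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="logs.example.com"
           template="RSYSLOG_SyslogProtocol23Format")
```

The template named on the omfwd action selects rsyslog's built-in RFC 5424 output format; without it rsyslog forwards in its traditional RFC 3164 style format. Keeping the UDP listener at all is a trade-off: if it must exist, the firewall rule that restricts its sources is part of the configuration, not an afterthought.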

5.0 How to log messages to Syslog

There are four functions, declared in <syslog.h>, which can be used for logging to syslog.

  void openlog (const char *ident, int option, int facility);
  void syslog (int priority, const char *format, ...);
  void closelog (void);
  int setlogmask (int mask);

openlog opens a connection between the calling program and the syslog server. ident is an identifying string which is prepended to all subsequent messages logged with syslog calls. The implementation may store the pointer rather than a copy, so ident should point to a string constant or to storage that stays valid for the life of the program; if ident is NULL, the program name is used. option is an OR of zero or more of the following flags:

  • LOG_CONS: write directly to the system console if the message cannot be sent to the syslog server.
  • LOG_NDELAY: open the connection to the server immediately, rather than when the first message is logged.
  • LOG_ODELAY: the opposite of LOG_NDELAY; the connection is established only when the first syslog call is made. This is the default.
  • LOG_PERROR: also write the message to stderr.
  • LOG_PID: include the process id in each message.

facility specifies what type of program is logging the message. It can be one of LOG_AUTH, LOG_AUTHPRIV, LOG_CRON, LOG_DAEMON, LOG_FTP, LOG_KERN, LOG_LOCAL0 through LOG_LOCAL7, LOG_LPR, LOG_MAIL, LOG_NEWS, LOG_SYSLOG, LOG_USER and LOG_UUCP. LOG_USER is the default facility. LOG_KERN is reserved for kernel messages and cannot be generated by user processes. LOG_AUTHPRIV is intended for security and authorization messages that should not be visible to ordinary users; the daemon typically writes that facility to a separate, access-restricted file.

We write to syslog using the syslog function. The first parameter, priority, is the OR of a facility and one of the level values LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO and LOG_DEBUG; if no facility is ORed in, the one given to openlog is used. priority is followed by a printf-style format string and the arguments it refers to. If %m appears in the format, it is replaced by strerror(errno), the text for the current error number. The format string must be a constant under the program's control. Passing user-supplied text as the format, as in syslog(LOG_INFO, buf), hands an attacker the printf engine: a crafted value containing %s, %x or %n conversions can read the stack or write to memory. Always log untrusted data as an argument to a constant format such as "%s", and remember that the data itself, including any newline or control characters it contains, will be copied into the log.

setlogmask sets the log priority mask for the calling process and returns the previous mask; calling it with a mask of 0 returns the current mask without changing it. A message is passed to the syslog server only if the bit corresponding to its level is set in the mask. When a process starts, all the bits are set in its log mask. The macro LOG_MASK (p) yields the bit for the single level p, and LOG_UPTO (p) yields a mask that enables every level from LOG_EMERG down to and including p in the following list, which runs from most to least severe. The mask is a client-side filter applied before the message leaves the process; what the server does with the messages it receives is governed by its own configuration.

  • LOG_EMERG
  • LOG_ALERT
  • LOG_CRIT
  • LOG_ERR
  • LOG_WARNING
  • LOG_NOTICE
  • LOG_INFO
  • LOG_DEBUG
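The following program is an added example (not from the original page) that makes the mechanics of these functions visible: pri_value computes the PRI number a facility and level produce, which is the <n> that opens the message on the wire, and pri_facility_code and pri_level decode it again as a receiver does; mask_allows performs the same check syslog(3) makes against the mask set by setlogmask; and log_untrusted_login_failure shows the safe way to log attacker-controlled text, with a constant format string and control characters replaced so that a value containing a newline cannot forge an extra log line. LOG_MAKEPRI, LOG_FAC and LOG_PRI are macros from <syslog.h> on glibc and the BSDs. The user name in main is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* PRI as transmitted: facility code * 8 + level. On glibc and the BSDs the
 * LOG_* facility constants are already shifted left by 3, so ORing works. */
int pri_value(int facility, int level)
{
    return LOG_MAKEPRI(facility, level);
}

/* Decode the two halves of a PRI value, as a receiver does. */
int pri_facility_code(int pri) { return LOG_FAC(pri); }   /* 0..23 */
int pri_level(int pri)         { return LOG_PRI(pri); }   /* 0..7  */

/* The test syslog(3) applies before sending: is the bit for this message's
 * level set in the process mask? Facility bits in priority are ignored. */
int mask_allows(int mask, int priority)
{
    return (LOG_MASK(LOG_PRI(priority)) & mask) != 0;
}

/* Copy text destined for the log, replacing ASCII control characters
 * (CR, LF, ESC, ...) with '?'. Truncates to fit; returns the length written,
 * not counting the terminating NUL. */
size_t sanitize_for_log(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return 0;
    for (; *in != '\0' && n + 1 < outlen; in++) {
        unsigned char c = (unsigned char)*in;
        out[n++] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Log a failed login for a user name that arrived off the network.
 *
 * WRONG:  syslog(LOG_AUTHPRIV | LOG_WARNING, user);
 *         user becomes the format string; "%n" inside it writes to memory.
 * RIGHT:  constant format, sanitized data passed as the %s argument. */
void log_untrusted_login_failure(const char *user)
{
    char clean[128];
    sanitize_for_log(user, clean, sizeof clean);
    syslog(LOG_AUTHPRIV | LOG_WARNING, "login failed for user %s", clean);
}

int main(void)
{
    /* Constructed sample: a "user name" carrying a newline and a fake log line. */
    const char *attacker = "alice\nJan 28 19:15:00 bagpipe sshd[1]: Accepted password for root";
    char shown[128];
    int pri = pri_value(LOG_USER, LOG_INFO);

    printf("LOG_USER|LOG_INFO -> <%d>, facility code %d, level %d\n",
           pri, pri_facility_code(pri), pri_level(pri));
    printf("LOG_UPTO(LOG_NOTICE) admits LOG_INFO: %d, LOG_NOTICE: %d\n",
           mask_allows(LOG_UPTO(LOG_NOTICE), LOG_USER | LOG_INFO),
           mask_allows(LOG_UPTO(LOG_NOTICE), LOG_USER | LOG_NOTICE));

    sanitize_for_log(attacker, shown, sizeof shown);
    printf("sanitized: %s\n", shown);

    openlog("login_demo", LOG_PID, LOG_AUTHPRIV);
    log_untrusted_login_failure(attacker);
    closelog();
    return 0;
}
```

The sanitizer is deliberately blunt: a '?' in the log is a visible trace that something was removed, whereas silently passing a newline through would let the injected text appear as a separate, authentic-looking line. rsyslog escapes control characters on receipt by default, but an application should not depend on which daemon, or which daemon settings, sit at the other end of /dev/log.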

6.0 Example: Writing to syslog

Using the above functions, we can log messages in the syslog.

  #include <stdio.h>
  #include <stdlib.h>
  #include <syslog.h>

  int main (void)
  {
      /* A string constant: openlog may keep the pointer rather than a copy. */
      const char * const ident = "write_log (testing)";

      /* Fall back to the console on error and tag every message with our PID. */
      openlog (ident, LOG_CONS | LOG_PID, LOG_USER);

      syslog (LOG_USER | LOG_INFO, "%s", "She sells C shells by the seashore");

      /* Drop everything less severe than LOG_NOTICE; remember the old mask. */
      int old_mask = setlogmask (LOG_UPTO (LOG_NOTICE));

      /* Filtered out by the mask: LOG_INFO is less severe than LOG_NOTICE. */
      syslog (LOG_USER | LOG_INFO, "%s", "She is also selling B shells at the seashore");

      /* Passes the mask. */
      syslog (LOG_USER | LOG_NOTICE, "%s", "Shells available at big discounts at seashore!");

      setlogmask (old_mask);
      closelog ();
      exit (0);
  }

The above program logs the following messages in /var/log/syslog (on some distributions, such as Fedora and RHEL, the file is /var/log/messages). After the log mask is set to LOG_UPTO (LOG_NOTICE), the next informational message is dropped, while the final notice is logged. Note that the lines in the file are in rsyslog's traditional output format, which resembles RFC 3164 rather than the RFC 5424 wire format: a timestamp without a year, the host name, the ident with the PID in brackets, and the message. A small excerpt of the log, showing the output of the above program, is given below.

  ...
  Jan 28 19:15:00 bagpipe write_log (testing)[13816]: She sells C shells by the seashore
  Jan 28 19:15:00 bagpipe write_log (testing)[13816]: Shells available at big discounts at seashore!
  ...
