Linux Fundamentals - Understanding syslog (system log) daemon

Syslogd, rsyslogd, and syslog-ng are syslog daemons, or system log daemons. syslogd is the legacy syslog daemon; rsyslogd and syslog-ng are newer syslog daemons with enhancements over syslogd. On some Linux distributions the journal is used instead of syslog to handle the logging of events.

Which daemon is being used

The ps command can be used to determine if your system is using syslogd, rsyslogd or syslog-ng. In this example, rsyslogd is being used.

~]# ps -ef | grep -i syslog
root      1287     1  0 Aug17 ?        00:13:30 /usr/sbin/rsyslogd -n


conf file location

The find command can be used to determine the location of the conf file.

~]# find /etc/ | grep -i rsyslog.conf


When a service has an event or message it would like to log to a log file, the service needs a way of knowing which file the message should be written to. Syslog is used to determine the file a message should be written to. The format of each rule in the /etc/syslog.conf or /etc/rsyslog.conf file is facility.priority action. For example, the syslog.conf file may contain the line mail.* /var/log/maillog, where mail is the facility, * is the priority, and /var/log/maillog is the action.

mail.*    /var/log/maillog


Following is a typical syslog.conf file. When two or more facilities are used, the facilities are separated by a comma. When two or more priorities are used, the priorities are separated by a semi-colon.

In this example, kern (kernel) events at any priority are sent to /dev/console. If /dev/console is set to /dev/tty1, then all kernel events will appear on /dev/tty1.

Also in this example, any type of event at level emergency will be displayed on every TTY and PTS virtual console.

*.info;mail.none;authpriv.none;cron.none  /var/log/messages
*.emerg                                   *
kern.*                                    /dev/console
authpriv.*                                /var/log/secure
mail.*                                    /var/log/maillog
cron.*                                    /var/log/cron
local7.*                                  /var/log/boot.log
uucp,news.crit                            /var/log/spooler


  • Line 1 logs anything at level info or higher to /var/log/messages, except mail, authpriv, and cron events.
  • Line 2 sends emergency events to everyone logged in
  • Line 3 logs kernel events for any priority to /dev/console
  • Line 4 logs security and authorization events for any priority to /var/log/secure
  • Line 5 logs mail events for any priority to /var/log/maillog
  • Line 6 logs cron events for any priority to /var/log/cron
  • Line 7 logs boot events for any priority to /var/log/boot.log
  • Line 8 logs Unix to Unix copy program (uucp) and news events at level critical or higher to /var/log/spooler


Following are common facilities:

  • authpriv: security and authorization messages
  • cron: cron daemon messages
  • daemon: various system daemon messages, typically used for services that do not have a facility, such as DHCP, DNS, and NTP, just to name a few
  • kern: kernel messages
  • lpr: printing messages
  • mail: mail system messages
  • news: news daemon messages
  • syslog: syslog messages
  • user: user level messages
  • uucp: Unix to Unix copy program daemon messages
  • local0 through local7: locally defined application messages
  • *: every facility

Following are common priorities, from lowest to highest.

  • debug: debugging information (lowest priority)
  • info: information
  • notice: noteworthy, but not necessarily indicative of a problem
  • warning: implies a possible problem
  • err: error message
  • crit: critical problem
  • alert: very critical problem (higher priority than crit)
  • emerg: emergency message (highest priority)
  • *: every priority


Typically, the action will be the absolute path to a file. However, the action can also be the * character. The * character will send a text message to the terminal of all users logged into the machine. The * character is typically only used for emergency messages.

*.emerg      *


When a service has an event or message it would like to log to a log file, the service gives the message one of the priorities. Syslog matches messages at or above the priority named in the selector. For example, uucp and news messages at crit and above will be written to /var/log/spooler. This means that uucp and news messages at err and below will not be written to /var/log/spooler. Instead, uucp and news messages at err and below (down to info) will be written to /var/log/messages by the *.info rule.

uucp,news.crit    /var/log/spooler


If an equal sign is used, only messages at the priority will be written to the specified log file. For example, you could log critical mail messages to /var/log/maillog_critical.

mail.=crit    /var/log/maillog_critical


An exclamation point reverses at or above to below. For example, you could write cron messages below err to /var/log/cron_low_priority.

cron.!err   /var/log/cron_low_priority
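As an added example (not code from the page), the following Python evaluator models the selector rules described above: at-or-above matching, the = and ! forms, none, comma-separated facilities and semicolon-separated selectors. It assumes the traditional syslogd convention that a later selector on the same line overrides an earlier one for the facilities it names, and the configuration lines are constructed from this page's examples.

```python
# Added example: compute which actions a (facility, priority) message reaches.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def parse_rule(line):
    selector, action = line.split()            # 'facility.priority  action'
    parts = []
    for sel in selector.split(";"):            # semicolon separates selectors
        facs, pri = sel.split(".")
        op = "atleast"                          # default: this priority or higher
        if pri.startswith("="):                 # '=' : exactly this priority
            op, pri = "equal", pri[1:]
        elif pri.startswith("!"):               # '!' : strictly below this priority
            op, pri = "below", pri[1:]
        parts.append((facs.split(","), op, pri))   # comma separates facilities
    return parts, action

def selector_matches(facs, op, pri, facility, priority):
    if "*" not in facs and facility not in facs:
        return None                             # selector says nothing about facility
    if pri in ("none", "*"):                    # 'none' discards, '*' takes everything
        return pri == "*"
    level, ref = PRIORITIES.index(priority), PRIORITIES.index(pri)
    if op == "equal":
        return level == ref
    if op == "below":
        return level < ref
    return level >= ref

def route(conf_lines, facility, priority):
    actions = []                                # actions in configuration order
    for line in conf_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts, action = parse_rule(line)
        verdict = None
        for facs, op, pri in parts:
            m = selector_matches(facs, op, pri, facility, priority)
            if m is not None:                   # later selector overrides earlier one
                verdict = m
        if verdict:
            actions.append(action)
    return actions

EXAMPLE_CONF = """*.info;mail.none;authpriv.none;cron.none  /var/log/messages
*.emerg  *
mail.*  /var/log/maillog
uucp,news.crit  /var/log/spooler
mail.=crit  /var/log/maillog_critical
cron.!err  /var/log/cron_low_priority""".splitlines()  # constructed from this page's rules
```

Calling route(EXAMPLE_CONF, "uucp", "err") returns only /var/log/messages, while "crit" adds /var/log/spooler, which is the at-or-above behaviour the text describes.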


The @ character can be used to write log events to a remote machine. For example, you could write cron messages to a machine with DNS name



If you make a change to the syslog or rsyslog configuration file, you will have to restart the daemon for the change to take effect. The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to restart syslog.

systemctl restart syslog


If your system is using init, use the service command to restart syslog.

service syslog restart

