Blog Archive

Thursday, 26 August 2004

How to configure syslog.conf & customize syslog routing

Have you ever seen a message in /var/adm/syslog/syslog.log and wished that something special could be done when it occurs? The messages in the syslog.log file are written by the syslogd(1m) daemon. Syslogd is started at boot and can be configured to handle messages differently.

Syslogd reads and logs messages into a set of files described by the configuration file /etc/syslog.conf. The syslog.conf file can be configured by the system administrator to do special handling for messages. Messages can be routed to a logfile, to another host, to the terminals of specified users, or to all users.

Messages are identified by facility and level. If special handling is desired for a message that is already being routed to syslog, the facility and level of the message must be identified. This can be accomplished by running syslogd in debug mode.

Run syslogd in debug mode by killing the running syslogd daemon and starting it with /usr/sbin/syslogd -d. This results in a continuous scrolling display on the terminal syslogd was just started from.

Look at the "pri" field in the output that scrolls to the screen. The value is printed in octal, so the first character is the facility and the second is the level. The file /usr/include/syslog.h contains the translations for the fields.

Let's say the following syslogd debug output shows the message in question.

got a message (1, 0x8)
logmsg: pri 47, flags 0, from nitro, msg Apr 10 09:56:55 : LOGIN: pam_authenticate error
readfds = 0x68 0x3 0x5 0x6

The facility is 4, so it corresponds to the following line in /usr/include/syslog.h:

#define LOG_AUTH (4<<3)

The level is 7, which /usr/include/syslog.h defines as LOG_DEBUG, so the selector for this message is "auth.debug". Lines such as the following in /etc/syslog.conf send matching messages to a separate file and to syslog.log:

auth.debug /var/adm/authrequests.log
auth.debug /var/adm/syslog/syslog.log

Now, just have syslogd reread its configuration file to put the changes into effect. Use the following command:

kill -HUP `cat /var/run/syslog.pid`

NOTE: The fields are separated by tabs, not spaces. If spaces are used, the entry will not work.

The logger(1) command can be useful for testing the modifications.

The following example shows how to direct messages to a file other than syslog.log.

First, add "user.none" to the line in syslog.conf that directs messages to syslog.log. This prevents any messages with facility "user" from being written to syslog.log.

*.info;mail.none;user.none /var/adm/syslog/syslog.log

Second, add a line to syslog.conf to send the messages to another file. This "user.info" line causes all facility "user" messages with a level greater than or equal to "info" to be logged to syslog.notice. The only level lower than info is debug.

user.info /var/adm/syslog/syslog.notice
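As an added example (not code from the original post), the following Python models how syslogd evaluates the selectors discussed above: it decodes the octal "pri" value from the debug output, parses tab-separated syslog.conf lines and rejects space-separated ones, and reports which files receive a given message. The facility and level codes are the standard values from syslog.h; the sample configuration is constructed from the entries in this post.

```python
# Facility and level codes from <syslog.h>: pri = (facility << 3) | level.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9}
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
          "notice": 5, "info": 6, "debug": 7}
FAC_NAMES = {v: k for k, v in FACILITIES.items()}
LVL_NAMES = {v: k for k, v in LEVELS.items()}

# Constructed syslog.conf built from the entries discussed in the post.
# Fields are tab-separated, which is what syslogd requires.
SAMPLE_CONF = (
    "*.info;mail.none;user.none\t/var/adm/syslog/syslog.log\n"
    "auth.debug\t/var/adm/authrequests.log\n"
    "user.info\t/var/adm/syslog/syslog.notice\n"
)

def decode_pri(pri_octal):
    """Turn the octal 'pri' printed by syslogd -d into (facility, level) names."""
    pri = int(pri_octal, 8)
    return FAC_NAMES[pri >> 3], LVL_NAMES[pri & 7]

def parse_conf(text):
    """Parse syslog.conf into [(pmask, action)]; pmask maps facility -> max level."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "\t" not in line:  # space-separated fields are the classic mistake
            raise ValueError("selector and action must be tab-separated: %r" % line)
        selector, action = line.split("\t", 1)
        pmask = {}
        for item in selector.split(";"):
            facs, level = item.rsplit(".", 1)
            for fac in facs.split(","):
                for f in (FACILITIES if fac == "*" else [fac]):
                    # "none" drops the facility; a later item overrides an earlier one
                    pmask[f] = None if level == "none" else LEVELS[level]
        rules.append((pmask, action.strip()))
    return rules

def route(rules, facility, level):
    """Return the actions that receive a message of this facility and level."""
    lvl = LEVELS[level]
    return [action for pmask, action in rules
            if pmask.get(facility) is not None and lvl <= pmask[facility]]

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    fac, lvl = decode_pri("47")  # the LOGIN message from the debug output
    print(fac, lvl, "->", route(rules, fac, lvl))
```

Running it shows the pam_authenticate message landing only in /var/adm/authrequests.log, since "*.info" excludes debug-level messages from syslog.log.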