syslogd
Receive and log system messages
SYNOPSIS
syslogd [options]
PARAMETERS
-d
Debug mode.
Runs the daemon in the foreground and prints debug messages to standard output. Useful for troubleshooting configuration.
-f configfile
Configuration file.
Specifies an alternative configuration file to use instead of the default, which is usually /etc/syslog.conf.
-m interval
Mark interval.
Sets the interval, in minutes, between mark messages. These messages are logged at LOG_INFO priority to show that the syslog daemon is still alive. The default is 20 minutes.
-p socket
Socket path.
Specifies an alternate path for the UNIX domain socket that syslogd listens on for local messages. Default is usually /dev/log.
-r
Receive remote messages.
Enables receiving log messages from remote hosts via UDP port 514. This option is often disabled by default for security reasons.
-s domains
DNS lookup exclusion.
Specifies a comma-separated list of domain names for which syslogd will not perform DNS lookups when processing remote messages. This can speed up processing and prevent DNS-related issues.
-v
Version information.
Prints the version of syslogd and exits.
DESCRIPTION
syslogd is the traditional Unix and Linux system logging daemon. Its primary function is to collect log messages generated by various system processes, applications, and kernel components. It operates by listening for log messages on a UNIX domain socket (typically /dev/log) and optionally on a UDP port (port 514) for remote messages. Based on rules defined in its configuration file (historically /etc/syslog.conf), syslogd filters these messages by facility (e.g., mail, kern, auth) and priority (e.g., info, warning, crit). It then directs them to specified destinations, which can include local log files (like /var/log/messages, /var/log/auth.log), the console, user terminals, or even other remote syslog servers. While foundational, syslogd has largely been superseded by more advanced and feature-rich logging systems like rsyslogd and syslog-ng in modern Linux distributions.
CAVEATS
Obsolete in Modern Distributions:
The traditional syslogd has been largely replaced by more robust and feature-rich alternatives like rsyslogd and syslog-ng in most contemporary Linux distributions. These newer daemons offer better performance, security features (e.g., TLS encryption), and more flexible configuration options.
Security Concerns:
The original syslogd, especially when configured to receive remote messages without encryption, is susceptible to spoofing of log sources and tampering with log data, because messages are typically sent over UDP in plain text.
Limited Features:
It lacks advanced features present in newer log managers, such as message queuing, database integration, or complex filtering rules beyond basic facility/priority.
CONFIGURATION FILE
The primary configuration for syslogd is found in /etc/syslog.conf. This file defines "selectors" (combinations of facilities and priorities) and "actions" (where messages matching the selector should be sent).
LOG DESTINATIONS
syslogd can direct logs to various destinations:
• Local files (e.g., /var/log/messages, /var/log/mail.log)
• Named pipes
• User terminals or consoles
• Remote syslog servers
• Executing programs (less common with traditional syslogd)
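The selector and action semantics from the CONFIGURATION FILE and LOG DESTINATIONS sections, worked through in code. This is an added example, not part of syslogd or its documentation; the syslog.conf text is constructed, and the routing follows the classic BSD rule that a selector matches the named priority and every more severe one, with "*" as a wildcard and "none" excluding a facility.

```python
import re

# Facility codes 0-23 as used in the RFC 3164 <PRI> field (12-15 are reserved).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "", "", "", "", "local0",
              "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity codes 0-7, most severe first: a lower index means more severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample syslog.conf (not taken from any real system).
SAMPLE_CONF = """
# info and above from everything except mail and authpriv goes to the main log
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/auth.log
mail.*                           -/var/log/mail.log
kern.crit                        @loghost
*.emerg                          *
"""

def decode_pri(pri):
    """Split an RFC 3164 <PRI> value: PRI = facility * 8 + severity."""
    return FACILITIES[pri >> 3], PRIORITIES[pri & 7]

def parse_config(text):
    """Return a list of (wanted, action); wanted maps facility -> least severe
    priority index still accepted, or None when the facility is excluded."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        wanted = {}
        for sel in selectors.split(";"):  # later selectors override earlier ones
            facs, prio = sel.rsplit(".", 1)
            for fac in facs.split(","):
                for f in (FACILITIES if fac == "*" else [fac]):
                    if not f:
                        continue
                    wanted[f] = (None if prio == "none" else
                                 PRIORITIES.index("debug" if prio == "*" else prio))
        rules.append((wanted, action))
    return rules

def route(rules, facility, priority):
    """Return the actions a message with this facility and priority reaches."""
    sev = PRIORITIES.index(priority)
    return [action for wanted, action in rules
            if wanted.get(facility) is not None and sev <= wanted[facility]]
```

Note that mail.none on the first line keeps mail traffic out of /var/log/messages even though *.info would otherwise accept it; the order of selectors within a line matters.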
HISTORY
The syslogd daemon originated in the early days of Unix and was a fundamental component for centralized logging. It was introduced as part of the Berkeley Software Distribution (BSD) to standardize how system and application messages were recorded. Its configuration file format, based on facilities and priorities, became a de-facto standard. Over time, as systems grew more complex and security concerns increased, the limitations of the original syslogd became apparent. This led to the development of more advanced logging solutions like syslog-ng (System Logger Next Generation) and rsyslogd (Rocket-fast SYStem LOGger), which aimed to address performance, security, and flexibility shortcomings. While the concept of syslog remains, the specific syslogd implementation has been largely superseded.