Syslog woes

Hugh Brown hugh at math.byu.edu
Thu Dec 14 21:38:50 MST 2006

Daniel Webb wrote:
> On Wed, Dec 13, 2006 at 06:05:47PM -0700, David L. Anselmi wrote:
>>> *.*;auth,authpriv.none;mail.error       -/var/log/syslog
>>> 1) What am I missing here?
>> Try mail.none rather than mail.error.
> But I still want mail messages with error and worse to show up in syslog.
> From my reading of man 5 syslog.conf there is a bug in syslog, but every time
> I think that about one of the more complex old-time Unix services I end up
> filing what turns out to be a frivolous bug report which gets embarrassing
> after a while.   :<
> Specifically, from man 5 syslog.conf:
> ----
>  Multiple  selectors  may be specified for a single action using the semicolon
> (``;'') separator.  Remember that each selector in the selector field is
> capable to overwrite the preceding ones.  Using this behavior you can exclude
> some priorities from the pattern.
> ----
> So shouldn't the last "mail.error" override the previous settings for mail?

I'm not an expert by any stretch.  Based on my reading of the man page, 
you'd need to exclude and then include.

So *.* implicitly says log all mail.* to /var/log/syslog.  The semi-colon 
says "if negation follows, give it precedence."  Negation seems to be 
done via "none" as the priority or !<priority>. So as far as mail is 
concerned, you've told it


which seems to be, log all mail and log mail at error or higher.

I just tested this line (on a debian sarge box):

*.*;auth,authpriv.none;mail.none;mail.error       -/var/log/syslog

and then used

logger -p mail.err "test of mail.err"
logger -p mail.info "test of mail.info"

The first went to /var/log/syslog, the second didn't.

You could probably shorten it to:

*.*;auth,authpriv,mail.none;mail.err    -/var/log/syslog
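
The result of the test above can be reproduced with a small model of selector evaluation. This is an added example, not part of the original post and not sysklogd's own code; it assumes that a plain selector adds priorities to a per-facility set and that only "none" or "!" removes them, which is consistent with the logger test reported in the message.

```python
# Simplified model of syslog.conf selector evaluation (an assumption-based
# sketch, not sysklogd source). Only the selector field is parsed, not the action.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
ALL = set(range(len(PRIORITIES)))

def level(name):
    """Numeric severity: 0 is emerg (most severe), 7 is debug."""
    return PRIORITIES.index(ALIASES.get(name, name))

def compile_selectors(field):
    """Return {facility: set of logged priority levels} for one selector field."""
    mask = {f: set() for f in FACILITIES}
    for selector in field.split(";"):
        facs, prio = selector.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else facs.split(",")
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "none":
            chosen, negate = ALL, not negate
        elif prio == "*":
            chosen = ALL
        elif exact:
            chosen = {level(prio)}
        else:
            chosen = set(range(level(prio) + 1))  # this priority and more severe
        for fac in targets:
            # A later selector adds or removes levels; it never replaces the set.
            mask[fac] = mask[fac] - chosen if negate else mask[fac] | chosen
    return mask

def is_logged(field, facility, priority):
    return level(priority) in compile_selectors(field)[facility]

# Selector fields taken from the thread.
ORIGINAL = "*.*;auth,authpriv.none;mail.error"
TESTED = "*.*;auth,authpriv.none;mail.none;mail.error"
SHORTENED = "*.*;auth,authpriv,mail.none;mail.err"

if __name__ == "__main__":
    for name, field in [("original", ORIGINAL), ("tested", TESTED), ("shortened", SHORTENED)]:
        print(name, {p: is_logged(field, "mail", p) for p in ("err", "info")})
```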


