The minimum for syslog configurations should be to log (nearly) everything

July 17, 2021

I have some opinions on how the venerable Unix syslog should be set up, but a very strong one of them is that (nearly) every syslog message should be logged somewhere. I consider this a minimum standard for vendor and distribution supplied syslog.conf files. The 'nearly' is that although syslog priorities don't mean much these days, I think a Unix is reasonably justified in not syslog'ing the debug priority for most facilities. However, a stock syslog.conf should definitely log each of the syslog facilities supported by its syslog to somewhere.

(POSIX's syslog.h defines seventeen facilities. Actual Unixes define more; Linux syslog(3) and OpenBSD have 20, while FreeBSD has 23.)

This should also be something you preserve in any local versions or modifications to the standard syslog configuration. Unless you're extremely sure that a syslog facility will never ever be used, you should keep logging it somewhere. And if you're sure it will never be used, well, what's the harm in having it sent to a file that will always wind up being empty? This is especially the case if you're running third party software (whether commercial or open source), because programmers can have all sorts of clever ideas about what syslog facilities to use for what.

If you're extremely sure that you don't need to syslog a particular facility and so you leave it out, please put a comment in your syslog configuration file to explain this. A good goal to strive for in syslog configuration files (for you and for vendors) is to create one that convinces any sysadmin reading it (including your future self) that it covers everything that will ever be logged.
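One way to check a configuration for this kind of coverage, as an added example that is not code from the original post: a small Python script that reads traditional `facility.priority` selector lines and lists the facilities that no rule logs at info or more verbose. The facility list is the Linux syslog(3) one, the sample configuration is constructed, and the selector handling is a simplified, conservative model (the `=` and `!` operators are ignored, and a later selector on a line overrides an earlier one for the same facility).

```python
# The 20 facilities listed in Linux syslog(3); adjust for your Unix.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron "
              "authpriv ftp").split() + [f"local{n}" for n in range(8)]
# Most to least severe; "fac.prio" selects prio and everything more severe.
PRIORITIES = "emerg alert crit err warning notice info debug".split()
NEEDED = PRIORITIES.index("info")   # only debug may go unlogged

def rule_thresholds(selectors):
    """Least severe priority index each facility reaches in one rule."""
    reached = {}
    for selector in selectors.split(";"):
        facs, _, prio = selector.strip().rpartition(".")
        names = FACILITIES if "*" in facs.split(",") else facs.split(",")
        if prio == "none":
            level = None
        elif prio == "*":
            level = len(PRIORITIES) - 1
        elif prio in PRIORITIES:
            level = PRIORITIES.index(prio)
        else:
            continue   # =prio, !prio, aliases: not modelled, adds no coverage
        for name in names:
            reached[name] = level   # later selector overrides earlier one
    return reached

def uncovered(conf_text):
    """Facilities that no rule logs at info or more verbose."""
    covered = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or "." not in parts[0]:
            continue   # blank, comment, or a directive we do not model
        for name, level in rule_thresholds(parts[0]).items():
            if level is not None and level >= NEEDED:
                covered.add(name)
    return [f for f in FACILITIES if f not in covered]

# Constructed sample, deliberately partial; not a real distribution's file.
SAMPLE = """\
*.notice;auth,authpriv.none      /var/log/messages
auth,authpriv.info               /var/log/auth.log
kern.debug;daemon.info           /var/log/daemon
mail.info                        /var/log/maillog
cron.*                           /var/log/cron
"""

if __name__ == "__main__":
    print("no rule at info or more verbose:", ", ".join(uncovered(SAMPLE)))
```

Because unmodelled selectors add no coverage, the script can report a facility as uncovered when the real syslog daemon would log it, but not the reverse under the stated model.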

(My other syslog configuration opinions are for another entry.)

PS: Out of the Unixes we use, Ubuntu has a default configuration that clearly logs everything to either /var/log/syslog or /var/log/auth.log, while the stock OpenBSD configuration only covers a limited number of facilities. It's possible that OpenBSD covers every use of syslog in the base system (you'd certainly hope so), but if so I doubt it covers all uses of syslog in the packages collection.

Written on 17 July 2021.