Subject: audit of syslog(3) usage...
To: None <>
From: Luke Mewburn <>
List: tech-userlevel
Date: 01/22/2001 11:17:51
I've just completed an audit of the tree of the usage of syslog(3) (or
more specifically, the usage of LOG_, which gets openlog(3) and
program-specific wrappers to syslog(3)).

The results were interesting, and I've attached them below. I may have
missed the occasional case, or summarised a bit to aggressively for a
given program, but the general usage is highlighted. 

A summary:

	- IMO, LOG_CONS was (ab)used too much. I've removed all
	  references to this except in init(8), shutdown(8), and
	  reboot(8), where it makes sense to retain the functionality.
	  There's nothing worse than logging into a serial console
	  to fix a problem and being unable to work because of syslog
	  spam from a program that is using LOG_CONS.

	- A lot of programs use `daemon' as a facility (not surprising,
	  as most of these are daemons).

	- There doesn't seem to be consistency in many programs about
	  differentiating between fatal errors, non-fatal errors,
	  warnings, and diagnostic messages. Many programs log both
	  fatal and non-fatal errors to LOG_ERR.

	- About 15% of the programs were using __progname in the
	  argument to openlog(). I've consistently changed this
	  to using a static identifier, because __progname isn't
	  as portable. (see below)

Discussion points:

	- I'd like to consider separating the logging of fatal and
	  non-fatal errors into different priorities. My suggestion
	  would be to use the priorities as follows:
		CRIT		for fatal errors that will exit
		ERR		for errors that don't exit
		WARNING		for warnings

	- On a tangental point, if we get around to replacing
		const char *__progname
	  with something more portable like: 
		const char *getprogname(const char *argv0)
			(the argv0 element is argv[0] from main(), and could
			 be ignored by NetBSD which can still use __progname
			 from crt0 which is more likely to be accurate)
	  then it's fairly trivial to search the source for openlog()
	  usage and change ident to using getprogname().

	- Consider updating syslog.conf(5), syslog(3), or comments in
	  etc/syslog.conf, to describe which in-tree applications use
	  which facility.

	- Ensure that the usage of priorities by various kernel routines
	  is consistent, both within itself and relative to the other
	  kernel routines.

Food (bits?) for thought/discussion...


Here's the document (with the kernel usage in as well)



	emerg, alert, crit, err, warning, notice, info, debug

	auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news,
	syslog, user, uucp, local0, local1, local2, local3, local4,
	local5, local6, local7

	cons, ndelay, perror, pid

- remove LOG_ODELAY
- remove LOG_PERROR if it's unnecessary
- consider being consistent about levels:
	CRIT		for fatal errors that will exit
	ERR		for errors that don't exit
	WARNING		for warnings
- deprecate LOG_CONS, except where it makes sense (init, shutdown, reboot...)
- be consistent when setting the `ident' parameter of openlog


altqd(8)	daemon.err pid		errors
		daemon.warning		warning messages		default messages
		daemon.debug		debug messages (-v)

amd(8)		(facility can be changed to XYZ with logfile of syslog:XYZ)
		daemon.crit pid		fatal
		daemon.err		error
		daemon.warning		warnings & user errors		info & stats
		daemon.debug		debug and maps

amq(8)		(uses amd(8)'s log file)

apmd(8)		daemon.err		errors			(! -d)
		daemon.warning		warnings		(! -d)
		daemon.notice		power stats		(! -d)
		local1.err		errors			(-d)
		local1.warning		warnings		(-d)
		local1.notice		power stats		(-d)		low impact problems	(-d)
		local1.debug		debug messages		(-d)

atrun(8)	cron.err pid		fatal errors

bootpd(8)	daemon.err pid ndelay	errors (including non-fatal)
		daemon.notice		warnings
		daemoninfo		startup messages, requests

chat(8)		local2.err pid ndelay	fatal errors		-v output

comsat(8)	daemon.err pid		fatal errors		log biffs (-l)
		daemon.debug		debug notices (if debug != 0)
		auth.notice		/ in tty name (might be incorrect code)

cron(8) pid		commands executed

date(1)		auth.notice		date change

dhclient(1)	daemon.err ndelay	fatal errors, errors, parse warnings		various diagnostics & info
		daemon.debug		debug messages (#ifdef DEBUG)

dhcrelay(8)	daemon.err ndelay	fatal errors, errors, parse warnings		various diagnostics & info
		daemon.debug		debug messages (#ifdef DEBUG)

dhcpd(8)	daemon.err ndelay	fatal errors, errors, parse warnings		various diagnostics & info
		daemon.debug		debug messages (#ifdef DEBUG)

faithd(8)	daemon.err pid		errors (including non-fatal)
		daemon.warning		child exit status warnings		status messages
		daemon.debug		debug message (-d)

fingerd(8)	daemon.err pid		fatal errors
		daemon.notice		logged queries (-l)

ftpd(8)		ftp.err pid ndelay	fatal errors
		ftp.warning		conf file parse errors, other warnings
		ftp.notice		login failures/errors		transfer stats, user logins & timeouts,
					successful command results, xferlog
		ftp.debug		debug info (-d)
		authpriv.notice		login errors

getty(8)	auth.err pid		fatal errors
		auth.warning		warnings/errors

hlfsd(8)	(as per amd(8))

huntd(6)	daemon.err pid		fatal errors
		daemon.warning		warnings

identd(8)	daemon.err PID		fatal errors (-l)
		daemon.warning		errors (-l)
		daemon.notice		access denied, bad passwords,
					if lied, bad requests (-l)		connections/requests (-l)
		daemon.debug		sigalrm (-l), debug msgs (-ld)

inetd(8)	daemon.err pid		errors (including non-fatal)
		daemon.warning		connection problems
		auth.warning		libwrap connection refusal		libwrap connection allowed

init(8)		auth.emerg cons		serious emergencies
		auth.alert		problems with terminals, /etc/rc,
					single user shell failure,
					single user login failure

ipmon(8)	(the facility & level can be changed per-rule in ipf.conf)
		local0.err pid ndelay	short packets
					errors (including non-fatal)
		local0.warning		blocked packets
		local0.notice		passed or unmatched packets		`log'ged packets

isdnd(8)	-			(facility can be changed with -s)
		local0.err pid ndelay	errors (adds perror #ifdef DEBUG)
		local0.warning		warnings
		local0.notice		significant daemon conditions		informational, call handling,
					packet logging
		local0.debug		debug messages

kf(1)		auth.err pid odelay	errors (including non-fatal)

lfs_cleanerd(8)	daemon.err pid ndelay	fatal errors (adds perror if -d)
		daemon.warning		warnings		status messages (-d), stats on SIG...
		daemon.debug		debug messages (-d), debug stats

logger(1)	user.notice pid perror	whatever given (fac.pri can be changed)

login(1)	auth.err		gethostbyname problems, other errors XXX
		auth.warning		problems chowning tkfile
		auth.notice		kerberos ticket problems,
					login refusals/acceptance
		authpriv.notice		login failure

lpd(8)		lpr.alert		remote queue full
		lpr.crit		sleeptime overflow
		lpr.err pid		file/tty/network errors
		lpr.warning		too many children - sleeping		illegal options, status messages,
					some network errors, bad requests
		lpr.debug		connection failure when binding to
					a multi-homed host

lpq(8)		(as per lpd(8))

lpr(8)		(as per lpd(8))

lprm(8)		(as per lpd(8))

mail.local(8)	mail.err perror		various errors

master(8)	mail.crit pid ndelay	panic messages (prefixed with "panic")
		mail.crit		fatal messages (prefixed with "fatal")
		mail.err		error messages (prefixed with "error")
		mail.warning		warnings (prefixed with "warning")		info messages

mopd(8)		daemon.err		errors (including non-fatal)		info messages

mopchk(8)	(as per mopd(8))

moptrace(8)	(as per mopd(8))

mopprobe(8)	(as per mopd(8))

mountd(8)	daemon.err pid		errors (including non-fatal & parsing)
		daemon.warning		warnings
		daemon.notice		refused requests

mount_nfs(8)	daemon.err pid		nfssvc() errors (non fatal?)

mount_portal(8)	daemon.err pid		fatal errors
		daemon.warning		errors/warnings
		daemon.debug		debug messages (#ifdef DEBUG)

mrouted(8)	daemon.err pid		fatal errors
		daemon.warning		warnings/errors
		daemon.notice		status messages

named(8)	(named sends other messages to facilities and levels
		 defined in named.conf)
		daemon.crit pid ndelay	fatal errors
		daemon.err		internal non-fatal errors
		daemon.warning		bad options		internal warnings

named-xfer(8)	daemon.err pid perror	errors (including non-fatal)
		daemon.notice		xfer problems		warnings, status updates
		daemon.debug		writemsg() failure

nfsd(8)		daemon.err pid		errors (including non-fatal)

ntpd(8)		daemon.err pid ndelay	errors (including non-fatal)
		daemon.warning		warnings
		daemon.notice		notices		info messages (and some debug if -d/-D)
		daemon.debug		debug messages

ntpdate(8)	(as per ntpd(8), except debug messages aren't logged unless -d)

pim6dd(8)	daemon.err pid		error messages
		daemon.warning		warning messages
		daemon.notice		notice messages		info messages
		daemon.debug		debug messages

pim6sd(8)	daemon.err pid		error messages
		daemon.warning		warning messages
		daemon.notice		notice messages		info messages
		daemon.debug		debug messages

poffd(?)	daemon.err		fatal errors
		daemon.debug		debug messages

postdrop(1)	(as per master(8))

postlog(1)		whatever given
					(pid if -i, level can be changed)

postsuper(1)	(as per master(8))

pppd(8)		(uses local2 if any DEBUG options are #defined)
		daemon.err		errors
		daemon.warning		warnings
		daemon.notice		notices (if debug)		status messages (if debug)
		daemon.debug		log all control packets (if debug)

racoon(8)	daemon.alert ndelay	unknown errors		various errors/warnings
		daemon.debug		debug messages

rarpd(8)	daemon.err pid		errors (including non-fatal)
		daemon.warning		warnings		requests (if -l)

rbootd(8)	daemon.err pid		errors (including non-fatal)
		daemon.warning		connection timeouts, bad replies,
					bad packets, dropping existing conns
		daemon.notice		restart/reconfig messages		ignored packets, request allow/denied

reboot(8)	auth.crit cons		halt/reboot/poweroff message (! -l)

rexecd(8)	daemon.err pid		critical errors (if -l)		command run (if -l)

rlogind(8)	auth.err pid		fatal errors
		auth.warning		various warnings
		auth.notice		addr problems, bad port, bad ip opts		login success (-L), login failures

routed(8)	daemon.err pid		errors
		daemon.debug		debug messages (#ifdef RN_DEBUG)

route6d(8)	daemon.err pid ndelay	errors
		daemon.warning		warnings (if -d/-D)		info messages
		daemon.debug		debug messages (if -d/-D)

rpc.bootparamd(8)	daemon.notice	status info (if -s)

rpc.lockd(8)	daemon.err		errors (including non-fatal)	XXX
		daemon.warning		warnings (including fatal)
		daemon.notice		warnings		status messages
		daemon.debug		debug messages (including if -d >0)

rpc.rquotad(8)	daemon.err pid		errors
		daemon.warning		errors

rpc.rstatd(8)	daemon.err pid		fatal errors
		daemon.debug		debug message (#ifdef DEBUG)

rpc.rusersd(8)	daemon.err pid		fatal errors
		daemon.warning		errors/warnings
		daemon.debug		x11 debug messages (#ifdef XIDLE)

rpc.statd(8)	daemon.err		errors (including non-fatal)	XXX		status messages
		daemon.debug		debug messages (including if -d >0)

rpc.rwalld(8)	daemon.err pid		various errors

rpc.sprayd(8)	daemon.err pid		various errors

rpcbind(8)	daemon.err		errors (including non-fatal)
		auth.notice		denied requests (-l)		requests (including some denied) (-l)

rshd(8)		daemon.err pid		fatal errors
		daemon.warning		warnings
		daemon.notice		ignored ip opts, addr problems
		auth.notice		illegal port		valid commands (-L), login failures

rtadvd(8)	daemon.err pid ndelay	errors (including non-fatal)
		daemon.warning		warnings/non-fatal errors (if -d)
		daemon.notice		info messages (if -d)		config warnings (if -d/-D)
		daemon.debug		debug messages (if -d/-D)

rtsold(8)	daemon.err pid ndelay	errors (including non fatal)
		daemon.warning		warnings
		daemon.notice		some warnings		info messages (if -d/-D)
		daemon.debug		debug messages (if -d/-D)

rwhod(8)	daemon.err pid		fatal errors
		daemon.warning		warnings

savecore(8)	daemon.alert perror	panic string
		daemon.err		errors (including non-fatal)
		daemon.warning		warnings & less problematic errors
		daemon.notice		messages about writing core

sendmail(8)	mail.alert pid		very serious errors (inc. non-fatal)
		mail.crit		serious errors (non-fatal)
		mail.err		non-fatal errors
		mail.warning		warnings (depending on LogLevel)
		mail.notice		notices (depending on LogLevel)		info msgs (depending on LogLevel)
		mail.debug		debug msgs (depending on LogLevel)

sesd(8)		user.alert		enclosure unrecoverable
		user.crit		enclosure critical
		user.err		errors (including non-fatal)
		user.warning		enclosure non-critical
		user.notice		enclosure ok		enclosure has status info

shutdown(8)	auth.err cons		errors (including non-fatal)
		auth.notice		halt/reboot/poweroff message

sliplogin(8)	daemon.err		errors		attach/detach info messages

smrsh(8)	mail.crit		fatal errors
		mail.err		fatal errors
		mail.warning		fatal warnings

sshd(8)		(maximum level controlled by sshd.conf's LogLevel directive)
		(facility changed with sshd.conf's SyslogFacility directive)
		auth.err		errors (including non-fatal)		info and verbose messages
		auth.debug		debugging

su(1)		auth.warning		bad su or other problems
		auth.notice		notification of successful su

sup(1)		daemon.err pid		errors (including non-fatal)		info messages
		auth.warning		libwrap deny		libwrap allow

supfilesrv(8)	daemon.err pid		errors (including non-fatal)		info messages
		auth.warning		libwrap deny		libwrap allow

syslogd(8)	user.notice		default for non kernel messages
		kern.crit		default for kernel messages		periodic (20 mins) status messages
		syslog.err		errors (including non-fatal)		restart message

talkd(8)	daemon.err pid		fatal errors
		daemon.warning		network warnings		info messages
		daemon.debug		debug messages (-d)

telnetd(8)	daemon.err pid		fatal errors
		daemon.warning		warnings		reject env var modification

timed(8)	daemon.err pid		errors (including non-fatal)
		daemon.warning		warnings
		daemon.notice		time adjustments, some bad msgs		status messages

timedc(8)	auth.err		errors

tftpd(8)	daemon.err pid ndelay	fatal errors		log requests (-l)
		daemon.debug		debug messages (-l)

uucpd(8)	auth.err pid		fatal errors (-l)		successful logins (-l)

vacation(1)	user.err		fatal errors

wdogctl(8)	daemon.emerg pid perror	timer tickle failure

ypbind(8)	daemon.err pid perror	fatal errors
		daemon.warning		warnings/errors

yppush(8)	daemon.err pid		fatal errors

ypserv(8)	daemon.err pid		errors
		daemon.warning		warnings		all other messages
		daemon.debug		debug messages (#ifdef DEBUG)

ypxfr(8)	daemon.debug pid	debug messages (#ifdef DEBUG)

_DIAGASSERT(3)	user.debug		assertion failures

getgr*(3)	?.err			bad group_compat database

getpw*(3)	?.err			bad passwd_compat database
					problem opening /etc/*pwd.db

getaddrinfo(3)	auth.notice		bad type returned in getanswer()

gethostby*(3)	auth.notice		bad type returned in getanswer()

rcmd(3)		?.notice		name<->address mismatch

setnetpath(3)	?.err			unable to open NETCONFIG

getnetpath(3)	?.err			unable to open NETCONFIG

rpc(3)		?.err			various errors

login_getclass(3)	?.err		various errors

secure_path(3)	?.err			various errors

hosts_access(3) ?.err			errors (including non-fatal)
		?.warning		bad IP source routing opts
		?.info			ignore IP opts
		?.debug			matched options (hosts_access_verbose>0)
					matched rules (hosts_access_verbose>1)
		(also logs to values of external int variables
		 allow_severity and deny_severity)


(all kernel messages are at logged to the `kern' facility)

crit	i386	isa, mca NMI

err	alpha	stray interrupts
	amiga	if_ed, if_es problems
	arc	isadma, fd, if_sn problems
	arm32	undefined instructions (#ifdef VERBOSE_ARM32)
	arm32	stray interrupts (on various busses), fd problems
	arm32	if_ea, if_eb, if_ie, if_es device timeouts
	atari	fd, zs problems
	bebox	stray interrupts
	hp300	mt errors
	i386	isa stray interrupts
	mac68k	if_sn, if_ae errors, stray interrupts
	newsmips	if_sn, mb8795 errors
	ofppc	stray interrupts
	prep	stray interrupts
	sparc	fd, fpu problems
	sparc64	fd problems
	sun3	fd, if_ie problems
	vax	qv keyboard error, if_ln device timeout
	x68k	fd, ms problems
	compat	compat_offseterr()
	MI	cy timeout
	MI	an, dp8390, elink3, elinkxl, hme, i82586, lance, mb86960 errors
	MI	seeq8005, smc91cxx, tropic, if_eg, if_el, if_hp, if_iy errors
	MI	ofnet, be, qe, if_se errors
	MI	mb86960 errors (#if FE_DEBUG >= 1)
	MI	fd problems
	MI	sun/kbd reset/get_layout failure
	MI	sun/kbd_zs, sun/ms_zs, sun/sunkbd, tc/zskbd, tc/zsms problems
	MI	accounting write failure
	MI	process kill
	MI	pool_get hard limit hit
	MI	system table full
	MI	procfs mount failure
	MI	if_arc errors
	MI	routing errors
	MI	aarp duplicate AT address
	MI	if_arp, if_ieee1394arp errors
	MI	ip_mroute errors
	MI	ipsec: protocol/algorithm/IP-option problems (if ipsec_debug)
	MI	ipsec: ipv6 jumbogram not supported (if ipsec_debug)
	MI	ipsec: unsupport algorithm or key length (if ipsec_debug)
	MI	ipsec: size exceeded, weak key, XXX+MORE (if ipsec_debug)
	MI	icmp6: rejected ICMP6 redirects
	MI	inet6: overlapping fragments, invalid prefix length, ENOBUFS
	MI	inet6: internal errors, already matching addr/prefix
	MI	inet6: option length errors
	MI	mroute6: errors (if mrt6debug && #ifdef MRT6DEBUG)
	MI	mld6: src not link local, illegal type
	MI	nd6: route add failure, non-link-local addr in list
	MI	nd6: invalid hlim (#ifdef ND6_DEBUG)
	MI	nd6: details of bad packets, bad target addr, XXX+MORE
	MI	nfs: bad packet length
	MI	ext2fs & ffs errors

warning	alpha	silo overflows
	amiga	if_ed ring buffer overflow
	amiga	if_qn, ser, mfc problems
	amiga	keyboard event queue overflow
	arm26	vm shortage, arckbd errors, if_eh problems
	arm32	if_ea, if_eb packet problems
	arm32	use of ttyv framebuffer mapping
	arm32	multiple open of of/dev/vidcvideo0
	atari	keyboard event queue overflow
	atari	ser, zs silo overflow/overrun
	hp300	apci, dca, dcm problems, mt soft errors
	mac68k	z8530 silo overflow
	pc532	scn overrun
	pmax	dc, scc silo overflow
	pmax	lk201 keyboard error
	pmax	rz partition overlap
	sh3	sci, scif silo overflow
	vax	if_ie buffer problems (if dedebug)
	vax	ts stray interrupts
	x68k	com silo overflow, keyboard event queue overflow
	MI	com, cy, z8530tty, cz, dhu, dl, dz overflows
	MI	magma overflows
	MI	dp8390 receiver overflow (#ifdef DIAGNOSTIC)
	MI	mb86960 warnings (#if FE_DEBUG >= 2)
	MI	ne2000, seeq8005, smc90cx6 warnings
	MI	sun/kbd, wscons/wskbd problems
	MI	ktrace write failure
	MI	settimeofday() ignoring timezone set
	MI	if_arp, if_ieee1394arp warnings
	MI	if_mroute warnings
	MI	ipsec: packet replay, replay counter overflow (if ipsec_debug)
	MI	ipsec: checksum mismatch, ipv6 auth fail (if ipsec_debug)
	MI	ipsec: no key association, XXX+MORE (if ipsec_debug)
	MI	inet6: internal warnings
	MI	mroute6: socket queue full (if mrt6debug && #ifdef MRT6DEBUG)
	MI	isdn: TEI denied

notice	mvme68k	lpt status: offline, out of paper, output error
	pc532	lpt status, plip problems
	sparc64	cgsix problems (#ifdef DEBUG)
	MI	ic/lpt, usb/lpt status
	MI	tcx warnings (#ifdef DEBUG)
	MI	cgsix problems (#ifdef DEBUG)
	MI	accounting status
	MI	if_gif errors
	MI	ipsec: length mismatch, tunnel addr mismatch (if ipsec_debug)
	MI	ipsec: ipv6 pullup gather failure, XXX+MORE (if ipsec_debug)
	MI	inet6: preferred lifetime > valid lifetime
	MI	nd6: nd6_init called > once
	MI	ffs: optimization changes (if ffs_log_changeopt)

info	amiga	grf4 interrupts, if_qn messages
	arm32	stack usage (#ifdef STACKCHECKS)
	vax	ts special condition errors
	MI	mb86960 debugging (#if FE_DEBUG >= 3)
	MI	if_ate debug (#if ATE_DEBUG >= 3)
	MI	process non-zero exit (if kern_logsigexit)
	MI	if_arc out of seq. packets
	MI	if_sppp status messages (some if IFF_DEBUG)
	MI	if_arp, if_ieee1394arp ARP override status messages
	MI	if_atm dropped multicast/broadcast packets
	MI	tcp_input connection refused (if tcp_log_refused)
	MI	icmp6: bad ND options, lladdrlen mismatch
	MI	inet6: packet for unready address
	MI	nd6: bad DAD packet, bad NS target, bad ND option
	MI	nd6: lladdrlen mismatch, duplicate ip6 addr
	MI	isdn: TEI assigned/removed
	MI	nfs: send/receive errors

debug	arm26	arckbd debug (#ifdef ARCKBD_DEBUG)
	hp300	mt debugging
	MI	if_sppp debugging (if interface has IFF_DEBUG set)
	MI	routing debugging (if rn_debug and #ifdef RN_DEBUG)
	MI	if_arp, if_ieee1394arp debugging
	MI	if_atm bad gateways
	MI	ip_mroute debugging (if mrtdebug or tbfdebug)
	MI	ipsec: can't pullup, dying SA, bad mem alloc (if ipsec_debug)
	MI	ipsec: unsupported auth algorithm (if ipsec_debug)
	MI	ipsec: internal errors, mbuf probs, XXX+MORE (if ipsec_debug)
	MI	inet6: unforwarded packets
	MI	mroute6: status messages (if mrt6debug && #ifdef MRT6DEBUG)
	MI	nd6: unsupported option, lookup failure, malloc failures
	MI	nd6: bad gateway
	MI	iso: debug messages


Luke Mewburn  <>
Luke Mewburn     <>
Wasabi Systems - providing NetBSD sales, support and service.