guide·2026-04-09·10 min read

FreeBSD System Monitoring and Logging Guide

Complete FreeBSD logging reference: syslogd configuration, newsyslog rotation, centralized logging, log analysis, Promtail + Loki integration, and security audit logging.


FreeBSD's logging infrastructure is simpler and more predictable than what you find on Linux. There is no journald. No binary log format. Logs are plain text files managed by syslogd and rotated by newsyslog. This simplicity is a feature -- logs are readable with cat, searchable with grep, and parseable with any text processing tool.

This guide covers the full logging stack: syslogd configuration, newsyslog rotation, important log files, centralized logging across multiple hosts, integration with modern log aggregation (Loki), and security audit logging with FreeBSD's audit subsystem.

For related monitoring topics, see FreeBSD Server Monitoring Guide.

Log File Locations

FreeBSD's standard log files:

| File | Content |
|------|---------|
| /var/log/messages | General system messages (most important) |
| /var/log/auth.log | Authentication events (login, sudo, SSH) |
| /var/log/security | Security-related events |
| /var/log/cron | Cron job execution |
| /var/log/maillog | Mail system activity |
| /var/log/daemon.log | Daemon-specific messages |
| /var/log/debug.log | Debug-level messages |
| /var/log/console.log | Console output |
| /var/log/utx.log | Login/logout records (binary, read with last) |
| /var/log/devd.log | Device state change events |

Application-specific logs typically go to a per-application subdirectory under /var/log/ or to a path set in the application's own configuration:

```sh
# Nginx
/var/log/nginx/access.log
/var/log/nginx/error.log
# PostgreSQL
/var/log/postgresql/postgresql.log
# DHCP
/var/log/dhcpd.log
```

syslogd Configuration

syslogd is FreeBSD's system log daemon. It receives messages from the kernel, daemons, and applications, and routes them to files, the console, remote hosts, or pipes.

Configuration File

The configuration file is /etc/syslog.conf. Each line has two fields: a selector (facility.priority) and an action (where to write).

```sh
cat /etc/syslog.conf
```

Facilities and Priorities

Facilities: auth, authpriv, console, cron, daemon, ftp, kern, lpr, mail, mark, news, ntp, security, syslog, user, uucp, local0-local7

Priorities (lowest to highest): debug, info, notice, warning, err, crit, alert, emerg

Example Configuration

```sh
# /etc/syslog.conf

# Everything except auth and mail goes to messages
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages

# Authentication messages
auth.info;authpriv.info                                         /var/log/auth.log

# Security messages
security.*                                                      /var/log/security

# Cron messages
cron.*                                                          /var/log/cron

# Mail messages
mail.info                                                       /var/log/maillog

# Debug messages (can be verbose)
*.=debug                                                        /var/log/debug.log

# Daemon messages
daemon.info                                                     /var/log/daemon.log

# Emergency messages to all logged-in users
*.emerg                                                         *

# Console messages
*.err;kern.warning;auth.notice;mail.crit                        /dev/console

# Custom application logging to dedicated files
local0.*                                                        /var/log/myapp.log
local1.*                                                        /var/log/myservice.log
```
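The selector rules are easy to misread, and a mistake here silently drops or duplicates messages. The following added example (not part of the original guide) implements the selector semantics from syslog.conf(5) in POSIX sh so you can ask "would a message with this facility and priority land in this file?" against a line like the messages rule above. It assumes the standard facility and priority names; the selector strings are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the guide: evaluate a syslog.conf selector against a
# message's facility and priority, following the rules in syslog.conf(5).
#  - "fac.pri"   matches pri and every higher priority
#  - "fac.=pri"  matches exactly pri
#  - "fac.!pri"  matches priorities below pri ("fac.!=pri" excludes only pri)
#  - "fac.none"  excludes the facility
#  - "*" matches every facility; "a,b.pri" applies to several facilities
#  - fields are separated by ";" and a later field overrides an earlier one
#    for the facilities it names (this is why "*.notice;authpriv.none" keeps
#    authpriv out of /var/log/messages)

# Numeric level of a priority name, lowest first; unknown names give -1.
prio_level() {
    case "$1" in
        debug) echo 0 ;;  info) echo 1 ;;  notice) echo 2 ;;  warning|warn) echo 3 ;;
        err|error) echo 4 ;;  crit) echo 5 ;;  alert) echo 6 ;;  emerg|panic) echo 7 ;;
        *) printf '%s\n' -1 ;;
    esac
}

# syslog_selects SELECTOR FACILITY PRIORITY -> prints "yes" or "no"
syslog_selects() {
    selector=$1 fac=$2 pri=$3
    msg_level=$(prio_level "$pri")
    rule=""          # priority spec that currently applies to this facility
    set -f           # no pathname expansion while "*" is split into words
    old_ifs=$IFS
    IFS=';'
    for field in $selector; do
        IFS=','
        fac_list=${field%.*}
        pri_spec=${field##*.}
        for f in $fac_list; do
            if [ "$f" = "*" ] || [ "$f" = "$fac" ]; then
                rule=$pri_spec      # later fields win for this facility
            fi
        done
    done
    IFS=$old_ifs
    set +f
    case "$rule" in
        ""|none)  echo no ;;
        '!='*)    [ "$msg_level" -ne "$(prio_level "${rule#!=}")" ] && echo yes || echo no ;;
        '!'*)     [ "$msg_level" -lt "$(prio_level "${rule#!}")" ] && echo yes || echo no ;;
        '='*)     [ "$msg_level" -eq "$(prio_level "${rule#=}")" ] && echo yes || echo no ;;
        *)        [ "$msg_level" -ge "$(prio_level "$rule")" ] && echo yes || echo no ;;
    esac
}

# Worked check against the /var/log/messages selector from the example config
MESSAGES_SELECTOR='*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err'
for probe in kern:debug authpriv:info mail:warning daemon:notice daemon:info; do
    f=${probe%:*}; p=${probe#*:}
    printf '%-9s %-8s -> %s\n' "$f" "$p" "$(syslog_selects "$MESSAGES_SELECTOR" "$f" "$p")"
done
```

Run it as a script, or source it and call `syslog_selects` with a selector copied from your own syslog.conf. Note that `mail.warning` is not selected even though `*.notice` would include it: the later `mail.crit` field raises the threshold for that one facility, which is the override rule the default configuration relies on.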

Applying Changes

```sh
# Reload syslogd after editing syslog.conf
service syslogd reload
```

Testing syslogd

```sh
# Send a test message
logger -t test "This is a syslog test message"

# Verify it appears
tail -1 /var/log/messages
# Should show: ... test: This is a syslog test message

# Send to a specific facility
logger -p local0.info -t myapp "Application started"
tail -1 /var/log/myapp.log
```

syslogd Flags

```sh
# View current syslogd flags
sysrc syslogd_flags

# Common flags:
#   -s        Secure mode -- do not accept messages from remote hosts
#   -ss       Super-secure -- do not even open the network socket
#   -b addr   Bind only to the given address (limits which interface receives remote messages)
#   -C        Create log files if they do not exist
#   -a peer   Accept messages from the given host or network (host, host:port or net/masklen)

# Recommended for a standalone server (no remote logging):
sysrc syslogd_flags="-ss"

# For a log server accepting remote logs:
sysrc syslogd_flags="-a 10.0.0.0/24"
```

newsyslog: Log Rotation

newsyslog handles log rotation, compression, and cleanup. It is the FreeBSD equivalent of Linux's logrotate but simpler and integrated into the base system.

Configuration

The main configuration file is /etc/newsyslog.conf:

```sh
cat /etc/newsyslog.conf
```

Format: logfile [owner:group] mode count size when flags [/pid_file] [sig_num]

```sh
# /etc/newsyslog.conf
# logfilename       [owner:group]  mode count size when  flags [/pid_file] [sig_num]
/var/log/messages                  644  7     1000 @T00  JC
/var/log/auth.log                  600  7     1000 @T00  JC
/var/log/security                  600  10    1000 *     JC
/var/log/cron                      600  3     1000 *     JC
/var/log/maillog                   644  7     *    @T00  JC
/var/log/debug.log                 644  5     1000 *     JC
/var/log/daemon.log                644  5     1000 *     JC
```

Column meanings:

  • mode: File permissions (644, 600, etc.)
  • count: Number of rotated files to keep
  • size: Rotate when file exceeds this many KB (or * for time-based only)
  • when: Time-based rotation (@T00 = midnight, $W0 = weekly Sunday, $M1D0 = first of month)
  • flags: J = bzip2 compression, Z = gzip, X = xz, Y = zstd, C = create file if missing, G = treat the file name as a glob pattern
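A review of newsyslog.conf is worth automating: a wrong mode on auth.log exposes login history to every local user, and an entry that never rotates fills /var. The script below is an added example (not from the guide) that parses the entry format described above with awk and reports the mistakes a reviewer would flag. The sample configuration it checks is constructed for the demonstration and deliberately contains errors; the set of valid flag letters is taken from newsyslog.conf(5).

```sh
#!/bin/sh
# Added example, not from the guide: a sanity check over newsyslog.conf entries.
# It parses "logfile [owner:group] mode count size when flags [...]" and reports:
#  - sensitive logs (auth.log, security) readable by other users
#  - count 0, which keeps no rotated history
#  - size "*" together with when "*", which means the file is never rotated
#  - flag letters that newsyslog.conf(5) does not define

# newsyslog_audit FILE -> one finding per line (nothing printed = no findings)
newsyslog_audit() {
    awk '
    BEGIN { valid = "BCDEGJNRTUXYZ-" }      # flag letters from newsyslog.conf(5)
    /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^<include>/ { next }
    {
        lf = $1; i = 2
        if ($2 ~ /:/) i = 3                  # optional owner:group column
        mode = $i; count = $(i+1); size = $(i+2); when = $(i+3); flags = $(i+4)
        if (lf ~ /(auth\.log|security)$/ && mode !~ /0$/)
            printf "%s: mode %s lets other users read it; use 600\n", lf, mode
        if (count == 0)
            printf "%s: count 0 keeps no rotated copies\n", lf
        if (size == "*" && when == "*")
            printf "%s: size * and when * means it is never rotated\n", lf
        n = split(toupper(flags), fl, "")    # one element per flag letter
        for (k = 1; k <= n; k++)
            if (index(valid, fl[k]) == 0)
                printf "%s: unknown flag %s\n", lf, fl[k]
    }' "$1"
}

# Constructed sample (not a real host's file), deliberately containing mistakes.
NEWSYSLOG_SAMPLE=${TMPDIR:-/tmp}/newsyslog-sample.conf
cat > "$NEWSYSLOG_SAMPLE" << 'EOF'
# logfilename              [owner:group]  mode count size when  flags [/pid_file] [sig_num]
/var/log/messages                         644  7     1000 @T00  JC
/var/log/auth.log                         644  7     1000 @T00  JC
/var/log/security                         600  0     1000 *     JC
/var/log/nginx/access.log  www:www        644  14    *    @T00  JC    /var/run/nginx.pid 30
/var/log/myapp.log                        644  5     *    *     JQ
EOF

newsyslog_audit "$NEWSYSLOG_SAMPLE"
```

Point it at /etc/newsyslog.conf and the files under /usr/local/etc/newsyslog.conf.d/ after adding application entries. The nginx line produces no finding: the owner:group column shifts the field positions, which the parser accounts for, and its flags and schedule are valid.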

Adding Application Log Rotation

```sh
# Rotate nginx logs
echo '/var/log/nginx/access.log www:www 644 14 * @T00 JC /var/run/nginx.pid 30' >> /etc/newsyslog.conf
echo '/var/log/nginx/error.log www:www 644 14 * @T00 JC /var/run/nginx.pid 30' >> /etc/newsyslog.conf
```

The /pid_file and sig_num tell newsyslog to signal the process after rotation (signal 30 = USR1, which tells nginx to reopen log files).

newsyslog.conf.d

For cleaner organization, use /usr/local/etc/newsyslog.conf.d/ for application-specific rotation configs:

```sh
# /usr/local/etc/newsyslog.conf.d/nginx.conf
/var/log/nginx/access.log  www:www  644  30  *  @T00  JC  /var/run/nginx.pid  30
/var/log/nginx/error.log   www:www  644  30  *  @T00  JC  /var/run/nginx.pid  30
```

Manual Rotation

```sh
# Force immediate rotation of a specific log
newsyslog -vF /var/log/messages

# Dry run -- show what would be rotated
newsyslog -nrv

# Force rotate all logs
newsyslog -F
```

How newsyslog Runs

newsyslog is called by cron -- check /etc/crontab:

```sh
grep newsyslog /etc/crontab
# */5 * * * * root /usr/sbin/newsyslog
```

It runs every 5 minutes by default and checks if any log needs rotation based on size or time criteria.

Centralized Logging

For multiple FreeBSD hosts, centralize logs on a single server.

Log Server Configuration

On the central log server:

On the central log server, give each client its own file inside a +hostname block. The base syslogd does not expand hostname or date patterns in file names, so each client's file is listed explicitly (host names below are examples):

```sh
# /etc/syslog.conf -- add remote log acceptance
# Lines after a +hostname spec apply only to messages from that host;
# +* resets to all hosts. Use the host name exactly as it appears in the
# messages (check /var/log/messages on the server once a client forwards).
+web1.example.com
*.*                                             /var/log/remote/web1.log
+db1.example.com
*.*                                             /var/log/remote/db1.log
+*
```

Create the directory and the per-client files. syslogd only writes to files that already exist unless it is started with -C:

```sh
mkdir -p /var/log/remote
touch /var/log/remote/web1.log /var/log/remote/db1.log
chmod 640 /var/log/remote/*.log
```

Enable network listening. This replaces the default -s flag, which refuses remote messages. The -a check is by source address, which UDP does not authenticate, so also restrict port 514 at the firewall:

```sh
# Allow remote logging from your network
sysrc syslogd_flags="-a 10.0.0.0/24:*"
service syslogd restart
```

Client Configuration

On each client host:

```sh
# /etc/syslog.conf -- add remote forwarding
# The base syslogd forwards over UDP (port 514) only; there is no @@ TCP form.
# For a TCP transport, use syslog-ng from ports instead.
*.*                                             @logserver.example.com
```

Restart syslogd:

```sh
service syslogd restart
```

Testing

```sh
# On a client
logger -t test "Remote logging test"

# On the server, in the file configured for that client
tail /var/log/remote/*.log
```

Security Audit Logging

FreeBSD includes a comprehensive audit subsystem (based on the BSM -- Basic Security Module -- standard from Sun/TrustedSolaris) that can log detailed system call activity.

Enabling the Audit System

```sh
# Enable auditd
sysrc auditd_enable="YES"
service auditd start
```

Audit Configuration

The main configuration file is /etc/security/audit_control:

```sh
cat > /etc/security/audit_control << 'CONF'
# Directory for audit trail files
dir:/var/audit
# Default audit flags for attributable events (actions of a known user)
flags:lo,aa,ad,ex
# Flags for non-attributable events, e.g. failed logins before a user is known
naflags:lo,aa
# Minimum free space before warning (percentage)
minfree:5
# Policy flags
policy:cnt,argv
# Maximum audit trail file size (0 = unlimited)
filesz:50M
# Expire old trail files when this limit is reached
expire-after:90d
CONF

# Re-read the configuration and start a new trail
audit -s
```

Audit flag meanings:

  • lo -- Login/logout events
  • aa -- Authentication and authorization
  • ad -- Administrative actions
  • ex -- Program execution
  • fw -- File write
  • fr -- File read
  • fc -- File create

Viewing Audit Logs

Audit logs are binary. Use praudit to read them:

```sh
# View the current audit log
praudit /var/audit/current

# View in short form
praudit -s /var/audit/current

# Search for specific events
praudit /var/audit/current | grep -i "login"

# View audit logs in XML format
praudit -x /var/audit/current
```

Per-User Audit Configuration

Audit specific users more aggressively:

```sh
# /etc/security/audit_user
# user:always_audit_flags:never_audit_flags
root:lo,aa,ad,fw,ex:no
admin:lo,aa,ad,ex:no
```

Audit Trail Rotation

```sh
# Force a new audit trail file
audit -n

# Automatic rotation is configured in audit_control with the filesz
# and expire-after directives (shown above)
```

Log Analysis

Real-Time Monitoring

```sh
# Watch system messages in real time
tail -f /var/log/messages

# Watch multiple logs simultaneously
tail -f /var/log/messages /var/log/auth.log

# Watch with color (if installed)
pkg install ccze
tail -f /var/log/messages | ccze -A
```

Common Search Patterns

```sh
# Failed SSH login attempts
grep "Failed password" /var/log/auth.log

# Successful SSH logins
grep "Accepted" /var/log/auth.log

# Sudo usage
grep "sudo" /var/log/auth.log

# Kernel panics or crashes (-E for alternation; BSD grep's basic regex has no \|)
grep -Ei "panic|fatal|error" /var/log/messages

# Service restarts
grep -E "restart|start|stop" /var/log/messages

# Disk errors
grep -Ei "error|fault|fail" /var/log/messages | grep -Ei "da|ada|nvd"

# ZFS events
grep -Ei "zfs|zpool" /var/log/messages

# Login history
last -10

# Currently logged-in users
who
```

Parsing with Standard Tools

```sh
# Count log events by hour
awk '{print $1, $2, $3}' /var/log/messages | cut -d: -f1 | sort | uniq -c | sort -rn

# Top 10 IPs hitting SSH
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -10

# Log volume per day (one file per rotation; rotated copies are compressed,
# so pipe those through bzcat before counting)
for f in /var/log/messages*; do echo "$(wc -l < "$f") $f"; done | sort -rn
```

Loki Integration

For modern log aggregation with Grafana-based querying, add Promtail to ship logs to Loki.

Install and Configure Promtail

```sh
pkg install promtail

cat > /usr/local/etc/promtail-local-config.yaml << 'CONF'
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /var/db/promtail/positions.yaml

clients:
  - url: http://loki-server:3100/loki/api/v1/push

scrape_configs:
  - job_name: system
    static_configs:
      - targets:
          - localhost
        labels:
          host: myhost
          job: system
          __path__: /var/log/messages
    pipeline_stages:
      - regex:
          expression: '^(?P<timestamp>\w+\s+\d+\s+[\d:]+)\s+(?P<hostname>\S+)\s+(?P<process>\S+?)(\[(?P<pid>\d+)\])?:\s+(?P<message>.*)$'
      - labels:
          process:
      - timestamp:
          source: timestamp
          format: "Jan 2 15:04:05"

  - job_name: auth
    static_configs:
      - targets:
          - localhost
        labels:
          host: myhost
          job: auth
          __path__: /var/log/auth.log

  - job_name: cron
    static_configs:
      - targets:
          - localhost
        labels:
          host: myhost
          job: cron
          __path__: /var/log/cron

  - job_name: security
    static_configs:
      - targets:
          - localhost
        labels:
          host: myhost
          job: security
          __path__: /var/log/security
CONF

mkdir -p /var/db/promtail
sysrc promtail_enable="YES"
service promtail start
```

Querying Logs in Grafana

With Loki as a data source in Grafana:

```logql
# All system messages from a specific host
{host="myhost", job="system"}

# SSH failures
{job="auth"} |= "Failed password"

# Number of lines containing "error" over the last hour
count_over_time({host="myhost"} |= "error" [1h])

# Top log producers by process
sum by (process) (count_over_time({host="myhost"}[1h]))
```

Performance Considerations

Log Volume on Busy Systems

On high-traffic systems, logging can become a bottleneck:

```sh
# Check current disk write rate
iostat -w 5 -d

# If log volume is too high, reduce verbosity:
# in syslog.conf, change *.notice to *.warning for high-volume facilities
```

Filesystem Considerations

```sh
# Put /var/log on a separate ZFS dataset with compression
zfs create -o compression=zstd -o atime=off tank/var/log

# ZFS compression is excellent for log files
# Typical compression ratio: 5:1 to 10:1 for text logs
```

Preventing Disk Full

```sh
# Set newsyslog limits aggressively:
# in /etc/newsyslog.conf, use size limits AND count limits

# Monitor log disk usage
df -h /var/log

# Set a ZFS quota on the log dataset
zfs set quota=50G tank/var/log
zfs set reservation=10G tank/var/log
```

FAQ

Where are FreeBSD's system logs?

The primary system log is /var/log/messages. Authentication logs are in /var/log/auth.log. See the log file locations table at the top of this guide for the complete list.

How do I view logs in real time?

Use tail -f /var/log/messages for system logs. Replace the path with any log file you want to monitor. For multiple files simultaneously, list them all: tail -f /var/log/messages /var/log/auth.log.

What is the difference between syslogd and rsyslog?

FreeBSD uses syslogd from the base system. rsyslog is a Linux-oriented replacement with more features (structured logging, database output, etc.). For most FreeBSD deployments, the base syslogd is sufficient. If you need advanced routing or structured output, consider shipping logs to Loki instead of replacing syslogd.

How do I send logs to a remote server?

Add `*.* @logserver` to /etc/syslog.conf on the client. The base syslogd forwards over UDP only; for a TCP transport, use syslog-ng from ports. On the log server, run syslogd with -a to accept remote messages. See the centralized logging section above.

How long should I keep logs?

Depends on your compliance requirements. General recommendation: 90 days for operational logs, 1 year for security/audit logs. Configure retention via newsyslog's count and size parameters, and the audit subsystem's expire-after directive.

Can I log to a database instead of files?

Not directly with the base syslogd. Use Promtail + Loki for queryable log storage, or install syslog-ng from ports which supports database output. For most use cases, plain text files with Loki indexing provide better operational simplicity than direct database logging.

How do I check who logged into my system?

```sh
# Recent logins
last -20

# Failed login attempts
grep "Failed" /var/log/auth.log

# Currently logged in
who

# Full authentication audit trail
grep -E "session opened|session closed|Accepted|Failed" /var/log/auth.log
```

How do I rotate application logs that are not managed by newsyslog?

Add an entry to /etc/newsyslog.conf or create a file in /usr/local/etc/newsyslog.conf.d/. Specify the log path, permissions, rotation count, size limit, and optionally a PID file and signal to send the application after rotation.
