5.2. Use of syslog(3)

Only rarely should error information be directed to the user. Usually, this is to be limited to “sorry you cannot login now” type messages. Information concerning errors in the configuration file, /etc/pam.conf, or due to some system failure encountered by the module, should be written to syslog(3) with facility-type LOG_AUTHPRIV.

With a few exceptions, the level of logging is at the discretion of the module developer. Here is the recommended usage of different logging levels:

  • As a general rule, errors encountered by a module should be logged at the LOG_ERR level. However, information regarding an unrecognized argument passed to a module from an entry in the /etc/pam.conf file is required to be logged at the LOG_ERR level.

  • Debugging information, as activated by the debug argument to the module in /etc/pam.conf, should be logged at the LOG_DEBUG level.

  • If a module discovers that its personal configuration file, or some system file it uses for information, is corrupted or somehow unusable, it should indicate this by logging messages at level LOG_ALERT.

  • Shortages of system resources, such as a failure to manipulate a file or malloc() failures, should be logged at level LOG_CRIT.

  • Authentication failures associated with an incorrectly typed password should be logged at level LOG_NOTICE.
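
The following sketch is an added example, not code from Linux-PAM: it maps each class of event in the list above to its recommended level and logs unrecognized pam.conf arguments at LOG_ERR while parsing them. The module name pam_example and every mod_*, EV_* and MOD_* identifier are hypothetical; only syslog(3) and the LOG_* constants are real.

```c
#include <string.h>
#include <syslog.h>

/* Hypothetical names for this example; not part of the Linux-PAM API. */
enum mod_event { EV_MODULE_ERROR, EV_BAD_ARGUMENT, EV_DEBUG,
                 EV_CORRUPT_FILE, EV_RESOURCE, EV_AUTH_FAILURE };
#define MOD_DEBUG 0x1 /* set by the "debug" module argument */

/* Level recommended by the list above for each class of event. */
int mod_level(enum mod_event ev)
{
    switch (ev) {
    case EV_DEBUG:        return LOG_DEBUG;
    case EV_CORRUPT_FILE: return LOG_ALERT;
    case EV_RESOURCE:     return LOG_CRIT;
    case EV_AUTH_FAILURE: return LOG_NOTICE;
    default:              return LOG_ERR; /* module errors, bad arguments */
    }
}

/* Log one event to LOG_AUTHPRIV. Returns the level used, or -1 when a
   debug message is suppressed because "debug" was not given. */
int mod_log(int ctrl, enum mod_event ev, const char *what, const char *detail)
{
    if (ev == EV_DEBUG && !(ctrl & MOD_DEBUG))
        return -1;
    int level = mod_level(ev);
    /* Fixed format string: detail may originate from pam.conf or the user.
       Callers pass the user name or file name here, never the password. */
    syslog(LOG_AUTHPRIV | level, "pam_example: %s: %s", what, detail);
    return level;
}

/* Parse the arguments of a pam.conf entry. Returns the control flags and
   stores the number of unrecognized arguments, each logged at LOG_ERR. */
int mod_parse_args(int argc, const char **argv, int *unknown)
{
    int ctrl = 0;
    *unknown = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0) {
            ctrl |= MOD_DEBUG;
        } else {
            mod_log(ctrl, EV_BAD_ARGUMENT, "unrecognized argument", argv[i]);
            (*unknown)++;
        }
    }
    return ctrl;
}
```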