The comments in etc/syslog.conf describe partially log-client setup and partially log-host setup and use UDP. I think it would be better to focus on "loghost-client" setup in the default config, the server options needed seem better described in syslogd(8) than in comments in syslog.conf. Since we have nice TLS features I think it makes sense to advertise them here too, and remove the mention of ISDN which makes it seem dated.
any comments? OK? Index: syslog.conf =================================================================== RCS file: /cvs/src/etc/syslog.conf,v retrieving revision 1.20 diff -u -p -r1.20 syslog.conf --- syslog.conf 27 Dec 2016 13:38:14 -0000 1.20 +++ syslog.conf 9 Oct 2021 11:48:35 -0000 @@ -22,13 +22,10 @@ mail.info /var/log/maillog # Everyone gets emergency messages. #*.emerg * -# Uncomment to log to a central host named "loghost". You need to run -# syslogd with the -u option on the remote host if you are using this. -# (This is also required to log info from things like routers and -# ISDN-equipment). If you run -u, you are vulnerable to syslog bombing, -# and should consider blocking external syslog packets. -#*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @loghost -#auth,daemon,syslog,user.info;authpriv,kern.debug @loghost +# Uncomment to log to a central host named "loghost" using syslog-tls. +# Other protocols are available, see syslogd(8). +#*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @tls://loghost +#auth,daemon,syslog,user.info;authpriv,kern.debug @tls://loghost # Uncomment to log messages from doas(1) to its own log file. Matches are done # based on the program name.