5.2 Use of syslog(3)

Only rarely should error information be directed to the user. Usually, this is to be limited to ``sorry you cannot login now'' type messages. Information concerning errors in the configuration file, /etc/pam.conf, or due to some system failure encountered by the module, should be written to syslog(3) with facility-type LOG_AUTHPRIV.

With a few exceptions, the level of logging is, at the discretion of the module developer. Here is the recommended usage of different logging levels:

• As a general rule, errors encountered by a module should be logged at the LOG_ERR level. However, information regarding an unrecognized argument, passed to a module from an entry in the /etc/pam.conf file, is required to be logged at the LOG_ERR level.
• Debugging information, as activated by the debug argument to the module in /etc/pam.conf, should be logged at the LOG_DEBUG level.
• If a module discovers that its personal configuration file or some system file it uses for information is corrupted or somehow unusable, it should indicate this by logging messages at level, LOG_ALERT.
• Shortages of system resources, such as a failure to manipulate a file or malloc() failures should be logged at level LOG_CRIT.
• Authentication failures, associated with an incorrectly typed password should be logged at level, LOG_NOTICE.