20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors

Posted on in Categories Howto, Linux, Sys admin, Tips, UNIX last updated February 27, 2016

In Linux and UNIX system services are configured using various text files located in /etc/ or /usr/local/etc/ directory tree. A typical server system could have dozens of configuration files.You can check your configuration files for syntax errors without starting the server and validate all settings. In some cases, it is possible to to check the sanity of the specific data (such as keys) or directories (such as /var/lib/cache/). Text files are easier to manage remotely. You can use ssh and a text editor. If there is an error in configuration, the server may not start. It may result in a disaster. This post explains how to quickly find out a syntax error for popular servers and test configuration file for syntax errors.

Stop! Test Your Server Configuration Before Restarting Unix and Linux Services

The thing about Linux or Unix server is that the smallest typo such as missing semicolon or white space can cause the greatest grief.

  1. The following command line option will not run the server or stop running server, it will just test the configuration file and then exit.
  2. It will check the configuration for correct syntax and then try to open files referred in configuration.
  3. The config file is parsed and checked for syntax errors, along with all files included config file(s) by the server.
  4. In most case you can also specify which configuration file server should use instead of the default.
  5. Once your have verified your configuration files and fixed any errors you can go ahead and reload or restart the server.

A Note About Reloading Servers

The syntax is as follows under Linux:
/sbin/service SERVICE-NAME [reload|restart]
/etc/init.d/SERVICE-NAME [reload|restart]
systemctl reload SERVICE-NAME-HERE
The reload option reloads the config file without interrupting pending operations. For example the following command will reload Apache web server after the config file changes:
# /sbin/service httpd reload
# systemctl reload httpd
However, most Linux and Unix-like daemon programs sometimes use SIGHUP as a signal to restart themselves, the most frequent reason for this being to re-read a configuration file that has been changed. The syntax is as follows:
kill -HUP $(cat /var/run/SERVICE.pid)
kill -HUP `cat /var/run/SERVICE.pid`
Let us see how to test the syntax for various Linux and Unix services.

#1: OpenSSH Server

You can use the following syntax to test OpenSSH config file, type:
# /usr/sbin/sshd -t && echo $?
A sample configuration error session:
# usr/sbin/sshd -t
Sample outputs:

/etc/ssh/sshd_config line 26: Bad yes/without-password/forced-commands-only/no argument: Naa

To print line # 26, enter:
# sed -n '26p' /etc/ssh/sshd_config
Sample outputs:

PermitRootLogin Naa

Use a text editor such as vi to edit the file, enter:
# vi +26 /etc/ssh/sshd_config
Finally update the syntax, enter:

PermitRootLogin No

Save and close the file. Test it again:
# /usr/sbin/sshd -t

OpenSSH Extended Test Mode

Use the -T option to check the validity of the configuration file, output the effective configuration to stdout (screen) and then exit:
# /usr/sbin/sshd -T
See also: Openssh server security best practices for more information.

#2: Apache Web Server

The syntax is as follows to run syntax tests for configuration files only:
# /usr/sbin/apache2 -t
Sample error reporting:

apache2: Syntax error on line 50 of /etc/apache2/apache2.conf: ServerRoot must be a valid directory

On RHEL and friend, enter:
# /usr/sbin/httpd -t
Sample outputs:

Syntax OK

You can also use the apachectl command (pass the configtest or -t option). It will run a configuration file syntax test. It parses the configuration files and either reports Syntax Ok or detailed information about the particular syntax error:
# apachectl configtest
# apachectl -t
Reload Apache server, enter:
# apachectl -k graceful

#3: Nginx Web Server

To run syntax tests for nginx configuration files, enter:
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf

Sample outputs:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful


  • -c /path/to/file : Specify which configuration file Nginx should use instead of the default.
  • -t : Just test the configuration file.

See also: Howto set nginx as a reverse proxy server and top 20 nginx best security practices for more information.

#4: Lighttpd Web Server

To test the config-file, and exit, enter:
# /usr/local/sbin/lighttpd -t -f /usr/local/etc/lighttpd/cyberciti.biz/lighttpd.conf
Sample outputs:

Syntax OK


  • -f filename : Use filename of the config-file.
  • -t : Test config-file.

#5: BIND (named) DNS Server

Use named-checkconf command to check the syntax, but not the semantics. The file is parsed and checked for syntax errors, along with all files included by it
# named-checkconf /etc/named.conf
You can also check bind zone files, enter:
# named-checkzone cyberciti.biz /var/named/zone.cyberciti.biz

#6: Squid Proxy Server

To parse and test configuration file, enter:
# /usr/sbin/squid -k check
# /usr/sbin/squid -k parse

Sample outputs:

2012/03/30 07:44:35| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2012/03/30 07:44:35| Initializing https proxy context

#7: MySQL (mysqld) Database Server

Type the following command:
# mysqld --verbose --help
The above will procduce too much output. I recommend redirecting output to /dev/null and only display error/warning on the screen
# /usr/libexec/mysqld --verbose --help 1>/dev/null
Sample outputs:

120330  7:52:43 [Warning] '--log_slow_queries' is deprecated and will be removed in a future release. Please use ''--slow_query_log'/'--slow_query_log_file'' instead.

You can specify a new configuration file such as /root/test-my.cnf
# mysqld --defaults-file=/root/test-my.cnf --verbose --help 1>/dev/null

#8: Postfix Mail Server (MTA)

Use the following syntax. To warn about bad directory/file ownership or permissions, and create missing directories, enter:
# postfix check
# postfix -vvv
Sample outputs:

postfix: dict_register: mail_dict 1
postfix: dict_update: config_directory = /etc/postfix
postfix: dict_update: queue_directory = /var/spool/postfix
postfix: dict_update: command_directory = /usr/sbin
postfix: dict_update: daemon_directory = /usr/libexec/postfix
postfix: dict_update: data_directory = /var/lib/postfix
postfix: dict_update: mail_owner = postfix
postfix: dict_update: inet_interfaces = localhost
postfix: dict_update: inet_protocols = all
postfix: dict_update: mydestination = $myhostname, localhost.$mydomain, localhost
postfix: dict_update: unknown_local_recipient_reject_code = 550
postfix: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"

You can see errors in maillog log file, enter:
# tail -f /var/log/maillog
Sample outputs:

And it'll run mysqld (or drizzled), parse tMar 30 08:01:34 mx421 postfix[2284]: dict_update: command_directory = /usr/sbin
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: daemon_directory = /usr/libexec/postfix
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: data_directory = /var/lib/postfix
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: mail_owner = postfix
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: inet_interfaces = localhost
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: inet_protocols = all
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: mydestination = $myhostname, localhost.$mydomain, localhost
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: unknown_local_recipient_reject_code = 550
Mar 30 08:01:34 mx421 postfix[2284]: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"
Mar 30 08:01:42 mx421 postfix[2285]: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"he config, report any problems, print help, and exit without initializing storage engines or trying to 

#9: Samba (SMB/CIFS) File Server

Type the following command:
# testparm -v

#10: tcpd

The tcpd program can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and other services that have a one-to-one mapping onto executable files. The tcpdchk command examines your tcp wrapper configuration and reports all potential and real problems it can find:
# tcpdchk
# tcpdchk -a
# tcpdchk -d
# tcpdchk -i /path/to/inetd.conf
# tcpdchk -v


  • -a : Report access control rules that permit access without an explicit ALLOW keyword.
  • -d : Examine hosts.allow and hosts.deny files in the current directory instead of the default ones.
  • -i inet_conf : Specify this option when tcpdchk is unable to find your inetd.conf network configuration file, or when you suspect that the program uses the wrong one.
  • -v : Display the contents of each access control rule. Daemon lists, client lists, shell commands and options are shown in a pretty-printed format; this makes it easier for you to spot any discrepancies between what you want and what the program understands.

#11: dhcpd Server

The Internet Systems Consortium DHCP Server, dhcpd, implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached. BOOTP provides similar functionality, with certain restrictions. To test syntax pass the following option:
# dhcpd -t
# dhcpd -t -cf /path/to/dhcpd.testing.conf
# dhcpd -T
# dhcpd -T -lf /path/to/dhcpd.lease.file


  • -t : The -t flag is specified, the server will simply test the configuration file for correct syntax, but will not attempt to perform any network operations. This can be used to test the a new configuration file automatically before installing it.
  • -T : This flag can be used to test the lease database file in a similar way.
  • -cf /path/to/dhcpd.testing.conf : Use an alternate configuration file called /path/to/dhcpd.testing.conf.
  • -lf /path/to/dhcpd.lease.file : an alternate lease file called -lf /path/to/dhcpd.lease.file

#12: vsftpd FTP Server

vsftpd is the Very Secure File Transfer Protocol daemon. Use the following command to make sure configuration file is free from syntax errors:
# vsftpd
# vsftpd -olisten=NO /path/to/vsftpd.testing.conf
That example overrides vsftpd’s built-in default for the “listen” option to be NO, but then loads settings from /path/to/vsftpd.testing.conf.

#13: Nagios

Nagios is a popular open source computer system monitor, network monitoring and infrastructure monitoring software application. Use the following syntax to run a sanity check on nagios.cfg as follows:
# nagios -v /path/to/testing/nagios.cfg

  • -v : Verify your configuration.

#14: Openntpd Server

The ntpd daemon synchronizes the local clock to one or more remote NTP servers or local timedelta sensors. ntpd can also act as an NTP server itself, redistributing the local time. Use the following syntax to run a sanity check on ntpd.conf:
# ntpd -n
# ntpd -f /usr/local/etc/ntpd.conf -n
# ntpd -d -f /usr/local/etc/ntpd.conf -n


  • -n : Only check the configuration file for validity.
  • -f /usr/local/etc/ntpd.conf : Use /usr/local/etc/ntpd.conf file as the configuration file, instead of the default /etc/ntpd.conf.
  • -d : Do not daemonize and ntpd will run in the foreground and log to stderr.

#15: Xorg – The X11 Server

Linux and Unix like operating systems uses X11 to provide users with a powerful graphical user interface. X11 is a freely available version of the X Window System that is implemented in Xorg. The default xorg.conf is located in /etc/X11 directory. You can build an initial configuration file by simply running the following command:
# Xorg -configure
To test the existing configuration to verify that Xorg can work with the graphics hardware on the target system, enter:
# Xorg -config /path/to/xorg.conf.new -retro
Please note that the new Xorg is largely self-configuring and doesn’t need one. But, if you use proprietary (say Nvidia) or other drives you need to test Xorg syntax using the above described method.

#16: syslogd / rsyslogd

syslogd is Unix / Linux system logging server. rsyslogd is reliable and extended syslogd for modern Linux distros. Rsyslogd is derived from the sysklogd package which in turn is derived from the stock BSD sources. To check for syntax error, type:
# syslogd -f /etc/rsyslog.testing.conf -d
rsyslogd -c4 -f /etc/rsyslog.testing.conf -N 1
Sample outputs:

rsyslogd: version 4.6.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 11:"$FilesOnwer root"
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.testing.conf'. [try http://www.rsyslog.com/e/2124 ]

A sanity check without any errors:

rsyslogd: version 4.6.4, config validation run (level 1), master config /etc/rsyslog.testing.conf
rsyslogd: End of config validation run. Bye.


  • -c4 : Selects the desired backward compatibility mode (in this example it is # 4).
  • -f /etc/rsyslog.testing.conf : Specify an alternative configuration file instead of /etc/rsyslog.conf, which is the default.
  • -d : Debug mode (only use with syslogd)
  • -N 1 : Do a config file check. Do NOT run in regular mode, just check configuration file correctness. This option is meant to verify a config file. The level argument modifies behaviour. Currently, 0 is the same as not specifying the -N option at all (so this makes limited sense) and 1 actually activates the code. Later, higher levels will mean more verbosity (this is a forward-compatibility option).

#17: CUPS Printing System

CUPS is the standards-based, open source printing system developed by Apple, for Mac OS X and other UNIX/Linux-like operating systems. cupsd is the scheduler for CUPS. It implements a printing system based upon the Internet Printing Protocol, version 2.1. To test config files for error type:
# cupsd -f -c /path/to/cupsd.testing.conf -t
Sample outputs:

Unknown directive Loggslevel on line 6.
/etc/cups/cupsd.conf is OK

A sanity check without any errors:

/etc/cups/cupsd.conf is OK


  • -f : Run cupsd in the foreground; the default is to run in the background as a “daemon”.
  • -c /path/to/cupsd.testing.conf : Uses the /path/to/cupsd.testing.conf configuration file.
  • -t :
    Test the configuration file for syntax errors.

#18: slapd Stand-alone LDAP Daemon

OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. To test whether the configuration file is correct or not, type:
# slapd -Tt
# slapd -Tt -f /path/to/slapd-config.conf

  • -Tt : Test for config file errors.
  • -f /path/to/slapd-config.conf : Specifies the slapd configuration file. The default is /etc/openldap/slapd.conf.

#19: varnishd – HTTP Accelerator Daemon

To test varnishd vlc syntax, enter:
# varnishd -C -f /path/to/wordpress.vlc

  • -C : Print VCL code compiled to C language and exit. Specify the VCL file to compile with the -f option.
  • -F /path/to/wordpress.vlc : Use the specified VCL configuration file instead of the builtin default.

#20: exim MTA

Pass the -bV option to exim. If there are any errors in the configuration file, Exim outputs error messages. Otherwise it outputs the version number and build date, the DBM library that is being used, and information about which drivers and other optional code modules are included in the binary.
# exim -bV
Some simple routing tests can be done by using the address testing option. For example,
# exim -bt <local username>
Admin users can test the malware scanning configuration (in Exim >= 4.73) with the -bmalware option:
# exim -bmalware <filename>
Another source of information is running Exim with debugging turned on, by specifying the -d option. If a message is stuck on Exim’s spool, you can force a delivery with debugging turned on by a command of the form
# exim -d -M <exim-message-id>

#21: Bonus tips

Some additional tips:

Bash / KSH Shell Scripts

It is possible to check a bash script syntax without executing it:
$ bash -n ./myscript
Sample outputs:

./myscript<: line 16: syntax error near unexpected token `fi'
./myscript<: line 16: `fi'

$ ksh -n /path/to/backup.ksh
See how to debug a shell script under Linux or UNIX for more information.

FreeBSD/OpenBSD/Apple OS X pf Firewall

The pfctl command used to control the pf firewall and NAT devices under *BSD operating system including Apple OS X. The syntax is as follows to test for errors:
# pfctl -nf /etc/pf.conf


  • -n : Do not load rules from /path/to/pf.testing.conf, just parse them.
  • -f /path/to/pf.testing.conf : Load the firewall rules contained in a file called /path/to/pf.testing.conf.

Command Summary

OpenSSH/usr/sbin/sshd -t && echo $?
/usr/sbin/sshd -T
Apache/usr/sbin/apache2 -t
apachectl configtest
nginx/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
lighttpd/usr/local/sbin/lighttpd -t -f /usr/local/etc/lighttpd/cyberciti.biz/lighttpd.conf
Bind (named server config)named-checkconf /etc/named.conf
Bind (zone syntx)named-checkzone cyberciti.biz /var/named/zone.cyberciti.biz
Squid proxy/usr/sbin/squid -k check
/usr/sbin/squid -k parse
MySQL servermysqld --verbose --help
/usr/libexec/mysqld --verbose --help 1>/dev/null
Postfix MTApostfix check
postfix -vvv
Samba SMB/CIFStestparm -v
tcpdchk -v
dhcpd (DHCP / BOOTP) serverdhcpd -t -cf /path/to/dhcpd.testing.conf
vsftpd servervsftpd -olisten=NO /path/to/vsftpd.testing.conf
nagiosnagios -v /path/to/testing/nagios.cfg
Openntpd NTPD serverntpd -d -f /usr/local/etc/ntpd.conf -n
Xorg (X11 Server)Xorg -config /path/to/xorg.conf.new -retro
syslogd / rsyslogdrsyslogd -c4 -f /etc/rsyslog.testing.conf -N 1
CUPS Printing Systemcupsd -f -c /path/to/cupsd.testing.conf -t
slapd (OpenLDAP)slapd -Tt
varnishdvarnishd -C -f /path/to/wordpress.vlc
exim MTAexim -bV
Bash/Ksh scriptsbash -n ./myscript
ksh -n /path/to/script.ksh
BSD pf firewallpfctl -nf /etc/pf.conf
proftpdproftpd -t -c /path/to/proftpd.testing.conf
Perl scriptsperl -c /path/to/script.pl
perl -wc /path/to/script.pl

I hope you find these tips useful. Have a favorite command to check the Unix / Linux / BSD server config file for any syntax errors and warnings? Let's hear about it in the comments.

26 comment

    1. Thanks for the heads up. To read the proftpd configuration file, report any syntax errors, and exit, run:

      proftpd -t
      proftpd -t -c /path/to/proftpd.testing.conf

      Hope this helps!

      1. Noop. No automatic check exits for IPTables. But, iptables-apply command will try to apply a new ruleset (as output by iptables-save/read by iptables-restore) to iptables, then prompt the user whether the changes are okay. If the new ruleset cut the existing connection, the user will not be able to answer affirmatively. In this case, the script rolls back to the previous ruleset after the timeout expired. The timeout can be set with -t.

        ssh [email protected]
        iptables-apply -t 30 < /root/mynew.rules
  1. Hi Vivek,

    Typo here ? (copy-and-paste not edited, I think)

    Finally update the syntax, enter:
    PermitRootLogin Naa

    Shouldn’t it be :

    PermitRootLogin no 

    Shouldn’t it ?

    — Philippe

  2. Vivek..,
    It’s quite interesting.. I came to know about it through your facebook comment.

    What about this;

    [email protected] ~# /etc/init.d/tomcat7 -t
    Usage: tomcat7 {start|stop|restart|status}

    root ~# /etc/init.d/tomcat7 -T
    Usage: tomcat7 {start|stop|restart|status}

    [[email protected] ~]# /etc/init.d/postgresql-9.1 -t
    Usage: /usr/local/pgsql_9.1/installer/server/startupcfg.sh {start|stop|restart|condrestart|status}

    [[email protected] ~]# /etc/init.d/postgresql-9.1 -T
    Usage: /usr/local/pgsql_9.1/installer/server/startupcfg.sh {start|stop|restart|condrestart|status}

    tomcat7 is manually configured service file for apache tomcat(version 7)

    Is there any way to handle this ?

  3. Hi,
    Thanks a lot …very nice & useful article..

    if possible, send a new article about other well known services

  4. Alternative to @smilyface suggested “-T” option, is just use service without an option. This gives all possible options similar to the previous mentioned “-T” option, which helps discover the check syntax/config options.

    $ service postfix
    Usage: /etc/init.d/postfix {start|stop|restart|reload|abort|flush|check|status|condrestart}

    $ service postfix check
    [ OK ]

    # service httpd
    Usage: httpd {start|stop|restart|condrestart|try-restart|force-reload|reload|status|fullstatus|graceful|help|configtest}

    # service httpd configtest
    httpd: apr_sockaddr_info_get() failed for xx.xx.xx
    httpd: Could not reliably determine the server’s fully qualified domain name, using for ServerName
    Syntax OK

    1. The service command can be useful but you should be aware of what you are actually running. Check the /etc/init.d/servicename file and verify that its not sending kill signals to the app if you are just wanting to test your config file.

  5. Very good article. THis will mantain my servers active when modifying config files. Little Typo: In the second command-line code after OpenSHH, isn’t it “# /usr/sbin/sshd -t” instead of “# usr/sbin/sshd -t”?

  6. #5: BIND (named) DNS Server

    Checking binds configuration and all zones can be done in a single step with

    named-checkconf -z
  7. Logrotate is often forgotten. Syntax errors may result in log rotation failing for some or all logs.

    The standard configuration file is /etc/logrotate.conf and includes the files in /etc/logrotate.d/. Logrotate will also attempt to process any backup files left in /etc/logrotate.d/. Syntactical errors will result in logrotate quitting at the file containing the error and not continuing. Duplicate log entries will also result in logrotate stopping.

    Fortunately, there’s an easy test:

    logrotate -d /etc/logrotate.conf
  8. Verifying configs for invalid characters – Take your “cat” to the -vet.

    Sensitive configuration files, like RHCS cluster.conf, do not play well with invalid characters in the file. Viewing the file with ‘cat’ and the -vet flags “show-nonprinting, display $ at end of each line, and display TAB characters as ^I” will reveal potential, unexplainable problems.

    # cat -vet cluster.conf

Leave a Comment