Syslog.conf issue

I'm trying to get all ipfw logs going to ipfw.log. I've managed that, but ipfw.log is also getting stuff that shows up in system.log.

!-ipfw
*.notice;authpriv,remoteauth,ftp,install,internal.none  /var/log/system.log
kern.*                                                  /var/log/kernel.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit            /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth.info;authpriv.*;remoteauth.crit                    /var/log/secure.log

lpr.info                                                /var/log/lpr.log
mail.*                                                  /var/log/mail.log
ftp.*                                                   /var/log/ftp.log
install.*                                               /var/log/install.log
install.*                                               @127.0.0.1:32376
local0.*                                                /var/log/appfirewall.log

*.emerg                                                 *

!ipfw
*.*                                                     /var/log/ipfw.log

I've seen various examples with a !* at the end, or before !ipfw, or after the system.log line, but none seem to work.

Yes, syslog can send the same message to many files. Each file has to filter for itself.

Sorry, I'm not grokking what you're saying :)

If one log file gets *.* then it will capture all the messages in other files. This allows files with varying levels of detail.

Still not following.

AFAIK, the "!-ipfw" is saying, "Anything but ipfw logs." And then, at the bottom, "!ipfw" would be, "OK, start worrying about those logs again."

The last line to log *.* to ipfw.log works the way I would expect... only ipfw logs are left, so *.* goes to ipfw.log and all is well. My issue is that the ipfw logs are also showing up in system.log. I'm probably not understanding exactly what the "!-ipfw" and "!ipfw" are doing, but I haven't found any docs that specifically talk about them, only vague references.

The config is message-centric; the sections are just for organization. Levels of detail always include coarser levels: syslog.conf(5)

The comparison flags may be used to specify exactly what is logged. The default comparison is "=>" (or, if you prefer, ">="), which means that messages from the specified facility list, and of a priority level equal to or greater than level will be logged. Comparison flags beginning with "!" will have their logical sense inverted. Thus "!=info" means all levels except info and "!notice" has the same meaning as "<notice".
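The comparison flags quoted from syslog.conf(5) above, worked through as an added example that is not part of the thread: a small Python evaluator for the selector field (`facility.level`) of a syslog.conf line. The function names are hypothetical, the rule that a later `;`-separated selector replaces an earlier one for the same facility is an assumption modelled on BSD syslogd, and program blocks such as `!ipfw` are not modelled.

```python
# Added example: evaluates only the selector field of a syslog.conf line.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Higher number = more severe, so ">" reads as "more severe than".
SEVERITY = {name: len(LEVELS) - i for i, name in enumerate(LEVELS)}

def parse_level(spec):
    """Split '[!][<=>]level' into (set of comparison flags, level name)."""
    invert = spec.startswith("!")
    if invert:
        spec = spec[1:]
    flags = set()
    while spec and spec[0] in "<=>":
        flags.add(spec[0])
        spec = spec[1:]
    if not flags:
        flags = {"=", ">"}            # default comparison "=>"
    if invert:
        flags = set("<=>") - flags    # "!" inverts the logical sense
    return flags, spec

def level_matches(spec, msg_level):
    """True if a message at msg_level passes the level part of a selector."""
    flags, level = parse_level(spec)
    if level == "none":
        return False                  # facility explicitly excluded
    if level == "*":
        return True                   # every level
    m, t = SEVERITY[msg_level], SEVERITY[level]
    return (("=" in flags and m == t) or
            (">" in flags and m > t) or
            ("<" in flags and m < t))

def selector_matches(selector, facility, msg_level):
    """Apply ';'-separated selectors in order (assumption: the last one
    that names the facility decides)."""
    result = False
    for part in selector.split(";"):
        facilities, _, spec = part.rpartition(".")
        names = facilities.split(",")
        if "*" in names or facility in names:
            result = level_matches(spec, msg_level)
    return result

if __name__ == "__main__":
    # Selector copied from the system.log line in the config above.
    system_log = "*.notice;authpriv,remoteauth,ftp,install,internal.none"
    for fac, lvl in [("kern", "notice"), ("kern", "info"), ("authpriv", "err")]:
        print(fac, lvl, selector_matches(system_log, fac, lvl))
```
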