Simple syslogd.conf question

[tcn]

Hi,

I am trying to organize my log files. I wish to have server logs separate from my firewall and my multimedia system.

My configuration is pretty simple and to my understanding, should work.

Here is my syslog.conf

# $FreeBSD: src/etc/syslog.conf,v 1.30.4.1.2.1 2011/11/11 04:20:22 kensmith Exp $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.

!-192.168.13.1,192.168.13.6
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
ftp.info                                        /var/log/xferlog
cron.*                                          /var/log/cron
*.=debug                                        /var/log/debug.log
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice

!ppp
*.*                                             /var/log/ppp.log


!+192.168.13.1
local0.*                                        /var/log/modem/firewall
local1.*                                        /var/log/modem/vpn
local2.*                                        /var/log/modem/activity
local3.*                                        /var/log/modem/dialup
local4.*                                        /var/log/modem/wan
local5.*                                        /var/log/modem/dsl
local6.*                                        /var/log/modem/other


!+192.168.13.6
*.*                                             /var/log/playonhd

Now, from the manual, I have four blocks, one that shouldn't include hosts 192.168.13.1 and 192.168.13.6, one that is for the program ppp, one for host 192.168.13.1 and finally, one for 192.168.13.6.

The problem is that /var/log/messages keeps on logging 192.168.13.6 (probably 192.168.13.1 would be also if the assigned facilities were sent).

Is this normal behavior? Is the '*' grabbing both programs and hosts despite the block's rules?

Thanks,

tcn

 

[tcn]

[solved]

Just wanted to share in case people were wondering what I was talking about. The problem is in the syntax. Programs are followed with a '!' but not hosts. The proper syslog.conf syntax becomes:

# $FreeBSD: src/etc/syslog.conf,v 1.30.4.1.2.1 2011/11/11 04:20:22 kensmith Exp $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.

-192.168.13.1,192.168.13.6
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
ftp.info                                        /var/log/xferlog
cron.*                                          /var/log/cron
*.=debug                                        /var/log/debug.log
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
+*

!ppp
*.*                                             /var/log/ppp.log
!*

+192.168.13.1
local0.*                                        /var/log/modem/firewall
local1.*                                        /var/log/modem/vpn
local2.*                                        /var/log/modem/activity
local3.*                                        /var/log/modem/dialup
local4.*                                        /var/log/modem/wan
local5.*                                        /var/log/modem/dsl
local6.*                                        /var/log/modem/other


+192.168.13.6
*.*                                             /var/log/playonhd

Note that I also added +* and !* to reset the block's behavior.