On Sat, 2 May 2015 16:03:51 -0700
Philip Guenther <guent...@gmail.com> wrote:

> On Sat, May 2, 2015 at 3:55 PM, Marko Cupać <marko.cu...@mimar.rs>
> wrote:
> > I have a pair of firewalls with identical syslog.conf files. Nothing
> > special, just removed all the comments, and added a few lines for
> > npppd log redirection:
> ...
> > If I rsync syslog.conf from one firewall to another and restart
> > syslogd, everything works as expected. However, if I list file
> > contents with cat in ssh session on one firewall and paste it in vi
> > in ssh session on another one, although I get expected terminal
> > output:
> ...
> > Only syslogd exiting (and not consequent start) is logged:
> > May  3 00:36:57 nat2 syslogd: exiting on signal 15
> >
> > After this syslogd is shown as running but nothing gets logged
> > to messages, authlog etc.
> ...
> > Is this just my system or someone can reproduce this? What could be
> > the reason for this?
> 
> So the results for a file scp'ed differs from one copy-n-pasted.  Did
> you consider using diff on the resulting files to see how they
> differed?
> 
> The syntax of syslog.conf treats tabs differently than spaces.  When
> you cat, then copy and paste, you're almost certainly converting the
> tabs to spaces.
> 
> Or it could be something completely different that diff will reveal.
> 
> 
> Philip Guenther

Hi Philip,

thank you for looking into it.

Here's the diff:

pacija@nat2:~ $ diff -u syslog.conf syslog.conf.copy 
--- syslog.conf Sun May  3 01:05:33 2015
+++ syslog.conf.copy    Sun May  3 01:06:03 2015
@@ -1,15 +1,15 @@
-#      $OpenBSD: syslog.conf,v 1.17 2005/05/25 07:35:38 david Exp $
+#       $OpenBSD: syslog.conf,v 1.17 2005/05/25 07:35:38 david Exp $
 # npppd by pacija
 !!npppd
-*.*                                                    /var/log/npppd
+*.*                                                     /var/log/npppd
 !*
-*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        
/var/log/messages
-kern.debug;syslog,user.info                            /var/log/messages
-auth.info                                              /var/log/authlog
-authpriv.debug                                         /var/log/secure
-cron.info                                              /var/cron/log
-daemon.info                                            /var/log/daemon
-ftp.info                                               /var/log/xferlog
-lpr.debug                                              /var/log/lpd-errs
-mail.info                                              /var/log/maillog
-*.emerg                                                        *
+*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
+kern.debug;syslog,user.info                             /var/log/messages
+auth.info                                               /var/log/authlog
+authpriv.debug                                          /var/log/secure
+cron.info                                               /var/cron/log
+daemon.info                                             /var/log/daemon
+ftp.info                                                /var/log/xferlog
+lpr.debug                                               /var/log/lpd-errs
+mail.info                                               /var/log/maillog
+*.emerg                                                 *
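Review bot: every -/+ pair in this hunk, from the $OpenBSD header comment down to `*.emerg`, differs only in the run of whitespace between the selector and the action, and plain `diff -u` output does not show which side holds tabs and which holds spaces. Compare the two files with whitespace made visible (for example through `cat -t`, which prints each tab as ^I), and restore tab-only separators in syslog.conf.copy before it is installed, since the man page sentence quoted below requires tabs between the two fields.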

So, clearly there are differences (probably tabs and spaces as you
say). I see in the syslog.conf man page that "The selector field is
separated from the action field by one or more tab characters." Spaces
aren't mentioned.

So, while I agree I should read the man page and respect the instruction
about tabs, it appears it is quite easy to make a mistake and end up with
a system that does not log, without obvious reason.

Is 'tabs only' really necessary? Why are spaces bad? pf for example does
not seem to care if I use spaces or tabs.

Also, wouldn't it be good to have a mechanism to parse the conf file and
warn that no logging will be done instead of just throwing 'syslogd (ok)'
and quitting all the logging?

Regards,
-- 
Marko Cupać
https://www.mimar.rs
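
A pre-restart check of the kind asked about at the end of the message, as an added example (not part of the thread and not OpenBSD code): a shell function that flags rules whose selector and action are not separated by tabs only, following the man page sentence quoted above. The names `lint_syslog_conf` and `make_sample` and the sample input are constructed for illustration, and it assumes `#` and `!` lines are the only non-rule lines, as in the diff.

```shell
#!/bin/sh
# Added example: enforce the rule quoted from the syslog.conf man page in the
# thread: selector and action separated by one or more tab characters.

# lint_syslog_conf [FILE...]  (reads stdin when no file is given)
# Prints one line per suspect rule and returns 1 if any was found.
lint_syslog_conf() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)          # ignore leading indentation
    }
    # Skip blank lines, comments and "!prog" block headers (assumption:
    # these are the only non-rule line types, as in the diff).
    line == "" || line ~ /^[#!]/ { next }
    {
        # The separator is the first run of blanks after the selector.
        if (!match(line, /[ \t]+/)) {
            printf "line %d: no action field: %s\n", FNR, $0
            bad = 1
            next
        }
        if (index(substr(line, RSTART, RLENGTH), " ") > 0) {
            printf "line %d: space in separator, tabs required: %s\n", FNR, $0
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: line 5 has spaces where the tabs were, as happens when
# a file is copied out of a terminal and pasted into an editor.
make_sample() {
    printf '%s\n' '# constructed sample' '!!npppd'
    printf '*.*\t\t/var/log/npppd\n!*\n'
    printf 'auth.info        /var/log/authlog\n'
    printf '*.emerg\t*\n'
}

make_sample | lint_syslog_conf || echo "fix syslog.conf before restarting syslogd"
```

Running it on the edited file before syslogd is restarted turns a silent loss of logging into a visible, non-zero exit status.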
