shorewall logging, but not to syslog

2 votes
1 answer
1870 views
I have a Debian 9.1 installation I'm using as a NAT router. Shorewall version 5.0.15.6-1, Linux kernel version 4.9+80+deb9u1. There are two network interfaces. The routing functions are all working correctly. I would like to log connections and rejections to a log file, but not via syslog, as *everything* else goes there. I've read http://shorewall.org/shorewall_logging.html and followed it as well as I may, and other documents I've found are all about peripheral cases. However, my ulog log file is empty, and netfilter msgs are still going to /var/log/kern.log.

Here are some excerpts from relevant config files:

/etc/shorewall/params

    ETH1=br1
    LOG="NFLOG(1,,)"

/etc/shorewall/shorewall.conf

    LOGFILE=/var/log/shorewall-run.log
    LOGFORMAT="Shorewall:%s:%s:"
    MACLIST_LOG_LEVEL=$LOG
    RPFILTER_LOG_LEVEL=$LOG
    SFILTER_LOG_LEVEL=$LOG
    SMURF_LOG_LEVEL=$LOG
    STARTUP_LOG=/var/log/shorewall-init.log
    TCP_FLAGS_LOG_LEVEL=$LOG

/etc/shorewall/rules

    ACCEPT:$LOG  loc  $FW  tcp  5509
    ACCEPT:$LOG  net  $FW  tcp  5509
    ACCEPT       loc  $FW  udp  53
    ACCEPT       loc  $FW  tcp  53

The /etc/ulogd.conf is stock; it's the same as from /usr/share/doc/ulogd2/examples/ulogd.conf.gz.

I'm not getting any compilation errors when I run shorewall restart, and, as in the rules sample above, I am getting syslog messages for connections to 5509, but not 53. The log entries are just going to the wrong place. What am I doing wrong?
Asked by William (345 rep)
Mar 19, 2018, 07:23 PM
Last activity: Oct 3, 2020, 12:51 PM
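As an added diagnostic (not part of the question, nor Shorewall's or ulogd's own tooling): a POSIX shell check that compares the `--nflog-group` numbers present in the loaded ruleset with the groups that the uncommented `stack=` lines of a ulogd.conf actually bind, since a rule logging to a group no active ulogd NFLOG input listens on never produces a line in the ulogd log file. The ruleset line and the ulogd.conf below are constructed samples; the parser assumes ulogd's `stack=name:PLUGIN,...` and `[name]` / `group=` syntax.

```shell
# Distinct NFLOG group numbers referenced by iptables-save output ($1).
ruleset_nflog_groups() {
    printf '%s\n' "$1" | awk '/-j NFLOG/ {
        for (i = 1; i <= NF; i++) if ($i == "--nflog-group") print $(i + 1) }' |
        sort -un
}
# Groups bound by NFLOG inputs named in uncommented stack= lines of ulogd.conf ($1).
# An NFLOG instance without a group= setting listens on group 0 (ulogd's default).
ulogd_nflog_groups() {
    awk '
        { sub(/#.*/, "") }                      # drop comments, incl. "#stack=" lines
        /^[ \t]*stack[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, part, ",")
            for (i = 1; i <= n; i++) { split(part[i], kv, ":"); gsub(/[ \t]/, "", kv[1])
                if (kv[2] ~ /^[ \t]*NFLOG[ \t]*$/) want[kv[1]] = 1 }
        }
        /^[ \t]*\[/ { sec = $0; gsub(/[^A-Za-z0-9_]/, "", sec) }   # "[log1]" -> log1
        /^[ \t]*group[ \t]*=/ && (sec in want) {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t].*/, ""); print; got[sec] = 1 }
        END { for (s in want) if (!(s in got)) print 0 }
    ' "$1" | sort -un
}
# Returns 0 when every group the ruleset logs to has an active ulogd consumer.
# Real use on the router: check_nflog_groups "$(iptables-save)" /etc/ulogd.conf
check_nflog_groups() {
    rc=0
    for g in $(ruleset_nflog_groups "$1"); do
        if ulogd_nflog_groups "$2" | grep -qx "$g"; then
            echo "NFLOG group $g: consumed by an active ulogd stack"
        else
            echo "NFLOG group $g: no active ulogd NFLOG input bound to it" >&2
            rc=1
        fi
    done
    return $rc
}
# Constructed sample: a rule logging to group 1 (what LOG="NFLOG(1,,)" yields)
# and a ulogd.conf whose only enabled stack binds group 0.
SAMPLE_RULES='-A net-fw -p tcp --dport 5509 -j NFLOG --nflog-prefix "Shorewall:net-fw:ACCEPT:" --nflog-group 1'
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
stack=log1:NFLOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
[log1]
group=0
EOF
check_nflog_groups "$SAMPLE_RULES" "$SAMPLE_CONF" || echo "mismatch: the ulogd log file would stay empty"
```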