I found a clean way to use swatch to watch all your syslog messages from syslog-ng. Normally you need to tell swatch to tail a file, so if you want swatch to watch all your logs you have to either send all messages to one file or run multiple instances of swatch.

I came up with this tonight:

    # hack to get swatch to read from stdin
    destination swatch {
        program("/usr/bin/swatch --read-pipe=\"cat /dev/fd/0\"");
    };

    # send all logs to swatch
    log {
        source(src);
        destination(swatch);
    };

The source "src" is all my logs on that box.

This works like a charm, and if syslog-ng is restarted, so is swatch, so you don't need to worry about HUP'ing/restarting swatch - ever!

This way you can let swatch monitor your logs instead of using match() directives - since swatch has built-in throttling on alerts, I find it nicer to use. swatch keeps my pager from going nuts after the first message which caused the alarm; subsequent messages are ignored for a defined amount of time, using the "throttle" feature.

--
Nate Campi
http://www.campin.net
GnuPG key: 0xC17AEF79
Key fingerprint = BF12 722F 8799 E614 33CC FAB7 5A90 C464 C17A EF79

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" -- Albert Einstein.
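The throttling behaviour described in the message above, sketched as an added example that is not part of the original post and is not swatch's own code: the first line matching a rule raises an alert, and further matches for that rule are dropped until the window has passed. The rule names, patterns, window lengths, the per-rule throttle key and the sample log lines are all constructed for illustration.

```python
import re
import sys
from datetime import datetime, timedelta

# Hypothetical rules (name, pattern, throttle window); this is not swatch syntax.
RULES = [
    ("ssh-auth-failure", re.compile(r"sshd\[\d+\]: Failed password"), timedelta(minutes=30)),
    ("disk-error", re.compile(r"kernel: .*I/O error"), timedelta(minutes=5)),
]

# Constructed sample lines in classic BSD syslog format.
SAMPLE = """\
Mar  3 02:10:01 web1 sshd[411]: Failed password for root from 192.0.2.7 port 4022 ssh2
Mar  3 02:10:04 web1 sshd[411]: Failed password for root from 192.0.2.7 port 4022 ssh2
Mar  3 02:12:30 db1 kernel: sda: I/O error, dev sda, sector 1234
Mar  3 02:25:00 web2 sshd[902]: Failed password for admin from 192.0.2.9 port 5111 ssh2
Mar  3 02:41:00 web1 sshd[500]: Failed password for root from 192.0.2.7 port 4100 ssh2
""".splitlines()

def parse_time(line, year=2024):
    # BSD syslog timestamps carry no year, so one is assumed here.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def process(lines, rules=RULES):
    """Return the (rule, line) pairs that would page someone."""
    last_alert = {}  # rule name -> time of the last alert actually sent
    alerts = []
    for line in lines:
        for name, pattern, window in rules:
            if not pattern.search(line):
                continue
            try:
                now = parse_time(line)
            except ValueError:
                break  # matched, but no usable timestamp: skip the line
            prev = last_alert.get(name)
            # Assumption: the window is measured from the last alert sent,
            # so suppressed lines do not extend it.
            if prev is None or now - prev >= window:
                last_alert[name] = now
                alerts.append((name, line))
            break  # first matching rule wins
    return alerts

if __name__ == "__main__":
    # Read piped input the way a program() destination would feed it;
    # fall back to the constructed sample when run from a terminal.
    lines = SAMPLE if sys.stdin.isatty() else (l.rstrip("\n") for l in sys.stdin)
    for name, line in process(lines):
        print(f"ALERT [{name}] {line}")
```

Of the four SSH failures in the sample, only the first and the one 31 minutes later produce alerts; the two in between fall inside the 30-minute window.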