Hi,

We run a rather large network, and are looking at running a secured machine for syslog, running syslog-ng hopefully. Obviously, we want to separate out the log files for each host. Due to the number of hosts, this looks most easily done with the latest beta having the $HOST variable. So it's syslog-ng 1.3.6 on Debian running 2.2.12.

I made a rough fast configuration (see below). The idea is that the files end up in /syslog/hostname/file. Now, I've turned long_hostnames(on) which I guessed (docs are rather vague on most things) would make it use long host names for comparisons. To test, I didn't create the /syslog/name directories, and ran syslog-ng -d -v and it came up with "unable to open /syslog/max1/debug". Obviously this is incorrect as I wanted it to have a long host name.

I thought the obvious method here is to just remove hostnames altogether, and use IP addresses (we use IPs for all RADIUS related stuff, to stop DNS dependency). So I remove resolv.conf and restart it with syslog-ng -d -v, and this time it comes up with "unable to open /syslog/1.1.1.1/debug", which is fine. So I create the directory 1.1.1.1 and restart the daemon, and now it comes up with "unable to write to /syslog/1.1.1.1/debug, its a directory". I switch the names back on and try, and it writes the file fine under /syslog/max1/debug. Turn names off again, and once again it will not write the file.

Any ideas? Or is this a bug that may be fixed soon =) The program looks great from where I am standing, if I could sort out this problem.

My other annoyance is that it does partial name matches, unless there is some way to turn this off that I haven't come across. Even with IP addresses, using host(1.1.1.1) matches 1.1.1.1 and 1.1.1.10, 100, 101 etc. etc.

Any help greatly appreciated.

---
Nigel Bovey
IHUG Network Operations Team

--------------------------------------------------------------------------

options {
    long_hostnames(on);
    sync(0);
};

source src {
    unix-stream("/dev/log");
    internal();
    udp(ip(0.0.0.0) port(514));
};

# filters
filter f_auth { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn); };
filter f_emergency { level(emerg); };

# destinations
destination auth { file("/syslog/$HOST/auth"); };
destination cron { file("/syslog/$HOST/cron"); };
destination daemon { file("/syslog/$HOST/daemon"); };
destination kern { file("/syslog/$HOST/kern"); };
destination lpr { file("/syslog/$HOST/lpr"); };
destination mail { file("/syslog/$HOST/mail"); };
destination user { file("/syslog/$HOST/user"); };
destination uucp { file("/syslog/$HOST/uucp"); };
destination news { file("/syslog/$HOST/news"); };
destination debug { file("/syslog/$HOST/debug"); };
destination emergency { file("/syslog/$HOST/emergency"); };
destination messages { file("/syslog/$HOST/messages"); };

# log statements
log { source(src); filter(f_auth); destination(auth); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(emergency); };
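
An added example, not part of the original post and not syslog-ng code: a small Python check that audits a host inventory for the partial matches described above. It assumes host() treats its argument as an unanchored regular expression, which is consistent with host(1.1.1.1) also matching 1.1.1.10; the inventory and all function names are constructed for illustration.

```python
import re

# Constructed sample inventory; the addresses echo the ones in the post.
INVENTORY = ["1.1.1.1", "1.1.1.10", "1.1.1.100", "1.1.1.101", "1.1.1.2"]


def host_filter_matches(pattern, host):
    """Emulate an unanchored regex host() filter (assumed semantics)."""
    return re.search(pattern, host) is not None


def anchored(literal):
    """Build an exact-match pattern for a hostname or IP address.

    Dots are written as [.] so they match only a literal dot, and the
    pattern is anchored at both ends so 1.1.1.1 cannot match 1.1.1.10.
    Only dots are neutralised, which is enough for names made of
    letters, digits, hyphens and dots.
    """
    return "^" + literal.replace(".", "[.]") + "$"


def collisions(inventory, make_pattern):
    """Map each host to the other inventory hosts its filter also catches."""
    found = {}
    for host in inventory:
        pattern = make_pattern(host)
        extra = [h for h in inventory
                 if h != host and host_filter_matches(pattern, h)]
        if extra:
            found[host] = extra
    return found


if __name__ == "__main__":
    print("raw patterns, as in host(1.1.1.1):")
    for host, extra in collisions(INVENTORY, lambda h: h).items():
        print("  %s also captures logs from %s" % (host, ", ".join(extra)))

    # An unescaped dot is a wildcard as well, so this also matches.
    print("1.1.1.1 matches 1.101.1.1:",
          host_filter_matches("1.1.1.1", "1.101.1.1"))

    print("anchored patterns:")
    for host in INVENTORY:
        print("  %-10s -> %s" % (host, anchored(host)))
    print("collisions after anchoring:", collisions(INVENTORY, anchored))
```
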