Hi, Im new to syslogng and want to replace the normal syslogd in solaris with -ng because of the filters. I run postfix on 2 loadbalanced machines and i want to get rid of the healthchecks log entries. I setup a conf file that looks like this: options { long_hostnames(off); # doesn't actually help on Solaris, log(3) truncates at 1024 chars log_msg_size(8192); # buffer just a little for performance sync(1); # memory is cheap, buffer messages unable to write (like to loghost) log_fifo_size(2048); # The time to wait before a dead connection is reestablished (seconds) time_reopen(10); }; ############################################################### source src { sun-stream("/dev/log" door("/etc/.syslog_door")); internal(); }; ############################################################### destination alteon { file("/var/log/alteon"); }; destination notalteon { file("/var/log/notalteon"); }; destination ipf { file("/var/log/ipf.log"); }; ############################################################### filter f_mail { facility(mail); }; filter f_not_mail { not facility(mail); }; filter f_ipf { facility(local0); }; filter f_alteon { match("10.155.68.2") or match("10.155.68.3"); }; filter f_notalteon { not match("10.155.68.2") or not match("10.155.68.3"); }; ############################################################### log { source(src); filter(f_alteon); destination(alteon); }; log { source(src); filter(f_notalteon); destination(notalteon); }; log { source(src); filter(f_ipf); destination(ipf); }; According to this i should log everything that contains 10.155.68.2 or .3 to /var/log/alteon and if it doesnt contain .2 or .3 to /var/log/notalteon and it will also send the ip filter logs to its own log (which works). It seems that f_alteon och f_ipf works. But f_notalteon logs both stuff that does contain .2 and .3 and stuff that doesnt contain .2 and .3 What have i missed? // Kenneth