With the following configuration source local { unix-stream("/dev/log" max-connections(200)); file("/proc/kmsg" log_prefix("kernel: ")); internal(); }; template standard_file { template("$ISODATE $FULLHOST $FACILITY.$LEVEL $PRI $MESSAGE\n"); template_escape(no); }; destination auth.log { file("/var/syslog/auth.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); }; destination unknown.log { file("/var/syslog/unknown.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); }; destination test.log { file("/var/syslog/test.log.$YEAR$MONTH$DAY.000000" perm(0640) template(standard_file) ); }; filter f_auth { facility(auth); }; filter f_local1 { facility(local1); }; filter f_ldap { program(^slapd); }; # ****** PROBLEM LOG LINE **** log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); }; # ****** PROBLEM LOG LINE **** log { source(local); filter(f_auth); destination(auth.log); }; # safegaurd to catch anything missed by other filters log { source(local); destination(unknown.log); flags(fallback); }; all of the log messages with the facility of auth go into the unknown.log file. If I remove the problematic log line (to test.log) or change the order of its filters or change the first filter to be other than f_local1 (even changing the f_local1 filter to match a different facility) then everything works as expected. All of these work fine # ----------------------------------------------------- filter f_auth { facility(auth); }; filter f_local1 { facility(local1); }; filter f_ldap { program(slapd); }; log { source(local); filter(f_auth); filter(f_ldap); destination(test.log); }; # ----------------------------------------------------- filter f_auth { facility(auth); }; filter f_local1 { facility(local1); }; filter f_ldap { program(slapd); }; # log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); }; # ----------------------------------------------------- filter f_auth { facility(auth); }; filter f_local1 { facility(local0); }; filter f_ldap { program(^slapd); }; log { source(local); filter(f_local1); filter(f_ldap); destination(test.log); }; # ----------------------------------------------------- filter f_auth { facility(auth); }; filter f_local1 { facility(local1); }; filter f_ldap { program(^slapd); }; filter f_test { facility(local1) and program(^sldapd); }; log { source(local); filter(f_test); destination(test.log); }; So, how is the first example going wrong? Evan.