Can anyone see anything blatantly wrong with this? The goal is to syslog as usual, but to forward firewall messages to a different server. Thanks for looking all. James @version:3.3.5 options { use_dns(no); flush_lines(0); stats_freq(43200); }; source s_local { unix-stream("/dev/log"); udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514)); file("/proc/kmsg"); }; destination d_file { file("/var/log/messages"); }; destination d_syslogserver { udp ("x.x.x.x", port(7514)); }; filter f_syslogfilter { not ( message("0x0004") or message("169\.254\.") or message("192\.168\.") ); }; filter f_firewall { message("ASA-4-71005") or message("ASA-2-106100") }; log { source(s_local); filter(f_syslogfilter); destination(d_file); }; log { source(s_local); filter(f_firewall); destination(d_syslogserver); };