Hi,

I don't know why this is happening, but spurious path is the following:
https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe...

For each opened file, syslog-ng checks some malicious patterns in the file name for security reasons. If an attacker could inject `../../../` like macros, that could lead to writing some unwanted system critical files. File paths containing `../` or `/..` are called spurious paths in syslog-ng.

Br,
Antal

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Pal, Laszlo <vlad@vlad.hu>
Sent: Monday, March 2, 2020 10:42
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Spurious path, logfile not created; path=

Hi,

For one of my hosts, I can see lots of these messages:

Spurious path, logfile not created; path=

What does it mean exactly?

I'm creating files with this macro:

file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"

and even for this host, I have all the logs regardless of this message.

I also have messages for the same host like this:

Resource temporarily unavailable (11)

Here are some more details that may help to find out the reasons behind this:

- issue started 9th February (I have a total of 160K entries like this)
- the filename/path was incorrect during the whole event 2020/02/servername-20200210.log
- on the 29th the server went south by consuming lots of CPU and disappeared from the network, the console was frozen, so we had to reset the VM

The host is running an old syslog-ng PE (syslog-ng-premium-edition 4 LTS (4.0.5a) Installer-Version: 4.0.5a Revision: ssh+git://ganesa@git.balabit//var/scm/git/syslog-ng/syslog-ng-pe--mainline--4.0#master#457ec2f494a46d62ecf8cd938f12f02cd0ae9e63) on RHEL5.

Log sources are simple plain text files containing tomcat and other web server logs.

I have a twin host with the exact same config and log sources, but I have never seen messages like this from that one.

Do you have any idea? To me it looks very mysterious.

Thanks
Laszlo
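
The check described in the reply, applied to the destination layout from the question, as an added example (not syslog-ng's own code and not part of either message). The function names and the HOST values are constructed for illustration, and `snprintf` stands in for template expansion.

```c
#include <stdio.h>
#include <string.h>

/* Substring test as described in the reply: "../" or "/.." anywhere in the
 * expanded file name marks the path as spurious. Helper name is hypothetical. */
int is_spurious_path(const char *path)
{
    return strstr(path, "../") != NULL || strstr(path, "/..") != NULL;
}

/* Stand-in for template expansion of the destination from the thread:
 * /var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log
 * Returns 0 on success, -1 if the result does not fit in out. */
int expand_path(char *out, size_t outlen, const char *host,
                const char *year, const char *month, const char *day)
{
    int n = snprintf(out, outlen, "/var/log/netlog/unix/%s/%s/%s/%s-%s%s%s.log",
                     host, year, month, host, year, month, day);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 = file would be opened, 0 = refused as spurious, -1 = path too long. */
int would_create_logfile(const char *host, const char *year,
                         const char *month, const char *day)
{
    char path[512];
    if (expand_path(path, sizeof path, host, year, month, day) != 0)
        return -1;
    return is_spurious_path(path) ? 0 : 1;
}

int main(void)
{
    /* Constructed HOST values, not taken from the thread. */
    const char *hosts[] = { "servername", "../../../etc", "..", "web..01", "a/..b" };
    char path[512];
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        int verdict = would_create_logfile(hosts[i], "2020", "02", "10");
        expand_path(path, sizeof path, hosts[i], "2020", "02", "10");
        printf("%-14s %-8s %s\n", hosts[i],
               verdict == 1 ? "open" : "refused", path);
    }
    return 0;
}
```

Because the rule is a plain substring match on the expanded name, a HOST value such as `a/..b` is refused even though it does not leave the directory, while `web..01` passes.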