I am Stefano Tanfoglio, I work from one bank in Italy. I use syslog-ng for archive the log of 176 computer. ( 2 router - 125 windows server - 51 linux server ). In Windows server i use ntsyslog service. protocol = udp destination server = ip syslog-ng server destination port = 514 Ntsyslog send all log In Linux server i use the syslog auth.* @syslog01.xxxx.it authpriv.* @syslog01.xxxx.it kernel.=err;kernel.=warn @syslog01.xxxx.it mail.=err;mail.=warn @syslog01.xxxx.it daemon.=err;daemon.=warn @syslog01.xxxx.it local7.=err;local7.=warn @syslog01.xxxx.it ... ... Configuratione syslong-ng.conf: Versione: syslog-ng-1.4.14-2mdk options { sync (0); time_reopen (10); log_fifo_size (3000); long_hostnames (on); use_dns (yes); use_fqdn (yes); create_dirs (yes); keep_hostname (yes); }; source remote { udp(); }; destination linux { file("/var/log/HOSTS/LINUX/$HOST/$FACILITY" dir_perm(0755) perm(0655)); }; destination windows { file("/var/log/HOSTS/WINDOWS/$HOST/$FACILITY" dir_perm(0755) perm(0655)); }; destination router { file("/var/log/HOSTS/ROUTER/$HOST/$FACILITY" dir_perm(0755) perm(0655)); }; filter f_linux { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|51"); } ; filter f_windows { host("name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|125"); }; filter f_router { host("name1.domain.tld|name2.domain.tld"); }; log { source(remote); filter(f_linux); destination(linux); }; log { source(remote); filter(f_windows); destination(windows); }; log { source(remote); filter(f_router); destination(router); }; Problem: 1) In the windows section I have 125 machine and only 80 recording. I try to move the last hostname in first position: filter f_windows { host("125|name1.domain.tld|name2.domain.tld|name3.domain.tld|...........|124 "); }; the test it ok, hostname logger and recording. 2)Every 10-15 minutes the syslog-ng system it down. 3) I try the new version but I have not obtained the positive information. 4) I have modified the syslog-ng.conf: .... .... destination tem { file("/var/log/HOSTS/ALL/$HOST" dir_perm(0755) perm(0655)); }; ... ... ... log { source(remote); destination(tem); }; .. .. The all machine recording and the server don' t crash with this solution. I don't try the DB recording. Thanks for the collaboration. Stefano Tanfoglio Assyrus Srl www.assyrus.it ICQ:146827274