Whenever I combine 2 filters with a 'OR', it matches just about anything. (except if those 2 filters are of different kind, like program & facility, etc.. ) For exemple : destination trylog { file("/var/log/CransMisc/try.log" owner("root") group("adm") perm(0640)); }; filter f_stunnel { program("stunnel"); }; filter f_squid { program("squid"); }; filter f_try { filter(f_stunnel) or filter (f_squid); }; #(bug1) log { source(src); filter(f_try); destination(trylog); }; will put all kinds of stuff in try.log, with program names that contain neither 'tunnel' nor 'squid'. (eg: 'cucipop' lines end up in try.log... ) Same thing if I define f_try directly, without using f_stunnel and f_squid, as : filter f_try { program("stunnel") or program("squid"); }; #(bug2) Also, the 'or' does strange thing with other filters than 'program', like : filter f_try { program("local2") or facility("local3"); }; #(bug3) On the other hand, Those work as intended: filter f_try { program("(stunnel)|(squid)"); }; #(ok1) filter f_try { program("stunnel") or facility(local3); }; #(ok2) Isn't that a bug in syslog-ng ?? -- Sam PS: this aside, syslog-ng is really great, so much better than the old awkward syslogd..