I think it might be a better idea to do it one of these ways:

For each match, increment a variable. Add a filter(DEFAULT=x) where that filter only matches if the variable is set to that number (or possibly lower?). This allows you to write a few filter statements and say "ok, this packet should be matched by rules #1, 2, 3, so the number of matches is 3. Now I set filter(DEFAULT=3) to match any other packets". This gives you a bit more control over it in that you can still have multiple matches, and DEFAULT will still log some things.

Or...

Set the default filter to include a hostname and a variable number like above. This way you can match against several hosts and count the matches as described above. This allows for a bit more flexibility than above. A missing hostname could get interpreted as all hosts.

This functionality could also be built into the functions that receive the packets and store the "matched x times" variable.

On Wed, Dec 13, 2000 at 03:30:26PM +1000, Andrew Fort wrote:
| > So it will have the opposite effect of what I wanted then... anything
| > that matches host1 will set match=1 and DEFAULT won't match. Heh,
| > somehow I find it amusing that my logic was completely backwards. Or
| > maybe I'm up too late. :-)
|
| Correct :) Your rules have two filter statements, it's only the
|
|     filter(host1);
|
| and not the filter(DEFAULT); which is causing any action.
|
| --
| afort
|
| _______________________________________________
| syslog-ng maillist - syslog-ng@lists.balabit.hu
| https://lists.balabit.hu/mailman/listinfo/syslog-ng