I did try doing this for the daemon filter:
filter f_daemon { facility(daemon) and not filter(f_ftpd) and not filter(f_named); };
...but this does not work. I still get the ftpd and named messages in daemonlog (as well as ftpdlog and namedlog). This is exactly what Un L'Unique experienced last month when he said that the "not filter" did not appear to be working for him. I get the same behavior -- it does not work for me. This is,
First of all, I tried this, and it DID work, at least for my local source tree. Maybe I've committed a fix sometime and didn't release it? Here's the configuration I tried:

options { keep_hostname(yes); };

source src { unix-stream("proba2"); internal(); };

destination ftpd { file("ftplog"); };
destination named { file("namedlog"); };
destination daemon { file("daemonlog"); };

filter f_ftpd { match("ftp"); };
filter f_named { match("named"); };
filter f_daemon { facility(daemon) and not filter(f_ftpd) and not filter(f_named); };

log { source(src); filter(f_ftpd); destination(ftpd); };
log { source(src); filter(f_named); destination(named); };
log { source(src); filter(f_daemon); destination(daemon); };

And the lines I logged:

balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "ftp"
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "named"
balabit:~/src/syslog-ng-1.4/src$ logger -u proba2 -p daemon.info "qqq"

All of them went to the desired location. I'll go on and test the DEFAULT filter.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
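
An added model of the configuration in the reply above (not part of the original messages and not syslog-ng code): it evaluates the three log statements over constructed copies of the three logger messages, and also shows the duplication reported in the first message. It assumes match() is a regular-expression search on the message text; all Python names are hypothetical.

```python
import re

# Each filter is a predicate over (message, table of named filters).
def match(pattern):                       # assumption: regex search on the text
    rx = re.compile(pattern)
    return lambda msg, filters: rx.search(msg["text"]) is not None

def facility(name):
    return lambda msg, filters: msg["facility"] == name

def filter_ref(name):                     # filter(f_x): evaluate another filter
    return lambda msg, filters: filters[name](msg, filters)

def all_of(*preds):                       # "a and b and c"
    return lambda msg, filters: all(p(msg, filters) for p in preds)

def negate(pred):                         # "not a"
    return lambda msg, filters: not pred(msg, filters)

# The three filters from the configuration in the reply.
FILTERS = {
    "f_ftpd": match("ftp"),
    "f_named": match("named"),
    "f_daemon": all_of(facility("daemon"),
                       negate(filter_ref("f_ftpd")),
                       negate(filter_ref("f_named"))),
}

# Model of the reported behaviour: f_daemon acting as if both
# "not filter(...)" terms were absent.
BROKEN = dict(FILTERS, f_daemon=facility("daemon"))

# One entry per log { ... } statement: (filter name, destination file).
LOG_PATHS = [("f_ftpd", "ftplog"), ("f_named", "namedlog"),
             ("f_daemon", "daemonlog")]

def route(msg, filters=FILTERS, paths=LOG_PATHS):
    """Return every destination reached; each log path is tested independently."""
    return [dest for name, dest in paths if filters[name](msg, filters)]

# Constructed messages mirroring the three logger commands.
SAMPLES = [{"facility": "daemon", "text": t} for t in ("ftp", "named", "qqq")]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["text"], "working:", route(m), "reported:", route(m, BROKEN))
```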