Greetings! I am trying to rewrite syslog-ng.conf to create files based on facilities; one way for non-auth messages, another for all authentication messages (ssh, su, sudo, and console logins). I believe I have two issues with my statements below: 1. My ${HOST}- might be incorrect. 2. Am I able to write two filters for a single source? My single source in this case are Linux boxes, all sending their syslog traffic to my syslog-NG server with *.*. My statements below, comments and criticism very welcome. filter f_linux_secure { facility(authpriv) and level(info..emerg); }; filter f_linux_messages { level(info..emerg); }; destination d_linux_secure { file("/data/Linux/${HOST}-secure.log" owner("root") group("systems") perm(0640) dir_perm(0750) create_dirs(yes)); destination d_linux_messages { file("/data/Linux/${HOST}-messages.log" owner("root") group("systems") perm(0640) dir_perm(0750) create_dirs(yes)); log { source(s_remote); filter(f_linux_secure); destination(d_linux_secure); flags(final); }; log { source(s_remote); filter(f_linux_messages); destination(d_linux_messages); flags(final); }; Regards, Vadim Anatoly Pushkin