define two filter that way : filter webfarm { netmask("128.128.1.0/24");}; filter webfarm2 { netmask("128.128.2.0/24");}; and send them to different destinations just remember that netmask will always (afaik) match against source ip ( i.e. if you have a forwarder it will THAT ip ) Amodiovalerio [Hypo] Verde ----- Original Message ----- From: "Wayne Sweatt" <sweatt@lanl.gov> To: <syslog-ng@lists.balabit.hu> Sent: Wednesday, October 15, 2003 8:11 PM Subject: [syslog-ng]Sort/filter logs on source IP address I've asked this question before in a slightly different manner (Can I run multiple instances of Syslog-NG - One for Mac OS X, one for other UNIX...), but still have not a satisfactory answer to that on, so.. I'd thought I'd ask a similar question and hope for a more definitive answer: Is there a way to filter or regexp match an incoming UDP log by IP Address so that logging clients from certain networks go to certain log directories/destinations ? For example, I want to log everything from 128.128.1.0 in /var/log/NetworkA, and log everything from 128.128.2.0 in /var/log/NetworkB/. I know host() will operate on hostname, but I don't want to have to maintain a list of hosts to match against - I want it be dynamic, so when a new client is added, it can log automatically to the appropriate directory. Syslog-ng has the source IP with each log, so this shouldn't be a problem, right? I am using the latest version of syslog-ng, and UDP as the protocol. Reminder: I do not want to know about TCP Wrappers, I don't want to block IPs, just direct logs from certain IP subnets to certain directories/file-systems. Wayne Sweatt Sr. UNIX System Administrator Comforce Technical Services LANL SCC Team _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html