Okay I think I see my problem. Currently, I am getting the same messages logged to a couple files For instance, the localhost's log directory has the following in it -rw-r----- 1 root root 107 Nov 1 14:39 messages -rw-r----- 1 root root 107 Nov 1 14:39 syslog both files contain the same messages in the log. I guess because of my filter lines the syslog file and the messages file are going to log a lot of the same stuff. Is this correct? filter f_syslog { not facility(authpriv, mail) and not match(ppp.*LCP); }; filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); }; destination syslog { file("/u01/logs/$HOST/syslog"); }; destination messages { file("/u01/logs/$HOST/messages"); }; log { source(src); filter(f_syslog); destination(syslog); }; log { source(src); filter(f_messages); destination(messages); }; Is this what most people do? Why not just remove the filter for the messages since the syslog kind of catches it all and the messages drops so little? If I don't want the the same messages logged to both files I would need to remove one of the two filters, right? Thanks, Nick