Hey all, Here's what I have...one source: source s_local { unix-stream("/dev/log"); udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514)); file("/proc/kmsg"); }; three destinations: destination d_file { file("/var/log/messages"); }; destination d_syslogserver { udp ("x.x.x.x", port(514)); }; destination d_logontype { udp ("x.x.x.x", port(515)); }; and a few filters: filter f_syslogfilter { message("0x0004") }; filter f_firewall { program("firewall") }; filter f_logontype { message("Logon") }; With the below log entry running with -F -d, I will only get the first 2 of the three filters evaluated: log { source(s_local); filter(f_syslogfilter); destination(d_file); filter(f_firewall); destination(d_syslogserver); filter(f_logontype); destination(d_logontype); }; but after splitting them out I see all three evaluated: log { source(s_local); filter(f_syslogfilter); destination(d_file); }; log { source(s_local); filter(f_firewall); destination(d_syslogserver); }; log { source(s_local); filter(f_logontype10); destination(d_logontype10); }; Is there a reason or limit or documentation for this? I can verify that the log entry passed for "Logon" in my testing didn't match the previous two filters. Version is 3.3.11. Thank you. James