I have set up syslog-ng version 1.1.27 on an i386 running a (nearly) pure Debian Linux 2.1 install, libol version 0.2. This machine is being used to collect logs sent from NT machines running a program called EventSlog.

I am trying to use the match() function to direct logs containing the string "/Security (" to a file bob.security, logs containing the string "/Applications (" to a file bob.app, logs containing the string "/SYSTEM (" to a file called bob.system, and logs that contain none of these strings to a file called bob.misc.

My first attempt at this is in the first attachment to this document. It erred by redirecting all of the logs, that is, all of the input to port 514, to each of the three files bob.app, bob.security, and bob.system. bob.misc was empty.

Figuring perhaps that multiple filters aren't and'ed together in a log statement, I then wrote the conditional statements inside the filters, as in the second attachment to this email. This setup erred in the same way.

I noticed also that the appropriately syntaxed configurations would behave similarly using syslog-ng version 1.2.23 and libol 0.1.19.

Am I misusing the match() call? Or perhaps the logical connectors?

Thanks for a great program!

PS: If there is a syntactical error in the files it is because I copied them wrong... syslog-ng always ran without explicit error...

PPS: I noticed the version-printing command line option syslog-ng -V does not work... though it is listed in the man page.
_______________________________________________
Nathaniel Couper-Noles
Department of Information Technology
School of Social Administration
University of Chicago

options { long_hostnames(off); sync(0); };

# sources
source ntboxes { udp ( port(514) ); };
source sysl-ng { internal(); };

# destinations
destination bob.security { file ("/var/log/bob.security"); };
destination bob.system { file ("/var/log/bob.system"); };
destination bob.app { file ("/var/log/bob.app"); };
destination bob.misc { file ("/var/log/bob.misc"); };

# filters
filter f_security { match ("/Security ("); };
filter f_app { match ("/Application ("); };
filter f_system { match ("/SYSTEM ("); };
filter f_misc { not match ("/Security (") and not match ("/SYSTEM (") and not match ("/Application ("); };
filter f_bob { host ("bob"); };

# logs
log { source (ntboxes); filter (f_bob); filter (f_security); destination (bob.security); };
log { source (ntboxes); filter (f_bob); filter (f_system); destination (bob.system); };
log { source (ntboxes); filter (f_bob); filter (f_app); destination (bob.app); };
log { source (ntboxes); filter (f_bob); filter (f_misc); destination (bob.misc); };

options { long_hostnames(off); sync(0); };

# sources
source ntboxes { udp ( port(514) ); };
source sysl-ng { internal(); };

# destinations
destination bob.security { file ("/var/log/bob.security"); };
destination bob.system { file ("/var/log/bob.system"); };
destination bob.app { file ("/var/log/bob.app"); };
destination bob.misc { file ("/var/log/bob.misc"); };

# filters
filter f_bob_security { host ("bob") and match ("/Security ("); };
filter f_bob_app { host ("bob") and match ("/Application ("); };
filter f_bob_system { host ("bob") and match ("/SYSTEM ("); };
filter f_bob_misc { host ("bob") and not match ("/Security (") and not match ("/SYSTEM (") and not match ("/Application ("); };

# logs
log { source (ntboxes); filter (f_bob_app); destination (bob.security); };
log { source (ntboxes); filter (f_bob_security); destination (bob.system); };
log { source (ntboxes); filter (f_bob_system); destination (bob.app); };
log { source (ntboxes); filter (f_bob_misc); destination (bob.misc); };
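
An added example, not part of the original post or of syslog-ng: a small Python model of the four-way routing the post intends. syslog-ng documents match() as taking a regular expression, and each string in the posted filters ends in an unescaped "(", which is not a valid regular expression as written. Assumptions: Python's re module stands in for syslog-ng's regex engine, host() is simplified to an equality test, and the sample messages are constructed.

```python
import re

# (destination, literal substring) pairs taken from the post's filters.
ROUTES = [
    ("bob.security", "/Security ("),
    ("bob.app", "/Application ("),
    ("bob.system", "/SYSTEM ("),
]


def compiles(pattern):
    """True if pattern is a valid regular expression (Python syntax)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def build_filters(routes):
    """Escape each literal so '(' is matched as a character, then compile."""
    return [(dest, re.compile(re.escape(lit))) for dest, lit in routes]


def route(host, message, filters, wanted_host="bob"):
    """Destinations for one message: host AND match, else bob.misc."""
    if host != wanted_host:  # simplification of the post's host("bob") filter
        return []
    hits = [dest for dest, rx in filters if rx.search(message)]
    return hits or ["bob.misc"]


# Constructed sample messages; the real EventSlog format is not shown in the post.
SAMPLES = [
    ("bob", "EventSlog: bob/Security (529) logon failure"),
    ("bob", "EventSlog: bob/Application (1000) service started"),
    ("bob", "EventSlog: bob/SYSTEM (6005) event log started"),
    ("bob", "EventSlog: heartbeat"),
    ("alice", "EventSlog: alice/Security (529) logon failure"),
]

if __name__ == "__main__":
    for _, literal in ROUTES:
        print(repr(literal), "valid as written:", compiles(literal))
    filters = build_filters(ROUTES)
    for host, msg in SAMPLES:
        print(host, route(host, msg, filters), msg)
```

How syslog-ng 1.1.27 reacts to a pattern that fails to compile is not shown in the post; the model only shows the routing once the parenthesis is treated as a literal character.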