I'm trying to parse cron, mail, and everything else into 3 files but getting 3 copies of each log entry. I also want copies of each log message to be placed in a subdirectory based on each hostname. (So I should have 2 copies of each log message, one in the appropriate master file and then one in the appropriate file under a directory with same name as the source host) Here is my conf: <snip> # Catch All Filter For Mail and Everything Else filter f_master_syslogs { not facility(mail) and not facility(cron); }; filter f_master_maillogs { facility(mail); }; filter f_master_cronlogs { facility(cron); }; destination master_syslogs { file("/var/log/syrrx/master_syslog", owner(root), group(root), perm(0640), dir_perm(0750), create_dirs(yes), ); }; destination master_maillogs { file("/var/log/syrrx/master_maillog", owner(root), group(root), perm(0640), dir_perm(0750), create_dirs(yes), ); }; destination master_cronlogs { file("/var/log/syrrx/master_cronlog", owner(root), group(root), perm(0640), dir_perm(0750), create_dirs(yes), ); }; destination host_logs { file("/var/log/syrrx/$HOST/syslog", owner(root), group(root), perm(0640), dir_perm(0750), create_dirs(yes), ); }; destination host_mail { file("/var/log/syrrx/$HOST/maillog", owner(root), group(root), perm(0640), dir_perm(0750), create_dirs(yes), ); } destination console { file("/dev/tty10"); }; log { source(src); filter(f_console); destination(console); }; destination xconsole { pipe("/dev/xconsole"); }; log { source(src); filter(f_console); destination(xconsole); }; destination root { usertty("root"); }; log { source(src); filter(f_alert); destination(root); }; # Catch All log { source(src); filter(f_master_syslogs); destination(master_syslogs); }; log { source(src); filter(f_master_maillogs); destination(master_maillogs); }; log { source(src); filter(f_master_cronlogs); destination(master_cronlogs); }; # Host Based Log Files log { source(src); filter(f_file-0202); destination(host_logs); }; log { source(src); filter(f_file-0201); destination(host_logs); }; .... log { source(src); filter(f_db-0201_mail); destination(host_mail); }; log { source(src); filter(f_db-0202_mail); destination(host_mail); }; .... Currently I get 3 copies of each log in both places. (the master log and then the one under the host's subdirectory) Any ideas what I missed? ===== Chuck Carson - Sr. Systems Engineer Syrrx, Inc. - www.syrrx.com 10410 Science Center Drive San Diego, CA 92121 Work: 858.622.8528 Fax: 858.550.0526