Hello, First of all, i started to use syslog-ng on Ubuntu a few days ago and it seams a great syslog server. But today i stumble on a problem. I configured snmptrapd with TRAPDOPTS='-Lsd ' and this means that snmptrapd will send the trap received to syslog-ng. Now, syslog-ng puts those traps by default in /var/log/syslog because of this default configurations: source s_src { unix-dgram("/dev/log"); internal(); file("/proc/kmsg" program_override("kernel")); destination d_syslog { file("/var/log/syslog"); }; filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); }; log { source(s_src); filter(f_syslog3); destination(d_syslog); }; What i want to acomplish is to have traps from diferent host put in diferent files, not all together in the same file like it happens now. At first i tried to filter based on the host's ip address that was sending the trap, but i realized that the snmptrapd process is the one that sends the trap to syslog-ng process, not the device directly: Aug 29 11:42:48 Dell *snmptrapd*[3801]: 2011-08-29 11:42:43 10.90.0.252 [UDP: [10.90.0.252]:49364->[192.168.53.151]]: iso.3.6.1.2.1.1.3.0 = Timeticks: (1563318974) 180 days, 22:33:09.74 iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.9.9.41.2.0.1 iso.3.6.1.4.1.9.9.41.1.2.3.1.2.31 = STRING: "LINK" iso.3.6.1.4.1.9.9.41.1.2.3.1.3.31 = INTEGER: 4 iso.3.6.1.4.1.9.9.41.1.2.3.1.4.31 = STRING: "UPDOWN" iso.3.6.1.4.1.9.9.41.1.2.3.1.5.31 = STRING: "Interface Serial0/0/0, changed state to down" iso.3.6.1.4.1.9.9.41.1.2.3.1.6.31 = Timeticks: (1563318974) 180 days, 22:33:09.74 So maibe you have done this - how can i filter based on the program that it sending the message (like snmptrapd). And also, can filters based on the text itself can be used? Like: - if the mesage contains "10.90.0.252 [UDP: [10.90.0.252]:XXXXX->[192.168.53.151]" put the mesage in "this" file - if the mesage contains "10.90.1.22 [UDP: [10.90.1.22]:XXXXX->[192.168.53.151]" put the mesage in "that" file Thanks --