Hi,
I want to drop all log lines containing the keyword "INTERNET". I tried the following scenarios:

Scenario 1:

filter f_log { facility(local3); };
filter f_nointernet { not message("INTERNET"); };
log { source(s_sys); filter(f_nointernet); filter(f_log); destination(d_log); };

Scenario 2:

filter f_internet { message("INTERNET"); };
filter f_log { facility(local3); and not filter(f_internet); };
log { source(s_sys); filter(f_log); destination(d_log); };

Scenario 3:

filter f_log { facility(local3); };
filter f_internet { message("INTERNET"); };
filter f_nointernet { not filter(f_internet); };
log { source(s_sys); filter(f_nointernet); filter(f_log); destination(d_log); };

But none of them is working.
Please help.