Okay, I've already posted a message about the bad behaviour of ORing filters on my debian (and got no response, perhaps I should have restrained pine from sending attachments vith MIME, but well.) I realise now that combining filters like this : destination newsnotice { file("/var/log/news/news.notice" owner("news") group("adm") perm(0640)); }; filter f_news { facility(news); }; filter f_notice { level(notice); }; log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); }; will also break syslog (news.notice, suddenly, becomes very quite.. not growing at all.. strangely I suspect syslog-ng) I think combining filters wihtin syslog is broken, at least on my plaform, but not only. In a previous message, by michael.senn@cmg.nl, I read this : """ I have done some very basic testing with the not filter and suggest that you try spliting the not into it's own filter then combine them in the log statement as follows. It works for me with matching in an error message. """ Now, is there any good reason to accept this specificity about the 'not' from syslog-ng ? isnt this rather a sign that syslog-ng is broken when it comes to combining filters ?? I liked syslog-ng very well, but if filters cant be combined properly, it's much less useful.. aren't those a trivial thing to fix ?? or maybe syslog-ng depends on something for combining filters, and this 'something' is not really the same across different distribs ?? -- Samuel