I am guess from your email that all of the or's in the filter work correctly and it is just the 'not facility(local7)' that is the probel area. I have done some very basic testing with the not filter and suggest that you try spliting the not into it's own filter then combine them in the log statement as follows. It works for me with matching in an error message.

My intent with the following filter, etc. is to exclude messages coming in from facility local7 from being logged to /var/adm/messages. It does not seem to work as those messages are making it there. Can anyone spot what might be wrong with the filter/destination/log stanza(s)?

filter f_var_adm { level(emerg,alert,crit,err) or ( facility(kern) and level(debug) ) or ( facility(daemon) and level(notice) ) or ( facility(local2) and level(notice) ) or ( facility(auth) and level(notice,info) ) or ( facility(mail) and level(crit) ) ; };

filter not_local7 { not facility(local7) ; };

destination d_var_adm { file("/var/adm/messages"); };

# Log all messages conforming to the f_var_adm filter to /var/adm/messages log { source(stdlog);

filter(not_local7);

filter(f_var_adm); destination(d_var_adm); };

_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng