Thanks again Len. So I guess the standard conf (in the examples dir) logs a lot of the same stuff to multiple files, ie. messages file and syslog file. Why do this when the syslog statement catches everything the messages catches? It isn't that big of a division of types of events so I guess that was confusing me. If I understand this right in the example file snippet- filter f_syslog { not facility(authpriv, mail); }; filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); }; The messages will only log "info, notice and warning and everything but auth, authpriv, mail and news" but the syslog will log "all levels and everything but authpriv and mail"? Is that correct, if you don't specify the level, what does it default to? -Nick On 11/1/06, Leonard Mills <Leonard_Mills@corpnet.sel.sony.com> wrote:

Yes, you've got it exactly correct. Processing of the incoming packet will end when a final flag is encountered. Things that are desired in multiple places shouldn't be allowed encounter the final flag (maybe things like auth.crit should appear in more than one place).

Len