syslog-ng seems to work quite well for sorting logs by facility and/or priority to the nth degree... but I'm struggling to do something that one would expect to be fairly simple (perhaps it is, and I'm even more simple...).

I'm trying to set up a syslog server that sorts input by hostname and throws that input into a /var/log/HOSTS/$hostname file. It's strictly for a backup copy of each system log for audit purposes in case a host is compromised, but I'd prefer to have each host have its own file. Easier to find stuff that way.

I was expecting to set up the syslog server's syslog.conf file (not using syslog-ng) to pipe to a shell or perl script that did the parsing, but everything I ran across looked like it was aimed at intrusion detection. A quick search convinced me that syslog-ng was my best bet, so I compiled and replaced syslogd with syslog-ng, but it is still logging my client logs to /var/log/messages (yes, I killed syslogd first), even though I set up the following at the end of the syslog-ng.conf file:

    # automatic host sorting (usually used on a loghost)
    #
    destination std {
        file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
             owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
        );
    };

    # log it
    log {
        source(src);
        destination(std);
    };

I obviously need to spend some more time on this, but perhaps someone has a quick suggestion or knows of a better way to do what I'm looking for. In the meantime I'll read 'til my eyes bleed...

I'm not on the list, so please reply to mschipper@lightsurf.com

Thanks.
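The per-host split the post describes, written as a script that could sit behind a syslogd pipe; this is an added example, not part of the original post and not syslog-ng's own code. The hostname field of a received syslog message is supplied by the sender, so it is validated before it is used as a file name. The function names, the `_unparsed` catch-all file and the sample lines are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Constructed sample lines in the classic BSD syslog layout
# "Mon DD HH:MM:SS host tag: message"; they are not taken from the post.
SAMPLE = [
    "Mar  3 10:15:01 web01 sshd[411]: Accepted publickey for root",
    "Mar  3 10:15:02 db01 su: session opened for user postgres",
    "Mar  3 10:15:03 ../../etc/cron.d/x evil: spoofed hostname field",
    "not a syslog line",
]

LINE_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
# Letters, digits, '-' and '.' only, starting with a letter or digit.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def host_of(line):
    """Return the validated, lower-cased hostname field, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m.group(1)
    if not HOST_RE.match(host) or ".." in host:
        return None  # rejects "/" and ".." so the name stays inside base_dir
    return host.lower()


def sort_lines(lines, base_dir):
    """Append each line to base_dir/<host>; return lines written per file."""
    os.makedirs(base_dir, mode=0o700, exist_ok=True)
    counts = {}
    for line in lines:
        # "_unparsed" cannot collide with a host: '_' fails HOST_RE.
        name = host_of(line) or "_unparsed"
        path = os.path.join(base_dir, name)
        # 0600 as in the post's perm(0600); O_NOFOLLOW refuses a symlink
        # planted at the target path.
        flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
        fd = os.open(path, flags, 0o600)
        with os.fdopen(fd, "a") as fh:
            fh.write(line.rstrip("\n") + "\n")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Demonstration in a scratch directory rather than /var/log/HOSTS.
    demo_dir = os.path.join(tempfile.mkdtemp(), "HOSTS")
    print(demo_dir, sort_lines(SAMPLE, demo_dir))
```
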