RE: [syslog-ng]syslog-ng 1.6.1
Looks fine to me. Although, I do not know what this line does:

    source network { udp(); tcp(); };

Since you do not have a log line that references the "network" source, I don't know why it's there. Maybe more stuff in your config, I can't see. Everything else looks okay.

---
22 April 2004
"As nightfall does not come all at once, neither does oppression. In both instances, there is a twilight. And it is in such twilight that we all must be aware of change in the air, however slight, lest we become unwitting victims of darkness."
(William O. Douglas, 1939-1975)
---
Robert V. Coward
UNIX System Administrator
Computer Science Corporation

"Andrews, Glenn J (Glenn)" <gjandrews@lucent.com> on 04/22/2004 02:33:01 PM

To: "'syslog-ng@lists.balabit.hu'" <syslog-ng@lists.balabit.hu>
cc: "'Coward, Robert (Contractor)'" <Robert.Coward@deploymenthealth.osd.mil>
Subject: RE: [syslog-ng]syslog-ng 1.6.1

Excellent. So just to be sure I understand ya..

****************************************************
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (no);
};

source local { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal (); };
source network { udp(); tcp(); };

destination networklog { file("/var/log/network"); };
destination syslog@10.100.40.1 { tcp("10.100.40.1" port(514)); };

filter f_network_logs { facility(local1) and level(info); };
filter f_network_logs2 { facility(local1) and level(warning); };

log { source(local); filter(f_network_logs); destination(networklog); };
log { source(local); filter(f_network_logs2); destination(syslog@10.100.40.1); };
****************************************************

Is this correct?

Glenn

-----Original Message-----
From: Coward, Robert (Contractor) [mailto:Robert.Coward@deploymenthealth.osd.mil]
Sent: Thursday, April 22, 2004 1:15 PM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]syslog-ng 1.6.1

Glenn,

What you need is a filter, I think. Here's how:

    source src { unix-stream ("/dev/log"); internal (); };
    destination network_logs { file("/var/log/network.log"); };
    filter f_network_logs { facility(local1) and level(info); };

Now do the logging:

    log { source(src); destination(network_logs); filter(f_network_logs); };

I think that should work for the first one. For the second one I think you will need to set a filter like the first but set the destination like so:

    destination syslog@10.100.40.1 { tcp("10.100.40.1" port(514)); };

I think that's about it.

---
22 April 2004
"Allow the President to invade a neighboring nation whenever he shall deem it necessary to repel an invasion and you allow him to do so whenever he may choose to say he deems it necessary for such purpose, and you allow him to make war at pleasure.... If today he should choose to say he thinks it necessary to invade Canada to prevent the British from invading us, how could you stop him? You may say to him, "I see no probability of the British invading us," but he will say to you, "Be silent; I see it, if you don't."
(Abraham Lincoln, 1809-1865)
---
Robert V. Coward
UNIX System Administrator
Computer Science Corporation

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
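The point raised in the reply above, that "source network" is defined but no log statement references it, can be checked mechanically. The following is an added example, not part of the original messages and not code from the syslog-ng project: a small Python checker (function names are hypothetical) run over the configuration quoted in the thread, with the options block left out.

```python
import re

# Configuration as quoted in the thread (options block omitted for brevity).
SAMPLE_CONF = '''
source local { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal (); };
source network { udp(); tcp(); };
destination networklog { file("/var/log/network"); };
destination syslog@10.100.40.1 { tcp("10.100.40.1" port(514)); };
filter f_network_logs { facility(local1) and level(info); };
filter f_network_logs2 { facility(local1) and level(warning); };
log { source(local); filter(f_network_logs); destination(networklog); };
log { source(local); filter(f_network_logs2); destination(syslog@10.100.40.1); };
'''

def strip_noise(conf):
    """Blank out quoted strings, then drop # comments, so neither is parsed."""
    conf = re.sub(r'"[^"]*"', '""', conf)
    return re.sub(r"#[^\n]*", "", conf)

def top_level_statements(conf):
    """Yield (header, body) for every top-level `header { body };` statement."""
    depth, start, header, body_start = 0, 0, "", 0
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                header, body_start = conf[start:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, conf[body_start:i]
        elif ch == ";" and depth == 0:
            start = i + 1  # next statement begins after the terminating ';'

def unreferenced(conf):
    """Return sorted (kind, name) pairs defined but used by no log statement."""
    defined, used = set(), set()
    ref = re.compile(r"\b(source|destination|filter)\s*\(\s*([^\s()]+)\s*\)")
    for header, body in top_level_statements(strip_noise(conf)):
        words = header.split()
        if len(words) == 2 and words[0] in ("source", "destination", "filter"):
            defined.add((words[0], words[1]))
        elif words == ["log"]:
            used.update(ref.findall(body))
    return sorted(defined - used)

if __name__ == "__main__":
    for kind, name in unreferenced(SAMPLE_CONF):
        print(f"{kind} '{name}' is defined but not referenced by any log statement")
```

The checker only looks at references made from log statements; a filter that is used solely from inside another filter would be reported as unreferenced.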