Request for help with a filter
Hi, all -- I'm trying to get a little bit of help getting a filter to work. I've looked around a little bit, but haven't found a clear indication as to priority order and the like.

I've got a network source set up for syslog-ng, that accepts messages from a whole bunch of different machines:

    source netsrc { udp(ip("0.0.0.0") port(514)); };

All of the messages that I'm interested in come from a specific application, which is configured to log everything on local5:

    filter f_myapp { facility(local5); };

I've got a general filter set up that sends these messages to a single log file:

    destination central { file("/opt/central/central"); };
    log { source(netsrc); filter(f_myapp); destination(central); };

All of the above is working fine. Now, I have need to get rid of a couple of error messages that appear on a single host. BUT, I need to do this in such a way as to avoid masking those errors if they should appear somewhere else. So, basically, I need to add a second filter that eliminates from consideration anything where:

    host("hostX") AND (match("ERROR 1: error 1 text") or match("ERROR 2: error 2 text"))

I can think of a couple of different ways to do this, but I'm not positive if either syntax will work, or if there's another that'll work better, or what...

First attempt:

    source netsrc { udp(ip("0.0.0.0") port(514)); };
    destination central { file("/opt/central/central"); };
    filter f_myapp { facility(local5); };
    filter f_errors1 { not host("hostX") and not (match("ERROR 1:") or match("ERROR 2")); };
    log { source(netsrc); filter(f_myapp); filter(f_errors1); destination(central); };

Second attempt:

    source netsrc { udp(ip("0.0.0.0") port(514)); };
    destination central { file("/opt/central/central"); };
    filter f_myapp { facility(local5); };
    filter f_errors2 { host("hostX") and match("ERROR 1:") or match("ERROR 2"); };
    log { source(netsrc); filter(f_myapp); not filter(f_errors1); destination(central); };

Will either of these work as written?
What are the alternate methods that might work better? (Perhaps more to the point, what am I totally messing up? :-)) Thanks! - Ian
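The question hinges on two things: how syslog-ng's filter operators bind (`not` tighter than `and`, `and` tighter than `or`, so `host() and match() or match()` is read as `(host() and match()) or match()`), and the fact that `host()` and `match()` are regular-expression matches, so `host("hostX")` also matches a host named `hostX2` unless the pattern is anchored. The script below is an added example, not part of the original post or of syslog-ng itself: it emulates a log path over a handful of constructed sample records and shows what each of the two posted attempts actually delivers, next to a filter that expresses the intended rule (`host("^hostX$") and (match("ERROR 1:") or match("ERROR 2:"))`, applied negated on the log path). The sample hosts and messages are invented for the demonstration.

```python
import re

# Constructed sample records (not from the original post): (host, facility, message).
SAMPLE = [
    ("hostX",  "local5", "ERROR 1: error 1 text"),   # the noise to suppress
    ("hostX",  "local5", "ERROR 2: error 2 text"),   # the noise to suppress
    ("hostX",  "local5", "INFO: routine message"),   # must still be logged
    ("hostY",  "local5", "ERROR 1: error 1 text"),   # must NOT be masked
    ("hostY",  "local5", "ERROR 2: error 2 text"),   # must NOT be masked
    ("hostX2", "local5", "ERROR 1: error 1 text"),   # unanchored host("hostX") would match this too
    ("hostX",  "local0", "ERROR 1: error 1 text"),   # wrong facility, dropped by f_myapp anyway
]

# Minimal stand-ins for syslog-ng's filter functions: host() and match() are regex searches.
def host(pattern, rec):
    return re.search(pattern, rec[0]) is not None

def match(pattern, rec):
    return re.search(pattern, rec[2]) is not None

def facility(name, rec):
    return rec[1] == name

def f_myapp(rec):
    return facility("local5", rec)

# First attempt, exactly as posted: not host AND not (m1 OR m2).
# This keeps a message only if it is from some other host AND carries neither error,
# so it drops every hostX message and masks the errors on every other host.
def f_errors1(rec):
    return (not host("hostX", rec)) and not (match("ERROR 1:", rec) or match("ERROR 2", rec))

# Second attempt, as syslog-ng parses it: 'and' binds tighter than 'or',
# so the expression is (host AND m1) OR m2, and "ERROR 2" is dropped from any host.
def f_errors2(rec):
    return (host("hostX", rec) and match("ERROR 1:", rec)) or match("ERROR 2", rec)

# Intended rule: drop only when BOTH the (anchored) host and one of the two messages match.
def f_hostx_noise(rec, host_pattern="^hostX$"):
    return host(host_pattern, rec) and (match("ERROR 1:", rec) or match("ERROR 2:", rec))

# The negation goes inside its own filter; a log path cannot say "not filter(...)".
def f_keep(rec):
    return not f_hostx_noise(rec)

def route(records, *filters):
    """Emulate a syslog-ng log path: a record reaches the destination only if every filter passes."""
    return [r for r in records if all(f(r) for f in filters)]

def delivered(filter_fn, records=SAMPLE):
    """What reaches destination(central) with filter(f_myapp) followed by filter_fn."""
    return [(h, m) for h, _, m in route(records, f_myapp, filter_fn)]

if __name__ == "__main__":
    for label, fn in [("attempt 1", f_errors1),
                      ("attempt 2 (negated)", lambda r: not f_errors2(r)),
                      ("intended", f_keep)]:
        print(label)
        for h, m in delivered(fn):
            print("   ", h, m)
```

Run against the sample set, the first attempt delivers nothing at all, the second still masks `ERROR 2` from `hostY`, and only the intended filter keeps every non-hostX error while dropping the two hostX messages. The same logic in syslog-ng configuration is `filter f_hostx_noise { host("^hostX$") and (match("ERROR 1:") or match("ERROR 2:")); };`, `filter f_keep { not filter(f_hostx_noise); };`, and a log path of `source(netsrc); filter(f_myapp); filter(f_keep); destination(central);`; whether `match()` searches only the message body or the whole line depends on the syslog-ng version, so on older releases pin it with `program()`/`message()` or `value()` as the docs for that version describe.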
participants (1)
-
Marlier, Ian