Hello,

I tried to use the filter(DEFAULT); expression but failed.

Entries like

<<datum>> www imapd[27520]: open: user va opened INBOX.misc.Tipps-und-Tricks
<<datum>> www imapd[27520]: open: user va opened INBOX.OS.Netware.Tools
<<datum>> www imapd[27520]: open: user va opened INBOX.Abfall
<<datum>> www imapd[27555]: login: apelt-pc.in-house[192.168.51.2] va plaintext
<<datum>> www imapd[27555]: seen_db: user va opened /var/imap/user/v/va.seen
<<datum>> www imapd[27555]: open: user va opened user.va.Listen.SuSE.Security

go to the default destination, too, although they have been written
to some other destination already _and_ are explicitly excluded
in the DEFAULT expression.

Here is the log expression that is responsible for the mysterious
filter results.

#all, not yet handled, should be low traffic
log { source(src);
      filter(l_warn_or_worse);
      filter(F_not_mail);
      filter(F_not_news);
      filter(F_not_syslog);
      filter(f_not_kommunikation);
      filter(DEFAULT);
      destination(daemon); };

Is this a case of documentation misinterpretation?

I have appended a shortened version of my syslog-ng.conf file below.

Thanks

Volker Apelt

-- 
Volker Apelt                   Group of Prof. Dr. Ch. Griesinger
Dipl. Chem.                    Johann Wolfgang Goethe Universität
+49 6172 31126                 Frankfurt am Main, Germany
va .@. org.chemie.uni-frankfurt.de (remove the dots, please)

###### part of syslog-ng.conf

options { long_hostnames(off); sync(0); };

source src {
    unix-stream("/dev/log");
    file("/proc/kmsg");
    unix-stream("/cache/chroot/named/dev/log");
    internal();
};

destination daemon { file("/var/log/daemon"); };
destination mailstore_info { file("/var/log/mail/mail_store.info"); };
destination mailstore_warn { file("/var/log/mail/mail_store.warn"); };
destination mailstore_err { file("/var/log/mail/mail_store.err"); };

filter F_news { facility(news); };
filter F_not_mail { not facility(mail); };
filter F_not_user { not facility(user); };
filter F_not_news { not facility(news); };

### Levels
# debug, info, notice, warning, err, crit, alert, emerg
filter l_debug { level(debug); };
filter l_debug_or_worse { level(debug..emerg); };
filter l_info { level(info); };
filter l_info_or_worse { level(info..emerg); };
filter l_normal { level(info..notice); };
filter l_not_debug { level(info..emerg); };
filter l_notice { level(notice); };
filter l_notice_or_worse { level(notice..emerg); };
filter l_warn { level(warn); };
filter l_warn_or_worse { level(warn..emerg); };
filter l_err { level(err); };
filter l_err_or_worse { level(err..emerg); };
filter l_crit { level(crit); };
filter l_crit_or_worse { level(crit..emerg); };
filter l_alert { level(alert); };
filter l_alert_or_worse { level(alert..emerg); };
filter l_emergency { level(emerg); };

filter f_mailstore {
    not program("postfix.*")
    and ( program("imapd.*")
          or program("imap.*")
          or program("popper.*")
          or program("procmail.*") ) ;
};

filter f_not_kommunikation {
    not program("imap.*")
    and not program("imapd.*")
    and not program("leafnode.*")
    and not program("mailfw.*")
    and not program("popper.*")
    and not program("postfix.*")
    and not program("procmail.*")
    and not program("qmgr.*")
    and not program("sendmail.*")
    and not program("test_filter.*")
    and not program("fetchnews")
    and not program("imapd.*")
    and not program("postfix.*")
    and not program("texpire");
};

#
# a lot of other log {}; destinations ..
#

## mail store server
log { source(src); filter(F_mail); filter(f_mailstore); filter(l_debug_or_worse); destination(dev_null); };
log { source(src); filter(F_mail); filter(f_mailstore); filter(l_normal); destination(mailstore_info); };
log { source(src); filter(F_mail); filter(f_mailstore); filter(l_warn_or_worse); destination(mailstore_warn); };
log { source(src); filter(F_mail); filter(f_mailstore); filter(l_err_or_worse); destination(mailstore_err); };

#all, not yet handled, should be low traffic
log { source(src);
      filter(l_warn_or_worse);
      filter(F_not_mail);
      filter(F_not_news);
      filter(F_not_syslog);
      filter(f_not_kommunikation);
      filter(DEFAULT);
      destination(daemon); };