Regex and Syslog-ng
Hello, I have a problem with syslog-ng using match() in my filters. Here is the part of my syslog-ng.conf:

    ######
    # sources

    # all known message sources
    source s_all {
        file("/etc/syslog-ng/logtest" follow_freq(1));
    };

    ######
    # destinations
    destination d_apache { file("/etc/syslog-ng/logapache"); };
    destination d_system { file("/etc/syslog-ng/logsystem"); };
    destination d_autres { file("/etc/syslog-ng/logautres"); };

    ######
    # filters
    filter f_apache { match(apache); };
    filter f_system { match(system); };
    filter f_autres { match((?!apache)); };

    ######
    # logs
    log { source(s_all); filter(f_apache); destination(d_apache); };
    log { source(s_all); filter(f_system); destination(d_system); };
    log { source(s_all); filter(f_autres); destination(d_autres); };

As you can see, I want to search in lines if the string apache is present, if system is present or if apache is not present. The first two filters are OK, but the third doesn't work.

Can you help me to solve the problem?

Thanks.
You don't need the filter f_autres. Use flags(final) in the first two log() statements, which means "if you take this path do not evaluate any subsequent ones". That way, only messages that do not match the first two log() statements will ever reach the third log() statement. In the third log() statement you should have no filter because you want to log everything that got this far.

Joe.

________________________________
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Julien Vermet
Sent: 16 April 2009 17:01
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Regex and Syslog-ng
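The flags(final) routing described in the reply, written out as a configuration. This is an added example, not part of the original thread; it reuses the poster's source, destination and filter names, and the commented-out `not match()` variant at the end is an assumption about what the poster intended by "apache is not present".

```conf
# Added example: the poster's configuration rerouted with flags(final).

source s_all {
    file("/etc/syslog-ng/logtest" follow_freq(1));
};

destination d_apache { file("/etc/syslog-ng/logapache"); };
destination d_system { file("/etc/syslog-ng/logsystem"); };
destination d_autres { file("/etc/syslog-ng/logautres"); };

filter f_apache { match("apache"); };
filter f_system { match("system"); };

# Log paths are evaluated top to bottom, so order matters.
# flags(final): a message accepted by this path is not offered to any
# later log statement.
log { source(s_all); filter(f_apache); destination(d_apache); flags(final); };
log { source(s_all); filter(f_system); destination(d_system); flags(final); };

# Catch-all: no filter, so it receives exactly the messages that neither
# path above claimed.
log { source(s_all); destination(d_autres); };

# Behaviour to be aware of when auditing where a line ends up:
#  - a line containing both "apache" and "system" is written only to
#    logapache, because the first final path claims it;
#  - lines containing "system" never reach logautres.
#
# If logautres should instead hold every line without "apache"
# (including "system" lines), drop flags(final) and negate the filter
# with the filter-level "not" operator rather than a regex lookahead:
#
#   filter f_autres { not match("apache"); };
#   log { source(s_all); filter(f_autres); destination(d_autres); };
```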
Participants (2): Fegan, Joe; Julien Vermet