Sorry to keep harping on this guys, but this is a ^%$#@ mystery! Once again, my mail log restarted at around 10:30pm tonight. Lest you think I'm just whining and not making an effort to solve this one, here's what I've come up with: 1) I've checked all of my crontabs and at jobs, and there's nothing that runs around that time. 2) Went through all the long-running processes. Nothing that would interact with syslog-ng or the log files directly. No processes started or restarted around that time in ps. No weird logins around that time that would seem to indicate operator error. 3) My /var/adm/messages file did NOT restart, just the mail logs coming in from the remote SSH tunnels. 4) I changed my syslog-ng.conf to not use macros for the filename, but rather to log to a static filename "current.log". Didn't help. 5) I added a second destination, breaking out the logs by hour: destination inboundlog { file("/system/inbound_mail/logs/current.log"); file("/system/inbound_mail/logs/$YEAR/$MONTH/$DAY/$HOUR.log"); }; current.log had the entire day's logs, and was truncated and restarted at 22:33:04, however the hourly log 2003/01/29/22.log was NOT, it kept right on ticking. 6) total size of messages logged up to 22:33:04 was approximately 29mb, so largefile issues should not be a factor. I'm at a loss here, folks. I'm ready to consult an exorcist. I seem to have a workaround in that my logs split out by hour don't appear to be getting truncated, but I'd love to track this one down. Any suggestions for things I've haven't considered or should I start shopping for goats and black candles? Thanks, Brian P.S. sorry for the threading issues, was reading through the web archives but I've now joined the list since I'm busily replacing Solaris syslog everywhere with syslog-ng! -- "We've heard that a million monkeys at a million keyboards coud produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true."