logs written twice
I set up a syslog-ng server to get logs from various boxes and devices. I think I am a little confused about the correct way to set this up. I am seeing a lot of logs getting written twice. For instance, I have some old Unix boxes logging to it and some Linux boxes. The old Unix boxes log to a syslog file for most stuff and the Linux boxes log most stuff to the messages file. I have some Cisco devices that I wanted to log to a particular filename, but it is getting written to the custom filename and being duplicated to a syslog file, plus it is writing a messages file which is not an exact duplicate for some reason. I am guessing my reason is because I have stuff like

filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_messages { level(info .. warn) and not facility(auth, authpriv, cron, daemon, mail); };
destination syslog { file("/u01/log/$HOST/syslog"); };
destination messages { file("/u01/log/$HOST/messages"); };

Is there a way I can duplicate the name schema the remote box is using, or do I need to say all syslog-type events go to blah file and such?
My conf looks like

options {
    chain_hostnames(no);
    create_dirs(yes);
    dir_perm(0750);
    dns_cache(no);
    keep_hostname(no);
    log_fifo_size(2048);
    log_msg_size(8192);
    perm(0640);
    stats(3600);
    sync(0);
    time_reopen(10);
    use_dns(no);
    use_fqdn(yes);
};

source src { unix-dgram("/dev/log"); internal(); udp(); tcp(); };

destination authlog   { file("/u01/log/$HOST/auth.log"); };
destination syslog    { file("/u01/log/$HOST/syslog"); };
destination cron      { file("/u01/log/$HOST/cron.log"); };
destination daemon    { file("/u01/log/$HOST/daemon.log"); };
destination kern      { file("/u01/log/$HOST/kern.log"); };
destination lpr       { file("/u01/log/$HOST/lpr.log"); };
destination user      { file("/u01/log/$HOST/user.log"); };
destination uucp      { file("/u01/log/$HOST/uucp.log"); };
destination debug     { file("/u01/log/$HOST/debug"); };
destination messages  { file("/u01/log/$HOST/messages"); };
destination bootlog   { file("/u01/log/$HOST/boot.log"); };
destination mail      { file("/u01/log/$HOST/mail.log"); };
destination maillog   { file("/u01/log/$HOST/maillog"); };
destination mailinfo  { file("/u01/log/$HOST/mail.info"); };
destination mailwarn  { file("/u01/log/$HOST/mail.warn"); };
destination mailerr   { file("/u01/log/$HOST/mail.err"); };
destination cisco_asa { file("/u01/log/$HOST/cisco_asa.log"); };
destination console   { usertty("root"); };

filter cr_asa { facility(local5); };
filter pump_renewal { not program("pumpd") or not level(info,debug); };
filter imap_debug { not program("imapd") or not level(info,debug); };
filter ipop3_debug { not program("ipop3d") or not level(info,debug); };
filter sshd_debug { not program("sshd") or not level(debug); };
filter f_attack_alert { match("attackalert"); };
filter f_ssh_login_attempt { program("sshd.*") and match("(Failed|Accepted)") and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
# posted as facility(cron), which would send cron messages to uucp.log; assumed to be a typo
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn) and not facility(auth, authpriv, cron, daemon, mail); };
filter f_emergency { level(emerg); };
filter f_bootlog { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_daemon); destination(messages); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_kern); destination(messages); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(messages); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(cr_asa); destination(cisco_asa); };

Thanks,
Nick
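The routing the post describes can be reproduced offline. The following Python script is an added example, not part of the original message and not syslog-ng code: it re-creates the filters and log statements from the posted configuration (with f_uucp modelled as facility(uucp), and with flags(final) approximated per destination rather than per log statement, which is a simplification of the real syslog-ng flag) and reports, for a few constructed local5 and kern messages, every destination each message is written to. The sample messages are constructed, not taken from the post.

```python
# Added example: a small simulator for syslog-ng log-path matching.
# Filters and log statements mirror the posted config; messages are
# plain dicts with a facility and a severity level.

# Severities in syslog order (emerg=0 ... debug=7); syslog-ng accepts
# "warn" as an alias for "warning".
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def level_num(name):
    return LEVELS.index(ALIASES.get(name, name))


def facility(*names):
    return lambda m: m["facility"] in names


def level(*names):
    return lambda m: m["level"] in {ALIASES.get(n, n) for n in names}


def level_range(lo, hi):
    # "level(info .. warn)" is an inclusive numeric range, whichever
    # way round the endpoints are written.
    a, b = sorted((level_num(lo), level_num(hi)))
    return lambda m: a <= level_num(m["level"]) <= b


def not_(f):
    return lambda m: not f(m)


def all_(*fs):
    return lambda m: all(f(m) for f in fs)


FILTERS = {
    "f_authpriv": facility("auth", "authpriv"),
    "f_syslog": all_(not_(facility("auth", "authpriv")), not_(facility("mail"))),
    "f_cron": facility("cron"),
    "f_daemon": facility("daemon"),
    "f_kern": facility("kern"),
    "f_lpr": facility("lpr"),
    "f_mail": facility("mail"),
    "f_user": facility("user"),
    "f_uucp": facility("uucp"),  # post has facility(cron); assumed typo
    "f_messages": all_(level_range("info", "warn"),
                       not_(facility("auth", "authpriv", "cron", "daemon", "mail"))),
    "f_emergency": level("emerg"),
    "f_info": level("info"),
    "f_warn": level("warn"),
    "f_err": level("err"),
    "cr_asa": facility("local5"),
}

# (filters, destination), in the order the log statements appear in the post.
LOG_PATHS = [
    (["f_authpriv"], "authlog"),
    (["f_syslog"], "syslog"),
    (["f_cron"], "cron"),
    (["f_daemon"], "daemon"),
    (["f_daemon"], "messages"),
    (["f_kern"], "kern"),
    (["f_kern"], "messages"),
    (["f_lpr"], "lpr"),
    (["f_mail"], "mail"),
    (["f_user"], "messages"),
    (["f_uucp"], "uucp"),
    (["f_mail"], "maillog"),
    (["f_mail", "f_info"], "mailinfo"),
    (["f_mail", "f_warn"], "mailwarn"),
    (["f_mail", "f_err"], "mailerr"),
    (["f_messages"], "messages"),
    (["f_emergency"], "console"),
    (["cr_asa"], "cisco_asa"),
]


def route(msg, paths=LOG_PATHS, final=()):
    """Return the destinations a message is written to, one entry per
    matching log path (a file listed twice receives the line twice).
    Paths whose destination is in `final` stand in for flags(final):
    once one of them matches, later paths are not evaluated."""
    hits = []
    for filters, dest in paths:
        if all(FILTERS[f](msg) for f in filters):
            hits.append(dest)
            if dest in final:
                break
    return hits


# Constructed sample messages (not from the post).
ASA_INFO = {"facility": "local5", "level": "info"}
ASA_DEBUG = {"facility": "local5", "level": "debug"}
KERN_WARN = {"facility": "kern", "level": "warning"}

if __name__ == "__main__":
    for name, m in [("ASA info", ASA_INFO), ("ASA debug", ASA_DEBUG),
                    ("kern warning", KERN_WARN)]:
        print(f"{name:13} -> {route(m)}")
    # Hypothetical reordering: cisco path first and marked final.
    reordered = [LOG_PATHS[-1]] + LOG_PATHS[:-1]
    print("ASA info, cisco path first + final ->",
          route(ASA_INFO, reordered, final={"cisco_asa"}))
```

Running it shows the local5 info message landing in syslog, messages and cisco_asa, while the local5 debug message skips messages because f_messages only covers info..warn, which is why the messages file is not an exact copy of the others. The kern warning is written to messages twice, once through the f_kern path and once through f_messages, since two log statements reference the same destination. Moving the cisco path ahead of the catch-all paths and adding flags(final) to it is one way to keep those lines out of syslog and messages without having to write a "not facility(local5)" clause into every other filter.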
Nick Baronian