Okay! We have 2 problems:

1- The hostnames of the syslog receivers are SECU-Rcv1 and SECU-Rcv2. So with a destination like:

    destination d_std { file("/export/disk1/log/$HOST/$YEAR/$MONTH/messages.log"); };

We receive the log in /export/disk1/log/SECU-Rcv2 on the local host. Why not the IP like other hosts?

2- We have 2 syslog collectors and a big config file with each host (customer) defined line by line and a rule with unknown. The problem is that each host logs correctly to its respective directory, but they also log to my unknown directory. I want to be able to say: if no filter matches, log to unknown...

Thanks a lot!

Kéven Belanger
Security Solutions Analyst
Logicon Inc. - Security Division
819.825.8049 x7717
800.567.6399 x7717