What I have tried to do is log each service to its own file. At the very bottom of the conf file I put:

log { source(src); filter(f_host1); filter(DEFAULT); destination(host1_messages); }; etc. for host2 and host3

and finally another log line with ONLY filter(DEFAULT) for things that don't get matched at all (which should never happen).

However, what I am seeing appears to be that my host() filters are being ignored when using the DEFAULT filter with it. In other words, unmatched log entries for host2 and host3 are appearing in host1_messages.

Is that correct behavior?

It's the documented behaviour. Currently, I dont think syslog-ng can do "anything not already caught for this host" type filters; it's filtering logic is a little bit simpler than this.. The filter patch suggested for 1.5.0 (development release) forces the filters to be evaluated in the order they appear in the file, but essentially the logic is: - For each log line, match what is in the filter statement. If we get a hit, set the "match" flag. - Repeat for all futher filters (so multiple filters cause multiple matches, but match still =1). - When syslog-ng tests the "DEFAULT" filter, it only performs its action if match=0. This allows multiple filters to match out to multiple locations (useful), but doesn't allow the (arguably) also useful feature of excluding particular things as we go. I hope I got this right, I hope I'm close (this is the bit of syslog-ng i've been studying lately :) -- afort