Interpreting Relayed Messages
In my current syslog setup, some messages are transferred periodically via mail to the central syslog machine, at which time they are formatted into proper syslog packets, then delivered via UDP to the syslog-ng process on the local machine. This setup works well considering the limitations of the network[1], but for the hostname field of the syslog packet, and how syslog-ng processes this.

The message sent to syslog-ng contains the hostname of the original machine (remote) only. After syslog-ng on the local machine (local) processes the message, the hostname field contains "remote/local". I understand why this change was made and accept it. However, the problem comes when syslog-ng filters this message by host, and the message matches for "local". When writing the message to a file destination, it is stored in the proper directory[2], so syslog-ng clearly understands that the host "remote" generated the message and it was relayed through "local".

Any ideas how to avoid this? I understand that there is a configuration command which allows a message to match only one log field, but my messages must be directed both to a SWATCH process and to a file destination. I'd also prefer to rule out complex filter rules which include "remote" and exclude "local"[3]. Since $HOST expands correctly, is it possible to write a filter rule like:

    filter myFilter { "remote" == $HOST; };

Thanks,
Keith Resar

1: There is no way for the machine that generates the messages to connect to the central log host, unless I rig something up using stunnel, etc. I'm not interested in tackling this problem.

2: Since the message was generated by the machine "remote", $HOST expands to remote.

3: Something like:

    filter myFilter { host("remote") and !host("local"); };

Assuming that this syntax is even valid.
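An added configuration sketch (not part of Keith's message or of syslog-ng's own documentation) showing one way to address the situation above: disable the "remote/local" hostname chaining so the host filter sees only the originating host, and route the matching messages to both a per-host file and a SWATCH process from a single log statement. It assumes the chained form comes from syslog-ng's chain_hostnames() option; the source port, file paths and the swatch wrapper script are placeholders.

```conf
# Added example configuration; paths and the swatch wrapper are placeholders.
# Assumption: the "remote/local" hostname seen in the post is produced by
# chain_hostnames(), so turning it off leaves $HOST as the originating host.

options {
    chain_hostnames(no);   # do not append the relaying host to the hostname field
    keep_hostname(yes);    # trust the hostname carried in the received packet
};

# Messages arrive from the local mail-to-syslog converter over UDP on loopback
# (port is a placeholder; use whatever the converter sends to).
source s_relayed {
    udp(ip("127.0.0.1") port(514));
};

# host() is a regular-expression match, so anchor it; with chaining off,
# a message relayed from "remote" no longer matches host("local").
filter f_remote {
    host("^remote$");
};

# Per-host file destination; $HOST expands to the originating hostname.
destination d_hostfile {
    file("/var/log/hosts/$HOST/messages");
};

# Feed the same messages to SWATCH via a wrapper that reads standard input
# (placeholder path; the wrapper invokes swatch with the site's own options).
destination d_swatch {
    program("/usr/local/bin/swatch-stdin.sh");
};

# One log path, two destinations: no need for flags(final) or for a filter
# that includes "remote" and excludes "local".
log {
    source(s_relayed);
    filter(f_remote);
    destination(d_hostfile);
    destination(d_swatch);
};
```

Check the effect by sending a test packet with a hostname of "remote" to the relayed source and confirming it lands under /var/log/hosts/remote/ and reaches the swatch wrapper, while a packet whose hostname is "local" does neither.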