RE: [syslog-ng]filter question: already matched
James,

Well, I'm not sure if you are still making an error in your cut and paste, but the destination and filter you put in the message don't match your log line. You mention that they are set correctly but you didn't post the correct one. Not sure we can help without the correct line.

The idea you put forth is sound and should work with what you have. What exactly is happening? Is it not logging? As a first look, take off the hostname part of the filter to see what you are getting in the DEFAULT filter. I do this on occasion, and sometimes it will surprise you that you aren't getting what you expect.

Regards,
Drew

-----Original Message-----
From: James Hamilton [mailto:jamesh@swcp.com]
Sent: Friday, May 18, 2001 8:08 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]filter question: already matched

And yes, the destination and filter are set correctly in my rules. I just did a poor copy and paste job in my email :-)

On Fri, May 18, 2001 at 11:42:16AM -0600, James Hamilton wrote:
Hi, I'm having some trouble setting up a filter. In plain English the
rule would read something like below, any suggestions?
Match everything for this host except things that have already been
matched for this host then drop them into a messages file.
##
## hosts messages log
##
destination d_messages {
    file("/var/log/$MONTH/$HOST/$HOST_messages.$MONTH-$DAY-$YEAR"
         owner(root) group(staff) perm(0640) dir_perm(0750)
         create_dirs(yes));
};

filter f_messages { (filter(DEFAULT) and host("somehostname")); };

log { source(root);
      filter(f_cron);
      ^^^^^^^^^^^^^^^^^^^^
      destination(d_cron);
      ^^^^^^^^^^^^^^^^^^^^
};
--
James Hamilton
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
--
James Hamilton
Participants (1): Hamilton, Andrew Mr RAYTHEON 5 SIG CMD