Hello:

We have a system that sends messages to syslog-ng (latest version 2.0.8, but this has occurred on all 2.x versions so far). This is what is happening: an application has a message that is too long for syslog, so it breaks the message into 2 separate syslog messages. The first one is a length seen in Wireshark of 1066 bytes. The second packet is either 69 or 70 bytes and it is simply the leftover characters 0\n\n.

The problem is that the filter in my syslog-ng.conf file is not catching the second, smaller message. Instead of going to the file I direct it to, it goes to the default file (which I do not want). What is causing this packet to not be processed by my filter?

Attached is a copy of the relevant syslog-ng.conf data as well as the actual Wireshark trace information. Please advise, and thanks!

-Chris

syslog-ng.conf file:

    source all_devices { udp(ip(0.0.0.0) port(514)); };

    destination d_catch_all_others {
        file("/var/log/syslog-ng-logs/everything_else.1" perm(0644) template(t_default));
    };
    destination d_pt_network_device {
        file("/var/log/syslog-ng-logs/pt_network_device.1" perm(0644) template(t_default));
    };

    filter f_all_devices { not (host(1.2.3.4) or host(2.3.4.5)); };
    filter f_pt_network_device { host(1.2.3.4) or host(2.3.4.5); };

    log { source(all_devices); filter(f_all_devices); destination(d_catch_all_others); };
    log { source(all_devices); filter(f_pt_network_device); destination(d_pt_network_device); };

Here is the Wireshark capture:

    No.  Time             Source   Destination  Protocol  Packet length  Info
    1    09:14:23.073515  1.2.3.4  9.8.7.6      Syslog    1066           LOCAL2.ERR: Feb 1 09:14:23 auditd: Feb 1 14:14:23 2008 GMT f_system a_hmon t_geninfo p_major pid: 1372 ruid: 0 euid: 0 pgid: 1372 fid: 0 logid: 0 cmd: 'monitord' domain: HMON edomain: HMON hostname: perfjupiterb.bwc.state.oh.us +|health monitor|MON_INFO|MAJOR|SYS|HMONINFO\n=Health Monitor data follows\n\nuptime_util:\t 32 days\t 5:59\nload_avg:\t 0.10\nmem_percent:\t 6.09\ncpu_percent:\t 0\ntcp_count:\t 19\nudp_count:\t 8\nproxy_info:\t syslogd \t1\nproxy_info:\t named \t7\nproxy_info:\t squid \t6\nproxy_info:\t ntpd \t2\nproxy_info:\t snmpp \t2\nproxy_info:\t pudp \t63\nproxy_info:\t entrelayd \t3\nproxy_info:\t dnsp \t2\nproxy_info:\t tcpgsp:(1425) \t2\nproxy_info:\t warder_auth \t5\nproxy_info:\t sshd \t2\ntcp_data:\t ESTABLISHED\t13\ntcp_data:\t TIME_WAIT\t6\ntcp_data:\t FIN_WAIT_1\t0\ntcp_data:\t FIN_WAIT_2\t0\ntcp_data:\t CLOSE_WAIT\t0\nipf_data:\t TCP Total\t\t0\nipf_data:\t UDP Total\t\t0\nipf_total:\t

    Frame 1 (1066 bytes on wire, 1066 bytes captured)
        Arrival Time: Feb 1, 2008 09:14:23.073515000
        [Time delta from previous packet: 0.000000000 seconds]
        [Time since reference or first frame: 0.000000000 seconds]
        Frame Number: 1
        Packet Length: 1066 bytes
        Capture Length: 1066 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:syslog]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Cisco_12:b4:4a (00:0f:f8:12:b4:4a), Dst: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
        Destination: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
            Address: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Cisco_12:b4:4a (00:0f:f8:12:b4:4a)
            Address: Cisco_12:b4:4a (00:0f:f8:12:b4:4a)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 1.2.3.4 (1.2.3.4), Dst: 9.8.7.6 (9.8.7.6)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 1052
        Identification: 0xa1db (41435)
        Flags: 0x00
            0... = Reserved bit: Not set
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 61
        Protocol: UDP (0x11)
        Header checksum: 0xf7a4 [correct]
            [Good: True]
            [Bad : False]
        Source: 1.2.3.4 (1.2.3.4)
        Destination: 9.8.7.6 (9.8.7.6)
    User Datagram Protocol, Src Port: syslog (514), Dst Port: syslog (514)
        Source port: syslog (514)
        Destination port: syslog (514)
        Length: 1032
        Checksum: 0xf9d3 [correct]
            [Good Checksum: True]
            [Bad Checksum: False]
    Syslog message: LOCAL2.ERR: Feb 1 09:14:23 auditd: Feb 1 14:14:23 2008 GMT f_system a_hmon t_geninfo p_major pid: 1372 ruid: 0 euid: 0 pgid: 1372 fid: 0 logid: 0 cmd: 'monitord' domain: HMON edomain: HMON hostname: perfjupiterb.bwc.sta
        1001 0... = Facility: LOCAL2 - reserved for local use (18)
        .... .011 = Level: ERR - error conditions (3)
        Message [truncated]: Feb 1 09:14:23 auditd: Feb 1 14:14:23 2008 GMT f_system a_hmon t_geninfo p_major pid: 1372 ruid: 0 euid: 0 pgid: 1372 fid: 0 logid: 0 cmd: 'monitord' domain: HMON edomain: HMON hostname: perfjupiterb.bwc.state.oh.u

    No.  Time             Source   Destination  Protocol  Packet length  Info
    2    09:14:23.073537  1.2.3.4  9.8.7.6      Syslog    69             LOCAL2.ERR: Feb 1 09:14:23 0\n\n

    Frame 2 (69 bytes on wire, 69 bytes captured)
        Arrival Time: Feb 1, 2008 09:14:23.073537000
        [Time delta from previous packet: 0.000022000 seconds]
        [Time since reference or first frame: 0.000022000 seconds]
        Frame Number: 2
        Packet Length: 69 bytes
        Capture Length: 69 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:syslog]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Cisco_12:b4:4a (00:0f:f8:12:b4:4a), Dst: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
        Destination: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
            Address: CompaqHp_41:c6:af (00:0b:cd:41:c6:af)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Cisco_12:b4:4a (00:0f:f8:12:b4:4a)
            Address: Cisco_12:b4:4a (00:0f:f8:12:b4:4a)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 1.2.3.4 (1.2.3.4), Dst: 9.8.7.6 (9.8.7.6)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 55
        Identification: 0xa1dc (41436)
        Flags: 0x00
            0... = Reserved bit: Not set
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 61
        Protocol: UDP (0x11)
        Header checksum: 0xfb88 [correct]
            [Good: True]
            [Bad : False]
        Source: 1.2.3.4 (1.2.3.4)
        Destination: 9.8.7.6 (9.8.7.6)
    User Datagram Protocol, Src Port: syslog (514), Dst Port: syslog (514)
        Source port: syslog (514)
        Destination port: syslog (514)
        Length: 35
        Checksum: 0xec1c [correct]
            [Good Checksum: True]
            [Bad Checksum: False]
    Syslog message: LOCAL2.ERR: Feb 1 09:14:23 0\n\n
        1001 0... = Facility: LOCAL2 - reserved for local use (18)
        .... .011 = Level: ERR - error conditions (3)
        Message: Feb 1 09:14:23 0\n\n
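The two datagrams in the capture differ in one place that matters to a host() filter: in frame 1 the token after the timestamp is "auditd:", a program tag, while in frame 2 it is the bare "0". Under the BSD syslog (RFC 3164) header layout, PRI TIMESTAMP HOSTNAME TAG: MSG, a collector reading frame 2 has every reason to take "0" as the hostname, and a filter that matches on the parsed HOST field then sees "0", not the sender. The script below is an added example written for this post, not syslog-ng code: it emulates that header parsing on payloads reconstructed from the Wireshark decode (PRI <147> = LOCAL2.ERR, body of frame 1 truncated, two-space day padding as BSD syslog writes it; all constructed) and routes each one with the post's two filters. How syslog-ng 2.x itself fills $HOST also depends on its own parser and on the keep_hostname() and use_dns() options, which this script does not model; the point it does show is why a filter keyed on the datagram's source address (the check syslog-ng's netmask() filter performs) is immune to whatever the header parser made of a truncated fragment.

```python
"""Emulate BSD-syslog header parsing on the two captured datagrams and route
them the way the post's filters would.  Added example, not syslog-ng code."""
import re
from dataclasses import dataclass

# Constructed from the trace: facility LOCAL2 (18) * 8 + severity ERR (3) = PRI 147.
# Frame 1's body is truncated here; the header is what the routing depends on.
FRAME1 = ("<147>Feb  1 09:14:23 auditd: Feb 1 14:14:23 2008 GMT f_system a_hmon "
          "t_geninfo p_major pid: 1372 ruid: 0 euid: 0 pgid: 1372 fid: 0 logid: 0 "
          "cmd: 'monitord' domain: HMON edomain: HMON hostname: perfjupiterb.bwc.state.oh.us")
FRAME2 = "<147>Feb  1 09:14:23 0\n\n"
SENDER = "1.2.3.4"                     # source address of both datagrams
PT_HOSTS = {"1.2.3.4", "2.3.4.5"}      # the hosts named in f_pt_network_device

PRI_RE = re.compile(r"^<(\d{1,3})>")
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")


@dataclass
class ParsedMessage:
    facility: int
    severity: int
    host: str
    program: str
    message: str


def parse_bsd_syslog(payload: str, sender: str) -> ParsedMessage:
    """Parse '<PRI>TIMESTAMP HOSTNAME TAG: MSG'.

    The token after the timestamp is the hostname unless it ends in a colon,
    in which case it is the program tag, no hostname was sent, and the host
    falls back to the sending address (the generic BSD-syslog convention)."""
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group(1))
    rest = payload[m.end():]
    ts = TIMESTAMP_RE.match(rest)
    if not ts:
        raise ValueError("missing BSD timestamp")
    rest = rest[ts.end():]
    # Next whitespace-delimited token.  In frame 2 the datagram ends right after
    # it, so the token carries the trailing newlines and must be trimmed.
    token, _, remainder = rest.partition(" ")
    token = token.rstrip("\r\n")
    if token.endswith(":"):
        host, program, message = sender, token[:-1], remainder
    else:
        host = token
        prog_token, _, message = remainder.partition(" ")
        program = prog_token.rstrip(":")
    return ParsedMessage(pri >> 3, pri & 7, host, program, message.rstrip())


def host_filter(msg: ParsedMessage, allowed: set) -> bool:
    """Equivalent of 'filter { host(1.2.3.4) or host(2.3.4.5); }': keyed on parsed HOST."""
    return msg.host in allowed


def sender_filter(sender: str, allowed: set) -> bool:
    """Keyed on the datagram's source address instead, as a netmask()-style filter is."""
    return sender in allowed


def route(payload: str, sender: str, allowed: set) -> str:
    """Apply the post's two log statements: f_pt_network_device, else the catch-all."""
    msg = parse_bsd_syslog(payload, sender)
    return "d_pt_network_device" if host_filter(msg, allowed) else "d_catch_all_others"


if __name__ == "__main__":
    for name, payload in (("frame 1", FRAME1), ("frame 2", FRAME2)):
        parsed = parse_bsd_syslog(payload, SENDER)
        print(f"{name}: HOST={parsed.host!r} PROGRAM={parsed.program!r} "
              f"-> {route(payload, SENDER, PT_HOSTS)} "
              f"(sender-based match: {sender_filter(SENDER, PT_HOSTS)})")
```

Running it shows frame 1 parsed with HOST 1.2.3.4 and landing in d_pt_network_device, while frame 2 parses with HOST "0" and falls through to d_catch_all_others; the sender-based check is true for both. A second observation the parse makes visible: the fragment has no program tag and no body, so whatever the collector writes for it carries nothing but a timestamp, which is also worth knowing when reviewing the catch-all file.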