Filtering out messages before any other action
I have the following as the first log path in my configuration; however, my understanding is that this should match any message with the text 'type=traffic' AND any of the listed policyid=## or a message with the text 'action=timeout'. flags(final) indicates that it should not be further processed by any other log path. However, I'm still seeing messages that should be discarded. Am I doing something wrong?

    log {
        if {
            filter { message('type=traffic'); };
            filter {
                ( message('policyid=35 ') or message('policyid=37 ') or message('policyid=38 ')
                  or message('policyid=40_D ') or message('policyid=5 ') or message('policyid=10 ')
                  or message('policyid=12 ') or message('policyid=50 ') or message('policyid=3 ')
                  or message('action=timeout ') );
            };
            destination { file("/dev/null"); };
        };
        flags(final);
    };

Thanks,
-Mark
Hello,

Without the other part - where you do not expect the message to be received, and its connection to this logpath - it is kinda hard to say much.

Logpath on the same level:

    log { filter { message("boo"); }; flags(final); };
    log { flags(final); };

In this case, if the first logpath "accepts" the message (the filter matches in this example), the other logpath is never going to see the message. Otherwise it will.

But if you use *if* in the first logpath:

    log { if { filter { message("boo"); }; }; flags(final); };

It does not matter if the *filter* matches or not, as either way the logpath "accepts" the log, so the other logpath (not speaking about embedded logpaths) won't see the message.

If you use an embedded logpath:

    log {
        if { filter { message("boo"); }; };
        log {
            # inner path
        };
        flags(final);
    };

Despite the result of the previous *if*, the inner logpath is going to get the message.

Do you have a specific use case to *drop* the message via writing it into "/dev/null"?

--
Kokan

On Tue, Mar 26, 2019 at 2:14 PM Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov> wrote:
I have the following as the first log path in my configuration; however, my understanding is that this should match any message with the text 'type=traffic' AND any of the listed policyid=## or a message with the text 'action=timeout'. flags(final) indicates that it should not be further processed by any other log path. However, I'm still seeing messages that should be discarded. Am I doing something wrong?

    log {
        if {
            filter { message('type=traffic'); };
            filter {
                ( message('policyid=35 ') or message('policyid=37 ') or message('policyid=38 ')
                  or message('policyid=40_D ') or message('policyid=5 ') or message('policyid=10 ')
                  or message('policyid=12 ') or message('policyid=50 ') or message('policyid=3 ')
                  or message('action=timeout ') );
            };
            destination { file("/dev/null"); };
        };
        flags(final);
    };
Thanks, -Mark
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
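A drop path that does what the original post intended, following the accept/final semantics Kokan describes: the filters go directly into the log path rather than into an if block, and no /dev/null destination is needed. This is an added example, not configuration from the thread; the source and destination names (s_fw, d_keep) and the network source settings are assumptions.

```conf
# Added example, not from the thread. Prepend the @version: line that matches
# your installation. Assumed names: s_fw is the source the firewall messages
# arrive on, d_keep is where everything else should go.
source s_fw { network(transport("udp") port(514)); };
destination d_keep { file("/var/log/firewall.log"); };

# Drop path. The filters sit directly in the log path, not inside if { ... }.
# A message that fails either filter is not accepted by this path, so
# flags(final) does not apply to it and it continues to the next path.
# A message that passes both filters is accepted; with flags(final) set it
# never reaches the next path, and because the path has no destination it is
# simply dropped. Writing it to file("/dev/null") adds nothing.
log {
    source(s_fw);
    filter { message('type=traffic'); };
    filter {
        message('policyid=35 ') or message('policyid=37 ')
        or message('policyid=38 ') or message('policyid=40_D ')
        or message('policyid=5 ') or message('policyid=10 ')
        or message('policyid=12 ') or message('policyid=50 ')
        or message('policyid=3 ') or message('action=timeout ');
    };
    flags(final);
};

# Wrapping the same filters in if { ... } without an else would make this
# path accept every message (the non-matching ones fall through the empty
# else branch), and flags(final) would then hide all of them from d_keep,
# which is exactly the "everything went to /dev/null" symptom.

# Everything the drop path did not accept lands here.
log {
    source(s_fw);
    destination(d_keep);
};
```

Check the file with `syslog-ng --syntax-only` before reloading, and watch the volume reaching d_keep afterwards: a drop path that matches too broadly silently discards the audit trail.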
Thanks, that explains a lot. I was having both of those issues yesterday. Everything was going to /dev/null, not just the messages I assumed were being accepted by the first log path. I see why now. Also, when I was trying to use embedded log paths instead of if/else, everything was being accepted by the top-level log path regardless.

The messages going to /dev/null are just some firewall messages that we are not concerned with and that would fill up our disk space very quickly if they aren't filtered out.

-Mark

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of Péter, Kókai
Sent: Wednesday, March 27, 2019 1:58 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Filtering out messages before any other action