Filter netmask not working as expected
Hi guys,
Just new, and created the following conf for testing purposes. The problem is that I get the logs in both destinations despite the filter.

@version: 3.4
@include "scl.conf"

options {
    keep_hostname(yes);
    normalize_hostnames(yes);
    threaded(yes);
    ts_format(iso); # Adds TZ
    #use_fqdn(yes);
    use_dns(no);
};

source s_local { system(); internal(); };
source s_network { udp(); };

destination d_local { file("/var/log/messages"); };
destination d_my_mac { file("/var/log/mymac"); };

filter f_my_mac { netmask(10.24.18.2/255.255.255.255); };

log { source(s_network); filter(f_my_mac); destination(d_my_mac); flags(final); };

log {
    source(s_local);
    # uncomment this line to open port 514 to receive messages
    source(s_network);
    #destination(d_central_udp);
    destination(d_local);
};

As netmask I also tried CIDR /24 and same thing. The problem is that I get the logs in both destinations. I only want to have them in my_mac.
Thanks!
hi,
if you reference a source from two log statements both will get a copy of the same message. in the 2nd statement you request to send messages to d_local without filtering. that includes your ip too.
ahh, i see you are using flags(final), that should do the trick if the message is received on the same source (e.g. s_network). are you sure this is the case?
also, you can start syslog-ng in the foreground, enabling debug messages which should help you to narrow the problem further down.
# syslog-ng -Fedv
----- Original message -----
Hi guys,
Just new, and created the following conf for testing purposes. The problem is that I get the logs in both destinations despite the filter.
@version: 3.4 @include "scl.conf"
options {
    keep_hostname(yes);
    normalize_hostnames(yes);
    threaded(yes);
    ts_format(iso); # Adds TZ
    #use_fqdn(yes);
    use_dns(no);
};
source s_local { system(); internal(); };
source s_network { udp(); };
destination d_local { file("/var/log/messages"); };
destination d_my_mac { file("/var/log/mymac"); };
filter f_my_mac { netmask(10.24.18.2/255.255.255.255); };
log { source(s_network); filter(f_my_mac); destination(d_my_mac); flags(final); };
log {
    source(s_local);
    # uncomment this line to open port 514 to receive messages
    source(s_network);
    #destination(d_central_udp);
    destination(d_local);
};
As netmask I also tried CIDR /24 and same thing. The problem is that I get the logs in both destinations. I only want to have them in my_mac.
Thanks!
Thanks for the reply! I started it in foreground and sent only one log from my mac. This is the result, and at the bottom I pasted my conf, which is very basic and short as I am testing this.

Incoming log entry; line='<190>Nov 20 12:22:20 Gandalf brahama[90151]: test mymac\x0a'
Filter rule evaluation begins; rule='f_casper', location='/usr/local/etc/syslog-ng.conf:58:18'
Filter node evaluation result; result='not-match'
Filter rule evaluation result; result='not-match', rule='f_casper', location='/usr/local/etc/syslog-ng.conf:58:18'
Filter rule evaluation begins; rule='f_my_mac', location='/usr/local/etc/syslog-ng.conf:54:18'
Filter node evaluation result; result='match'
Filter rule evaluation result; result='match', rule='f_my_mac', location='/usr/local/etc/syslog-ng.conf:54:18'
Initializing destination file writer; template='/var/log/mymac', filename='/var/log/mymac'
Initializing destination file writer; template='/var/log/messages', filename='/var/log/messages'
Incoming log entry; line='<142>Nov 20 12:44:49 Gandalf brahama[90207]: test mymac\x0a'
Filter rule evaluation begins; rule='f_my_mac', location='/usr/local/etc/syslog-ng.conf:54:18'
Filter node evaluation result; result='match'
Filter rule evaluation result; result='match', rule='f_my_mac', location='/usr/local/etc/syslog-ng.conf:54:18'
syslog-ng shutting down; version='3.4.0alpha3'
Closing log transport fd; fd='7'
Closing log transport fd; fd='20'
Closing log transport fd; fd='21'
Running application hooks; hook='4'
------------

And this is my configuration, the entire file:

@version: 3.4
@include "scl.conf"

options {
    keep_hostname(yes);
    normalize_hostnames(yes);
    threaded(yes);
    ts_format(iso);
    use_fqdn(yes);
};

source s_local { system(); internal(); };
source s_network { udp(so_rcvbuf(1048576)); };

destination d_my_mac { file("/var/log/mymac"); };
destination d_casper { file("/var/log/$HOST"); };

filter f_my_mac { netmask(10.24.18.0/255.255.255.0); };
filter f_casper { netmask(10.24.150.192/255.255.255.255); };

log { source(s_network); filter(f_my_mac); destination(d_my_mac); flags(final); };

destination d_local { file("/var/log/messages"); };

log { source(s_network); destination(d_local); };
-------------------------------------------------

Still seeing the log in both files, messages and mymac :S
Thanks!

2012/11/20 Balazs Scheidler <bazsi77@gmail.com>
hi,
if you reference a source from two log statements both will get a copy of the same message. in the 2nd statement you request to send messages to d_local without filtering. that includes your ip too.
ahh, i see you are using flags(final), that should do the trick if the message is received on the same source (e.g. s_network). are you sure this is the case?
also, you can start syslog-ng in the foreground, enabling debug messages which should help you to narrow the problem further down.
# syslog-ng -Fedv
----- Original message -----
Hi guys,
Just new, and created the following conf for testing purposes. The problem is that I get the logs in both destinations despite the filter.
@version: 3.4 @include "scl.conf"
options {
    keep_hostname(yes);
    normalize_hostnames(yes);
    threaded(yes);
    ts_format(iso); # Adds TZ
    #use_fqdn(yes);
    use_dns(no);
};
source s_local { system(); internal(); };
source s_network { udp(); };
destination d_local { file("/var/log/messages"); };
destination d_my_mac { file("/var/log/mymac"); };
filter f_my_mac { netmask(10.24.18.2/255.255.255.255); };
log { source(s_network); filter(f_my_mac); destination(d_my_mac); flags(final); };
log {
    source(s_local);
    # uncomment this line to open port 514 to receive messages
    source(s_network);
    #destination(d_central_udp);
    destination(d_local);
};
As netmask I also tried CIDR /24 and same thing. The problem is that I get the logs in both destinations. I only want to have them in my_mac.
Thanks!
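The routing rules Balazs describes (every log statement that references a source gets its own copy of the message; a matching statement with flags(final) stops later statements fed by the same source) and the way netmask() decides a match are easy to get wrong when reading a config, so here is a small model of them, written for this thread and not taken from syslog-ng itself. It encodes both configurations posted above as data and predicts which destinations a message should reach. Two assumptions are built in: the flags(final) behaviour is modelled exactly as the reply states it, and netmask() is evaluated against the address the datagram was received from (the sender IP, what syslog-ng exposes as SOURCEIP), not against the HOST field inside the message, so a message arriving on a local source such as system() has no sender address and never matches.

```python
import ipaddress

# Constructed model of the log-path rules discussed in this thread (not syslog-ng code).
# A message records the source it arrived on and, for network sources, the IP address
# the datagram came from; local sources (system(), internal()) have no sender address.


def netmask_filter(network, mask):
    """Build a predicate that behaves like syslog-ng's netmask() filter.

    The check uses the address the message was received from (SOURCEIP), not the
    HOST field in the message text, so a message relayed by another host matches
    the relay's address, and a message from a local source never matches.
    """
    subnet = ipaddress.ip_network(f"{network}/{mask}", strict=False)

    def matches(msg):
        sender = msg.get("sender_ip")
        return sender is not None and ipaddress.ip_address(sender) in subnet

    return matches


def route(msg, log_statements):
    """Return the destinations the message reaches, in configuration order.

    Assumed semantics, following the reply in this thread: each log statement
    that references the message's source receives its own copy; once a statement
    carrying flags(final) accepts the message, later statements fed by that same
    source do not see it.
    """
    delivered = []
    stopped = False
    for stmt in log_statements:
        if msg["source"] not in stmt["sources"]:
            continue  # this statement is not fed by the message's source
        if stopped:
            continue  # an earlier final statement consumed this source's copy
        flt = stmt.get("filter")
        if flt is not None and not flt(msg):
            continue  # filter rejected the message; the next statement still sees it
        delivered.extend(stmt["destinations"])
        if stmt.get("final", False):
            stopped = True
    return delivered


# The first configuration from the thread, expressed as data.
FIRST_CONFIG = [
    {"sources": {"s_network"},
     "filter": netmask_filter("10.24.18.2", "255.255.255.255"),
     "destinations": ["d_my_mac"], "final": True},
    {"sources": {"s_local", "s_network"},
     "destinations": ["d_local"]},
]

# The second configuration, where both statements read only s_network.
SECOND_CONFIG = [
    {"sources": {"s_network"},
     "filter": netmask_filter("10.24.18.0", "255.255.255.0"),
     "destinations": ["d_my_mac"], "final": True},
    {"sources": {"s_network"},
     "destinations": ["d_local"]},
]

# Constructed sample messages: the mac, another host on the network, and a local one.
FROM_MAC = {"source": "s_network", "sender_ip": "10.24.18.2", "text": "test mymac"}
FROM_OTHER = {"source": "s_network", "sender_ip": "10.24.150.192", "text": "hello"}
FROM_LOCAL = {"source": "s_local", "sender_ip": None, "text": "local message"}


if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        for msg in (FROM_MAC, FROM_OTHER, FROM_LOCAL):
            print(f"{name} config, {msg['source']} from {msg['sender_ip']}: "
                  f"{route(msg, cfg)}")
```

Under these rules a message from 10.24.18.2 reaches only d_my_mac in both configurations, while the debug trace above shows file writers for both /var/log/mymac and /var/var/log/messages being initialized for that message. Comparing the model's prediction for each message against the "Filter rule evaluation" and "Initializing destination file writer" lines of a trace captured with syslog-ng -Fedv is the quickest way to see which of the two rules the running instance is not applying as expected.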
participants (2)
-
Agus
-
Balazs Scheidler