I have searched the whole archive but I have not found any solution to my problem. ----------------- destination messages { file("/var/log/messages.log"); };  filter f_messages { level(info..warn) and not macht("snort") and not facility(auth, news, mail); }; log { source(s_tcp); filter(f_messages); destination(messages); }; ---------------------- I want logs that contain word "snort" not to be directed to /var/log/messages but it seems that filter not match("snort") does not work. Thank you in advance for your help marbo