I am working on setting up a central syslog-ng server running on FreeBSD 6-STABLE. I have local logging set up. I also have the service listening on udp and tcp ports. I need help to figure out how to have a filter so it filters by hostname, then by service.

syslog-ng.conf

    ####################
    # Options
    ####################
    options {
        keep_hostname(yes);
        long_hostnames(off);
        sync(0);
    };

    ####################
    # Sources
    ####################
    source local {
        file("/dev/klog" log_prefix("kernel: "));
        unix-dgram("/var/run/log");
        internal();
        tcp(keep-alive(yes));
        udp();
    };

    ####################
    # Destinations
    ####################
    # Destination Files from Local Host
    destination all       { file("/var/log/all.log"); };
    destination la_cron   { file("/var/log/cron.log"); };
    destination la_sudo   { file("/var/log/sudo.log"); };
    destination ld_sshd   { file("/var/log/sshd.log"); };
    destination ls_kernel { file("/var/log/kernel.log"); };

    ####################
    # Filters
    ####################
    # "cron[1234]:" -- the PID brackets are escaped, the digits sit in a class.
    filter fa_cron { match("cron\[[0-9]+\]"); };
    filter fa_sudo { match("sudo:"); };
    # "and" binds tighter than "or", so the message patterns are grouped in
    # parentheses; otherwise only "Server listening" would require the sshd tag.
    filter fd_sshd {
        match("sshd\[[0-9]+\]") and (
            match("Server listening")
            or match("Connection from")
            or match("client software version")
            or match("Accepted password")
            or match("Failed password")
            or match("Connection closed")
            or match("Closing connection")
            or match("subsystem request")
            or match("Received signal 15")
        );
    };
    filter f_kernel { match("kernel: "); };
    filter f_status { host("status"); };
    # Everything not already claimed by a service filter above.
    filter f_terms {
        not match("cron\[[0-9]+\]")
        and not match("sudo:")
        and not match("sshd\[[0-9]+\]")
        and not match("kernel: ");
    };

    ####################
    # Logs
    ####################
    # Logs for Local Host
    log { source(local); filter(f_status); filter(f_terms);  destination(all); };
    log { source(local); filter(f_status); filter(fa_cron);  destination(la_cron); };
    log { source(local); filter(f_status); filter(fa_sudo);  destination(la_sudo); };
    log { source(local); filter(f_status); filter(fd_sshd);  destination(ld_sshd); };
    log { source(local); filter(f_status); filter(f_kernel); destination(ls_kernel); };

----------

With the above I can sort by the local machine, which is named status, then it filters by service. I would like logs to go in the following format:

    /storage/logs/$YEAR/$MONTH/$DAY/$HOST/$service_filter.log

So, I could use my service level filters like for sshd or whatever. Examples would be like the following:

    FQDN: server1.test.com, running sshd
    FQDN: server2.test.com, running named

    /storage/logs/2007/05/02/server1.test.com/sshd.log
    /storage/logs/2007/05/02/server2.test.com/named.log

How would I go about doing this? I would appreciate any suggestions. Thanks.

Phusion
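One way to get the requested layout, as an added example that is not part of the original post and not taken from the syslog-ng project: the directory part of each destination is built from the $YEAR/$MONTH/$DAY/$HOST macros and created on first write, and the service is selected with program() instead of a hand-written regex on the whole line. It assumes syslog-ng 1.6-era syntax (the FreeBSD 6 version), that the server may resolve client addresses to FQDNs, and that /storage/logs is writable by the syslog-ng user.

```conf
####################
# Options
####################
options {
    # Resolve the sender's IP on the server so $HOST is "server1.test.com"
    # even when the client only put its short name in the message.
    # (keep_hostname(yes) would instead trust whatever the client sent.)
    keep_hostname(no);
    use_dns(yes);
    use_fqdn(yes);
    chain_hostnames(no);
    sync(0);
};

####################
# Sources
####################
source remote {
    tcp(ip("0.0.0.0") port(514) keep-alive(yes));
    udp(ip("0.0.0.0") port(514));
};

####################
# Destinations
####################
# One destination per service filter; only the file name differs.
# create_dirs(yes) builds /storage/logs/2007/05/02/server1.test.com/ as needed.
destination d_sshd {
    file("/storage/logs/$YEAR/$MONTH/$DAY/$HOST/sshd.log"
         create_dirs(yes) dir_perm(0750) perm(0640));
};
destination d_named {
    file("/storage/logs/$YEAR/$MONTH/$DAY/$HOST/named.log"
         create_dirs(yes) dir_perm(0750) perm(0640));
};
# Catch-all that names the file after the syslog tag, so a new service gets
# its own file without a config change.
destination d_by_program {
    file("/storage/logs/$YEAR/$MONTH/$DAY/$HOST/$PROGRAM.log"
         create_dirs(yes) dir_perm(0750) perm(0640));
};

####################
# Filters
####################
# program() matches the tag, so "sshd[1234]: ..." is selected directly.
filter f_sshd  { program("^sshd$"); };
filter f_named { program("^named$"); };
# $PROGRAM comes from the remote message and ends up in a path, so only
# accept plain tag names here; anything else is dropped rather than written.
filter f_other { program("^[A-Za-z0-9_.-]+$") and not program("^sshd$") and not program("^named$"); };

####################
# Logs
####################
log { source(remote); filter(f_sshd);  destination(d_sshd); };
log { source(remote); filter(f_named); destination(d_named); };
log { source(remote); filter(f_other); destination(d_by_program); };
```

To keep the existing per-host split, add filter(f_status) style host() filters to these log statements in the same way as in the original config; the macros do the rest.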
participants (1)
-
Ryan