Howdy-

I think that there might be an inconsistency between the behavior determined by syslog.conf and that by syslog-ng.conf.RedHat (from syslog-ng-1.4.12.tar.gz and syslog-ng-1.5.9.tar.gz).

The stock syslog.conf file sends a message to /var/log/messages if it is of level info or higher unless it comes from facility mail, authpriv, or cron:

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none    /var/log/messages

whereas, if I understand it correctly, the relevant lines from syslog-ng.conf.RedHat

    destination d_mesg { file("/var/log/messages"); };
    filter f_filter2 { level(info) or facility(mail) or facility(authpriv); };
    log { source(s_sys); filter(f_filter2); destination(d_mesg); };

send a message to /var/log/messages if it is exactly of level info, or if it comes from facility mail or authpriv.

I am not sure about the internals of filter evaluation (is it lazy?) so as to write the fastest rule but

    filter f_filter2 { not level(debug) and not (facility(mail) or facility(authpriv) or facility(cron)); };

seems to work.

Also, thanks for such a nice package.

Regards,
james

--
Dr. James Riordan                email: rij@zurich.ibm.com
IBM Research                     notes: James Riordan/Zurich/IBM
Säumerstrasse 4                  Tel +41 (0) 1 724 89 81
CH-8803 Rüschlikon, Switzerland  Fax +41 (0) 1 724 89 53
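An added example, not part of the original message or of the syslog-ng distribution: a small Python model of the three rules quoted above that lists every (facility, level) pair on which a filter disagrees with the stock syslog.conf selector. It assumes, as the message does, that level(info) matches only level info; the facility list is a constructed sample.

```python
from itertools import product

# syslog severities, most severe first
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Constructed sample: the three excluded facilities plus two ordinary ones
FACILITIES = ["kern", "daemon", "mail", "authpriv", "cron"]
EXCLUDED = ("mail", "authpriv", "cron")


def at_least(level, floor):
    """True if `level` is `floor` or more severe (syslog.conf semantics)."""
    return LEVELS.index(level) <= LEVELS.index(floor)


def stock_syslog(fac, lvl):
    # *.info;mail.none;authpriv.none;cron.none
    return at_least(lvl, "info") and fac not in EXCLUDED


def shipped_filter(fac, lvl):
    # level(info) or facility(mail) or facility(authpriv)
    # Assumption from the message: level(info) is an exact match.
    return lvl == "info" or fac in ("mail", "authpriv")


def proposed_filter(fac, lvl):
    # not level(debug) and not (facility(mail) or facility(authpriv) or facility(cron))
    return lvl != "debug" and not (fac == "mail" or fac == "authpriv" or fac == "cron")


def divergences(candidate):
    """Pairs where `candidate` and the stock selector disagree.

    'leaked'  = written to /var/log/messages although syslog.conf excludes it
    'dropped' = missing from /var/log/messages although syslog.conf logs it
    """
    out = []
    for fac, lvl in product(FACILITIES, LEVELS):
        want, got = stock_syslog(fac, lvl), candidate(fac, lvl)
        if want != got:
            out.append((fac, lvl, "leaked" if got else "dropped"))
    return out


if __name__ == "__main__":
    for name, f in (("shipped", shipped_filter), ("proposed", proposed_filter)):
        diffs = divergences(f)
        print(f"{name}: {len(diffs)} divergent pairs")
        for fac, lvl, kind in diffs:
            print(f"  {fac}.{lvl}: {kind}")
```

Under this model the shipped filter both writes authpriv messages at every level into /var/log/messages and drops everything above info from the ordinary facilities, while the proposed filter matches the stock selector on every pair.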