Dan,

It's true that syslog-ng continues to log after a match was found, and this is a necessary function of the software. It logs as long as a match is found. Your best bet for filtering out the things you don't want in the log is to use the boolean operators in your filters:

    filter f_host_ip { facility(daemon) and not host("10.10.10.10"); };

Something of this nature, and then add your host in a filter:

    filter f_myhost { facility(daemon) and host("10.10.10.10"); };

Like that. Hope that helps.

Regards,
Drew

-----Original Message-----
From: Nijs, Daniel [mailto:NijsD@telergy.net]
Sent: Tuesday, July 10, 2001 9:28 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]syslog-ng.conf

Hello,

I am relatively new to syslog-ng (only been running it for a month) and love the software. I would like to congratulate the author on doing such a great job. This is a powerful product, and with this comes complexity, and I have a few questions I am not able to find an answer for.

I have a webserver logging to a centralized host, and I filter the logs using specific criteria (i.e. document name). Let's give this file a name to make this question easier to understand. I log this data to hits.log. Now, I want to filter out a certain IP to a separate file (ip.log), and not show the entries that were logged to ip.log in hits.log.

It seems that syslog-ng keeps processing all rules, even after there was a match. I was hoping that there was an option to stop processing any further rules for that matched data to solve this problem, but am unable to find any solution. Does anyone have any suggestions on how to do this?

Thanks.

Best regards,
Dan
participants (1)
-
Hamilton, Andrew Mr RAYTHEON 5 SIG CMD
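
The two filters from the reply, wired into complete log paths so that hits.log and ip.log stay disjoint. This is an added example, not part of the original messages; the source definition, the f_doc pattern, the destination names and the /var/log paths are assumptions.

```conf
# Constructed example: s_net, f_doc, d_hits, d_ip and the file paths are
# illustrative names, not taken from the thread.
source s_net { udp(ip(0.0.0.0) port(514)); };

# The "document name" criterion from the question (placeholder pattern).
filter f_doc     { match("report"); };

# Filters exactly as given in the reply: one selects the host,
# the other is its complement.
filter f_host_ip { facility(daemon) and not host("10.10.10.10"); };
filter f_myhost  { facility(daemon) and host("10.10.10.10"); };

destination d_hits { file("/var/log/hits.log"); };
destination d_ip   { file("/var/log/ip.log"); };

# Every log statement is evaluated for every message, and several
# filter() references in one statement are ANDed. Because f_myhost and
# f_host_ip are complements, a message can reach only one destination.
log { source(s_net); filter(f_doc); filter(f_myhost);  destination(d_ip); };
log { source(s_net); filter(f_doc); filter(f_host_ip); destination(d_hits); };

# Alternative for syslog-ng versions that support the "final" log flag:
# list the ip.log path first and stop processing there, so the hits.log
# path needs no negated host filter.
#
# log { source(s_net); filter(f_doc); filter(f_myhost);
#       destination(d_ip); flags(final); };
# log { source(s_net); filter(f_doc); destination(d_hits); };
```

host() matches the hostname field of the syslog message; if the address to separate appears only in the message text, the same pair of complementary filters can be built on match() instead.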