For some reason for the sonicwall lines the "sonicwall" line doesn't seem to filter messages that have proto=http even though I specify not match.

source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
source network { udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514)); };

destination messages { file("/var/adm/messages"); };
destination non-catch { file("/var/syslog/non-catch"); };
destination console { usertty("root"); };
destination auth { file("/var/log/authlog"); };
destination mail { file("/var/log/syslog"); };
destination debug { file("/var/log/debug"); };
destination console_all { usertty("*"); };
destination sonicwall { file("/var/syslog/sonicwall"); };
destination sonicwall-www { file("/var/syslog/sonicwall-www"); };

filter f_sonicwall { host("sonicwall") and not match("proto=http"); };
filter f_sonicwall-www { host("sonicwall") and match("proto=http"); };
filter f_auth { facility(auth); };
filter f_syslog { not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };

log { source(network); filter(f_sonicwall-www); destination(sonicwall-www); };
log { source(network); filter(f_sonicwall); destination(sonicwall); };
log { source(local); filter(f_auth); destination(auth); };
log { source(local); filter(f_syslog); destination(messages); };
log { source(local); filter(f_daemon); destination(messages); };
log { source(local); filter(f_kern); destination(messages); };
log { source(local); filter(f_mail); destination(mail); };
log { source(network); filter(DEFAULT); destination(non-catch); };
participants (1)
-
death die