Guys something shit the bed with 3.0.3 on 8.0-PL: ----- config ---------------- source src { unix-dgram("/var/run/log"); filter f_security { facility(security); }; filter f_auth { facility(auth); }; destination security { file("/var/log/security" template(cfi_template)); }; destination authlog { file("/var/log/auth.log" template(cfi_template)); }; log { source(src); filter(f_security); destination(security); flags(final); }; log { source(src); filter(f_auth); destination(authlog); flags(final); }; ------------------------- # /usr/local/sbin/syslog-ng -p /var/run/syslog.pid -tevdF Syslog connection established; fd='5', server='AF_INET(192.168.128.XXX:514)', local='AF_INET(0.0.0.0:0)' Running application hooks; hook='1' Running application hooks; hook='3' syslog-ng starting up; version='3.0.3' ^Z [5]+ Stopped /usr/local/sbin/syslog-ng -p /var/run/syslog.pid -tevdF [root@cfi-db-corp ~]# bg [root@cfi-db-corp ~]# echo test | logger -p auth.info Incoming log entry; line='<38>Mar 18 15:57:40 bseklecki: test' Filter rule evaluation begins; filter_rule='f_ams' Filter node evaluation result; filter_result='not-match', filter_type='level' Filter node evaluation result; filter_result='not-match', filter_type='AND' Filter node evaluation result; filter_result='not-match', filter_type='AND' Filter rule evaluation result; filter_result='not-match', filter_rule='f_ams' Filter rule evaluation begins; filter_rule='f_auth' Filter node evaluation result; filter_result='match', filter_type='facility' Filter rule evaluation result; filter_result='match', filter_rule='f_auth' Filter rule evaluation begins; filter_rule='f_ams' Filter node evaluation result; filter_result='not-match', filter_type='level' Filter node evaluation result; filter_result='not-match', filter_type='AND' Filter node evaluation result; filter_result='not-match', filter_type='AND' Filter rule evaluation result; filter_result='not-match', filter_rule='f_ams' Filter rule evaluation begins; filter_rule='f_authpriv' Filter node evaluation result; filter_result='not-match', filter_type='facility' Filter rule evaluation result; filter_result='not-match', filter_rule='f_authpriv' Filter rule evaluation begins; filter_rule='f_kern' Filter node evaluation result; filter_result='not-match', filter_type='facility' Filter rule evaluation result; filter_result='not-match', filter_rule='f_kern' Filter rule evaluation begins; filter_rule='f_user' Filter node evaluation result; filter_result='not-match', filter_type='facility' Filter rule evaluation result; filter_result='not-match', filter_rule='f_user' Filter rule evaluation begins; filter_rule='f_mail' Filter node evaluation result; filter_result='not-match', filter_type='facility' Filter rule evaluation result; filter_result='not-match', filter_rule='f_mail' Filter rule evaluation begins; filter_rule='f_security' Filter node evaluation result; filter_result='match', filter_type='facility' Filter rule evaluation result; filter_result='match', filter_rule='f_security' Initializing destination file writer; template='/var/log/security', filename='/var/log/security' The two fixes I can find are: - Move: "log { source(src); filter(f_security);.." below "log { source(src); filter(f_auth);..." ...wait, what?! - Remove reference to LOG_SECURITY /usr/include/syslog.h defines for Facility->index mappings haven't changed since RELENG_6, so I'm not sure what to make of this. Very strange, ~BAS