Based on several net searches, I am running the following syslog-ng config in an attempt to consolidate Cisco PIX logs (23 of them) to a RH 9 server. Syslog-ng appears to be working and is in the running process list. I am very new to syslog-ng, so I have no idea how to check into this in more detail. Is there a service log file or configuration validator? I have read the docs, but I seem to be missing something that will help to piece this all together. I was expecting the following results: syslog-ng listens on UDP 514 for syslog messages; incoming messages get filtered on host IP, and a new directory is created for each host with a filename consisting of the month and day followed by pix.log. I previously had all my PIX firewalls logging to local7 on HP-UX using syslog without a problem (albeit to the same file). I have made no changes to the PIXes save the change in IP address to the new server. I have turned off RH 9's syslog service and am still getting logs from the server, so I believe that syslog-ng is working, but no directories are created for the firewalls. I have verified that the server is listening on UDP 514, and no firewall is currently running on the server.
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);      # needed so /var/log/$HOST/ can be created per firewall
    keep_hostname (yes);    # $HOST comes from the message, not a DNS lookup
};

# remote syslog from the firewalls (udp() listens on 514 by default)
source net { udp(); };

# local messages from this server
source s_sys {
    pipe ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

# one directory per firewall, one file per day
destination d_csco { file("/var/log/$HOST/$MONTH.$DAY.pix.log"); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };   # the PIX facility, also used for boot.log below
filter f_filter8 { facility(cron); };

# PIX path: anything arriving over the network on local7 goes to the per-host files
log { source(net); filter(f_filter7); destination(d_csco); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

Thanks for any help you may provide. Also, is there a searchable list archive out there? I downloaded a 14MB HTML file, but it was much less than useful.

Thanks,
Daniel Flick
DFMCO
dflick@dfmco.com
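The config above only routes a network message to d_csco if the message's facility is local7, so the first thing to confirm is which facility the PIX firewalls are actually putting in the PRI header of what they send. The script below is an added example, not part of the original post or of syslog-ng: it decodes the `<PRI>` prefix of raw syslog lines into facility.severity, summarises a capture by facility, and reports whether a given line would pass f_filter7. The sample lines are constructed, not real firewall traffic; the facility and severity name tables are the standard syslog ones. Note that a PIX uses facility 20 (local4, PRI in the 16x range) unless `logging facility 23` has been configured on it, so a capture showing local4 would explain why nothing reaches d_csco while the old HP-UX box, if it was catching `*` or local4, still got the lines.

```shell
#!/bin/sh
# Added example (not from the original post): decode the <PRI> header of
# syslog lines so you can see which facility/severity each PIX actually sends
# and compare it with filter f_filter7 { facility(local7); }.
# Assumption: lines are classic (RFC 3164 style) syslog and begin with "<PRI>".

FACILITIES='kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert cron2 local0 local1 local2 local3 local4 local5 local6 local7'
SEVERITIES='emerg alert crit err warning notice info debug'

# decode_pri LINE -> prints "facility.severity" (e.g. local4.info)
# prints "nopri" and returns 1 if the line has no valid <PRI> prefix
decode_pri() {
    line=$1
    case $line in
        '<'[0-9]*'>'*) ;;
        *) echo nopri; return 1 ;;
    esac
    pri=${line#'<'}
    pri=${pri%%'>'*}
    case $pri in
        ''|*[!0-9]*) echo nopri; return 1 ;;
    esac
    if [ "$pri" -gt 191 ]; then
        echo nopri; return 1
    fi
    fac=$((pri / 8))
    sev=$((pri % 8))
    facname=$(echo "$FACILITIES" | cut -d' ' -f$((fac + 1)))
    sevname=$(echo "$SEVERITIES" | cut -d' ' -f$((sev + 1)))
    echo "$facname.$sevname"
}

# facility_summary: reads raw syslog lines on stdin and prints
# "facility count" for every facility seen, sorted by facility name
facility_summary() {
    while IFS= read -r l; do
        decode_pri "$l" | cut -d. -f1
    done | sort | uniq -c | awk '{print $2, $1}'
}

# would_match_local7 LINE -> exit 0 if f_filter7 would accept the line,
# i.e. it would reach d_csco and create /var/log/$HOST/$MONTH.$DAY.pix.log
would_match_local7() {
    [ "$(decode_pri "$1" | cut -d. -f1)" = local7 ]
}

# Constructed sample capture: the first and third lines come from a PIX still
# on the default facility (20 = local4, PRI 16x); the second from a PIX with
# "logging facility 23" (local7, PRI 18x). Only the second passes f_filter7.
SAMPLE='<166>%PIX-6-302001: Built inbound TCP connection 10 for outside:192.0.2.10/1234 (constructed)
<187>%PIX-3-106010: Deny inbound tcp src outside:192.0.2.20/4444 dst inside:10.0.0.5/23 (constructed)
<166>%PIX-6-305011: Built dynamic TCP translation from inside:10.0.0.7/1025 to outside:198.51.100.1/1025 (constructed)'

printf '%s\n' "$SAMPLE" | facility_summary
```

To use it on real traffic, capture the packets the firewalls are sending (for instance `tcpdump -n -s 0 -A udp port 514` on the server) and feed the payload lines, one message per line, into `facility_summary`. If the result is local4 rather than local7, either set `logging facility 23` on each PIX or change f_filter7 (or add a separate filter for the net source) to match the facility they really use. Once messages do pass the filter, the next thing to check is what `$HOST` expands to for them: with `keep_hostname(yes)` syslog-ng uses the host field carried in the message, and PIX messages often carry none. For the syntax question, newer syslog-ng builds accept `-s` to check the configuration without starting; check `syslog-ng --help` on the RH 9 package to see whether yours does.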