Hello,

Are syslog rules position dependent? Is "flags(final);" position dependent?
Is example #1 different from #2 in what it logs?

Theory:

# example 1
log { source; filter1; destination1; }
log { source; filter1; filter2; destination2; flags(final); }

# example 2
log { source; filter1; filter2; destination2; flags(final); }
log { source; filter1; destination1; }

Let's say that filter2 matches only a subset of the messages caught by filter1, and define:

set1        := messages matched by filter1
set2        := messages matched by filter2
setLeftover := set1 without the messages of set2

which means set1 == setLeftover + set2

In example #2 destination1 receives the messages of setLeftover and destination2 receives set2.

But if rules+final are position dependent, then destination1 in example #1 will log _all_ messages of source1, _including_ those of filter2. So, destination1 receives the messages of set1.

If they are not position dependent, both destinations will receive the same message sets as in example #2.

Is syslog-ng implemented in a way to

Or as a practical example from my configuration:

Will this configuration do what it is intended to?

## in pseudo code of what I am trying to do.
if ( is it from "ssh" ) {
    if ( is loglevel equal or worse than "error" ) {
        send it to D_udp_network and D_tty_all
    }
    send it to D_ssh
    final ;   # ie: don't send it any place else
}
##

I'll try to solve that with two different rules, one with a flag(final) and one without.

I try to log all messages of ssh into one file, and all messages of ssh above a certain log level (error or worse) shall be sent to another destination (network + alert tty), too. All messages caught by the second rule must be logged to the first destination, and no message from ssh shall be logged any place else, and I don't want to write a filter(f_no_ssh); into each and every log{} rule.

# A message from ssh with loglevel emergency
If syslog rules are position dependent

####
options { long_hostnames(off); sync(0); };
source S_local { unix-stream("/dev/log"); file("/proc/kmsg"); internal(); };
##
destination D_udp_network { udp("192.168.51.2" port(514)); };
destination D_ssh { file("/var/log/ssh" perm(0640) owner(root) group(log)); };
##
# syslog-ng has no "normal" priority; debug..emerg covers every level
filter l_normal_or_worse { level(debug..emerg); };
filter l_err_or_worse    { level(err..emerg); };
##
filter f_ssh { program("ssh.*") or program("su"); };

##### TWO RULES accepting messages from ssh
##### first without "final", second with "final"
##
## selected ssh messages of level error or worse
## send critical ssh messages to all tty's
## (D_tty_net is not defined in this excerpt)
log { source(S_local); filter(f_ssh); filter(l_err_or_worse);
      destination(D_udp_network); destination(D_tty_net); };

## secure login / ssh / su ...
## shall store all messages (normal ... emerg) of ssh
log { source(S_local); filter(f_ssh); filter(l_normal_or_worse);
      destination(D_ssh); flags(final); };

What kind of output on D_ssh and D_udp_network should I expect if there are these two messages?

## example messages
#loglevel message
[normal] datum host sshd[550]: some normal message of sshd
[error]  datum host sshd[550]: some error output of sshd

Thank you,
Volker Apelt

-- 
Volker Apelt    volker_apelt .@. yahoo.de  (remove the dots, please)
Dipl. Chem.     +49 6172 31126
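The ordering rule the question turns on (syslog-ng evaluates log{} statements in configuration order, and a message that matches a statement with flags(final) is not offered to any later statement), modelled as an added Python example that is not code from the original post. The filters, destination names and the two sample messages follow the post's configuration; mapping the post's "normal" level to the syslog "info" priority and matching program names exactly instead of by regex are assumptions.

```python
"""Model of syslog-ng's sequential log-statement evaluation with flags(final).

Added illustration, not code from the original post: each log{} statement is
tried in configuration order, and a message that matches a statement carrying
flags(final) is not offered to any later statement.  The message records and
filters below are constructed to mirror the post's two example sshd lines.
"""
from collections import defaultdict

# syslog priorities, most severe first.  syslog-ng has no "normal" level, so the
# post's "[normal]" message is modelled as "info" (an assumption).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def level_range(low, high):
    """Filter accepting priorities from `low` (least severe) up to `high`."""
    lo, hi = LEVELS.index(low), LEVELS.index(high)
    return lambda msg: hi <= LEVELS.index(msg["level"]) <= lo

def program(*names):
    """Exact-name stand-in for the post's program("ssh.*") or program("su")."""
    return lambda msg: msg["program"] in names

def route(messages, log_statements):
    """Return {destination: [text, ...]} after evaluating the statements in order."""
    delivered = defaultdict(list)
    for msg in messages:
        for stmt in log_statements:
            if all(f(msg) for f in stmt["filters"]):
                for dest in stmt["destinations"]:
                    delivered[dest].append(msg["text"])
                if stmt.get("final"):
                    break  # flags(final): later statements never see this message
    return dict(delivered)

# Constructed sample messages mirroring the post's two example lines
MESSAGES = [
    {"program": "sshd", "level": "info", "text": "some normal message of sshd"},
    {"program": "sshd", "level": "err", "text": "some error output of sshd"},
]
f_ssh = program("sshd", "su")
l_err_or_worse = level_range("err", "emerg")
l_all_levels = level_range("debug", "emerg")

# Order as in the post: selective rule first, catch-all ssh rule with final second.
POST_ORDER = [
    {"filters": [f_ssh, l_err_or_worse], "destinations": ["D_udp_network", "D_tty_net"]},
    {"filters": [f_ssh, l_all_levels], "destinations": ["D_ssh"], "final": True},
]
# Swapped order: the final rule runs first, so the selective rule never fires for ssh.
SWAPPED_ORDER = POST_ORDER[::-1]
```

Calling route(MESSAGES, POST_ORDER) delivers the error line to D_udp_network, D_tty_net and D_ssh and the normal line to D_ssh only, while route(MESSAGES, SWAPPED_ORDER) delivers both lines to D_ssh alone.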