Whenever I combine 2 filters with an 'OR', it matches just about anything (except if those 2 filters are of different kinds, like program & facility, etc.).
For example:

    destination trylog { file("/var/log/CransMisc/try.log" owner("root") group("adm") perm(0640)); };
    filter f_stunnel { program("stunnel"); };
    filter f_squid { program("squid"); };
    filter f_try { filter(f_stunnel) or filter (f_squid); };   #(bug1)
    log { source(src); filter(f_try); destination(trylog); };

will put all kinds of stuff in try.log, with program names that contain neither 'tunnel' nor 'squid'. (eg: 'cucipop' lines end up in try.log... )
Same thing if I define f_try directly, without using f_stunnel and f_squid, as:

    filter f_try { program("stunnel") or program("squid"); };   #(bug2)

Also, the 'or' does strange things with other filters than 'program', like:

    filter f_try { program("local2") or facility("local3"); };   #(bug3)

hmm.. Could you send me the exact messages going to wrong place? because I couldn't reproduce the problem, the filters were working fine. I tried the following messages:

    Jan 18 21:04:04 bzorp squid: Modem hangup 1
    Jan 18 21:04:04 bzorp pppd[1911]: Modem hangup 2
    Jan 18 21:04:04 bzorp cucipop: Modem hangup 2
    Jan 18 21:04:04 bzorp stunnel[1911]: Modem hangup 3

syslog-ng correctly filtered squid and stunnel, others were dropped. I also tried deleting the PID value, but it didn't change.

Isn't that a bug in syslog-ng ??
--
Sam

PS: this aside, syslog-ng is really great, so much better than the old awkward syslogd..

thanks

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
participants (1)
-
Balazs Scheidler
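
A reference check for the routing discussed in this thread, as an added example that is not part of either message and not syslog-ng's own code. It assumes program() is an unanchored regular-expression match on the program-name field with the PID stripped; the helper names (parse, program, any_of, routed, misrouted) are hypothetical.

```python
import re

# The four test messages quoted in the reply above, verbatim.
MESSAGES = [
    "Jan 18 21:04:04 bzorp squid: Modem hangup 1",
    "Jan 18 21:04:04 bzorp pppd[1911]: Modem hangup 2",
    "Jan 18 21:04:04 bzorp cucipop: Modem hangup 2",
    "Jan 18 21:04:04 bzorp stunnel[1911]: Modem hangup 3",
]

# BSD syslog line: timestamp, host, program with optional [pid], message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)

def parse(line):
    """Split one syslog line into its fields; reject anything malformed."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    return m.groupdict()

def program(pattern):
    """Model of program("..."): assumed unanchored regex on the program name."""
    rx = re.compile(pattern)
    return lambda rec: rx.search(rec["program"]) is not None

def any_of(*filters):
    """Model of 'a or b': true when at least one sub-filter matches."""
    return lambda rec: any(f(rec) for f in filters)

# Mirrors f_stunnel, f_squid and f_try from the configuration in the report.
f_stunnel = program("stunnel")
f_squid = program("squid")
f_try = any_of(f_stunnel, f_squid)

def routed(lines, flt):
    """Program names of the lines the filter would send to the destination."""
    return [rec["program"] for rec in map(parse, lines) if flt(rec)]

def misrouted(lines, flt, allowed):
    """Program names that passed the filter but are not in the allowed set."""
    return [p for p in routed(lines, flt) if p not in allowed]

if __name__ == "__main__":
    print("routed:", routed(MESSAGES, f_try))
    print("misrouted:", misrouted(MESSAGES, f_try, {"stunnel", "squid"}))
```

Running the same check over lines taken from the real try.log would list the exact program names that reach the destination unexpectedly, which is the information the reply asks for.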