RE: [syslog-ng]Ok, I think I've got it now...
Michael,

Syslog-ng is supposed to do this. As long as the message matches any filter, which in your case it does, syslog-ng will log the message. The only way to prevent this is to make your filters unique. Your configuration looks good, but several of your filters will cause your messages to match more than once and will log multiple times.

Regards,
Drew

-----Original Message-----
From: Michael Hargadon [mailto:MHargadon@ITDepartment.com]
Sent: Friday, August 03, 2001 7:34 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]Ok, I think I've got it now...

Good afternoon.

Some time ago I posted a question about matching regexes and filtering log messages using Syslog-NG. After some investigation, I've determined the following:

1) My regexps are defined properly
2) Messages are being matched and diverted to the appropriate location
3) The matched messages are still showing up in /var/log/syslog anyways.

Since I'm attempting to monitor about fifty Windows NT computers I need some way by which I can filter out the more useless messages (document x was printed, some sucker logged off, etc.).

My configuration is as follows:

    options { long_hostnames(off); sync(0); };

    source src { unix-stream("/dev/log"); internal(); udp(); file("/proc/kmsg"); };

    destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
    destination syslog { file("/var/log/syslog" owner("root") group("adm") perm(0640)); };
    destination cron { file("/var/log/cron.log" owner("root") group("adm") perm(0640)); };
    destination daemon { file("/var/log/daemon.log" owner("root") group("adm") perm(0640)); };
    destination kern { file("/var/log/kern.log" owner("root") group("adm") perm(0640)); };
    destination lpr { file("/var/log/lpr.log" owner("root") group("adm") perm(0640)); };
    destination mail { file("/var/log/mail.log" owner("root") group("adm") perm(0640)); };
    destination user { file("/var/log/user.log" owner("root") group("adm") perm(0640)); };
    destination uucp { file("/var/log/uucp.log" owner("root") group("adm") perm(0640)); };
    destination null { file("/var/log/filtered" owner("root") group("root") perm(0666)); };
    destination mailinfo { file("/var/log/mail.info" owner("root") group("adm") perm(0640)); };
    destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm") perm(0640)); };
    destination mailerr { file("/var/log/mail.err" owner("root") group("adm") perm(0640)); };
    destination debug { file("/var/log/debug" owner("root") group("adm") perm(0640)); };
    destination messages { file("/var/log/messages" owner("root") group("adm") perm(0640)); };
    destination console { usertty("root"); };
    destination console_all { file("/dev/tty8"); };
    destination xconsole { pipe("/dev/xconsole"); };
    destination ppp { file("/var/log/ppp.log" owner("root") group("adm") perm(0640)); };

    # Filters here
    filter f_authpriv { facility(auth, authpriv); };
    filter f_syslog { not facility(auth, authpriv); };
    filter f_cron { facility(cron); };
    filter f_daemon { facility(daemon); };
    filter f_kern { facility(kern); };
    filter f_lpr { facility(lpr); };
    filter f_mail { facility(mail); };
    filter f_user { facility(user); };
    filter f_uucp { facility(uucp); };
    filter f_news { facility(news); };
    filter f_debug { not facility(auth, authpriv, news, mail); };
    filter f_messages { level(info .. warn) and not facility(auth, authpriv, cron, daemon, mail, news); };
    filter f_emergency { level(emerg); };
    filter f_info { level(info); };
    filter f_notice { level(notice); };
    filter f_warn { level(warn); };
    filter f_crit { level(crit); };
    filter f_err { level(err); };
    filter f_cnews { level(notice, err, crit) and facility(news); };
    filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
    filter ppp { facility(local2); };

    # Begin NT Event Log Filters Here
    # Successful Logon
    # one sample only please
    filter f_nt0014 { match("POP3 connection accepted from"); };

    # Log destinations now please
    log { source(src); filter(f_nt0014); destination(null); };
    log { source(src); filter(f_authpriv); destination(authlog); };
    log { source(src); filter(f_syslog); destination(syslog); };
    #log { source(src); filter(f_cron); destination(cron); };
    log { source(src); filter(f_daemon); destination(daemon); };
    log { source(src); filter(f_kern); destination(kern); };
    log { source(src); filter(f_lpr); destination(lpr); };
    log { source(src); filter(f_mail); destination(mail); };
    log { source(src); filter(f_user); destination(user); };
    log { source(src); filter(f_uucp); destination(uucp); };
    log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
    log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
    log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
    # note: destinations newscrit, newserr and newsnotice are referenced below
    # but are not defined in the configuration as posted
    log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
    log { source(src); filter(f_news); filter(f_err); destination(newserr); };
    log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
    log { source(src); filter(f_debug); destination(debug); };
    log { source(src); filter(f_messages); destination(messages); };
    log { source(src); filter(f_emergency); destination(console); };
    #log { source(src); filter(f_cnews); destination(console_all); };
    #log { source(src); filter(f_cother); destination(console_all); };
    log { source(src); filter(f_cnews); destination(xconsole); };
    log { source(src); filter(f_cother); destination(xconsole); };
    log { source(src); filter(ppp); destination(ppp); };

Now, if I receive a message as follows:

    Aug 3 12:55:40 Mail Application 236515 Fri Aug 03 12:53:55 2001 1073818460 MSExchange Pop3 Interface N/A N/A Information xxxxxxx POP3 connection accepted from xxx.xxx.xxx.xx

I'll see that message pop up in /var/log/filtered. I'll also see exactly the same message pop up in /var/log/syslog. I know I've got to be overlooking something quite obvious here -- can anyone offer any assistance with this?

Regards,
Michael Hargadon

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
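As an added illustration that is not part of either post, the following Python model shows how syslog-ng routes a message: every log path whose filters all match receives its own copy, which is why the sample message lands in /var/log/filtered and /var/log/syslog alike. It runs a subset of the posted filters over the quoted message (user.info is an assumed facility and priority, since the NT forwarder's values are not shown) and then applies Drew's remedy of making the other filters exclude the pattern that f_nt0014 already files away.

```python
import re

# Constructed sample built from the message quoted in the post. The NT forwarder's
# facility and priority are not stated, so user.info is an assumption here.
SAMPLE = {"facility": "user", "level": "info",
          "msg": "MSExchange Pop3 Interface N/A N/A Information xxxxxxx "
                 "POP3 connection accepted from xxx.xxx.xxx.xx"}

LEVELS = ["debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"]

# Filter primitives modelled on the syslog-ng filter functions used in the config.
def facility(*names):
    return lambda m: m["facility"] in names

def level(lo, hi=None):          # level(info .. warn) style range; level(x) for one
    lo_i, hi_i = LEVELS.index(lo), LEVELS.index(hi or lo)
    return lambda m: lo_i <= LEVELS.index(m["level"]) <= hi_i

def match(pattern):              # match() is an unanchored regex over the message text
    rx = re.compile(pattern)
    return lambda m: rx.search(m["msg"]) is not None

def not_(f): return lambda m: not f(m)
def and_(*fs): return lambda m: all(f(m) for f in fs)

# The posted log paths that a user.info message can reach (subset of the config).
POSTED = [
    ("filtered", match("POP3 connection accepted from")),             # f_nt0014 -> null
    ("syslog",   not_(facility("auth", "authpriv"))),                 # f_syslog
    ("user",     facility("user")),                                   # f_user
    ("debug",    not_(facility("auth", "authpriv", "news", "mail"))), # f_debug
    ("messages", and_(level("info", "warn"), not_(facility(           # f_messages
        "auth", "authpriv", "cron", "daemon", "mail", "news")))),
]

def route(message, log_paths):
    """syslog-ng semantics: every log path whose filters all match gets a copy."""
    return [dest for dest, flt in log_paths if flt(message)]

NOISE = match("POP3 connection accepted from")

def exclude_noise(log_paths):
    """Drew's remedy: make the other filters unique by excluding the noise pattern
    from every path except the one that files it under /var/log/filtered."""
    return [(d, f) if d == "filtered" else (d, and_(f, not_(NOISE)))
            for d, f in log_paths]
```

With the posted filters the sample message is written five times (filtered, syslog, user, debug, messages); after exclude_noise it reaches only /var/log/filtered, while ordinary user.info messages still go to the other four files.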
Participants (1): Hamilton, Andrew Mr RAYTHEON 5 SIG CMD