Hello list,

the following problem occurred when trying to filter messages generated by the program NT-syslog running on several win2k-servers and some Cisco-Routers with syslog-ng on a central loghost:

- The messages from the cisco devices are logged according to the log path in syslog-ng.conf.
- The messages from NT-syslog end up in the "catch-all" destination and the destination in the log path is "ignored".

Checking the arriving udp-packets with tcpdump on loghost the following was observed:

- Packets coming from cisco-devices have source port 514 and the IP "don't fragment" flag is not set.
- Packets coming from NT-syslog have source ports above 1024 and the IP "don't fragment" flag is not set.

A "handcrafted" UDP syslog-message packet with Source-Port != 514 and a source address of one of the NT-hosts and the IP "don't fragment" flag set will be logged according to the log path in syslog-ng.conf !! If IP "don't fragment" is not set, the message will end up in the fallback-destination.

Has anyone else noticed a similar behaviour of syslog-ng? Maybe someone has a hint where to start debugging this problem?

The problem is observed with

  syslog-ng version 1.6.0rc1 / libol 0.3.9
  syslog-ng version 1.4.17 / libol 0.2.23

running on

  NetBSD-1.6 (i686)                                     gcc-2.95.3 20010315   NetBSD
  linux-2.4.20 (stock source) / glibc-2.2.5 (i686)      gcc 2.96 20000731     RedHat
  linux-2.4.20-pre4 (kernel.org) / glibc-2.3.1 (i686)   gcc 3.2.1             Gentoo

Relevant excerpt from syslog-ng.conf:

=============<snip>=================
# source
source s_net { udp(); };

# destinations
# cisco
destination d_cons_pix { file("/dev/tty3"); }; # for special reasons ...
destination d_pix { file("/var/log/pixlog_$YEAR_$MONTH_$DAY"); };
destination d_liss { file("/var/log/lisslog_$YEAR_$MONTH_$DAY"); };
destination d_router { file("/var/log/routerlog_$YEAR_$MONTH_$DAY"); };
# NT-syslog test
destination d_rrwk { file("/var/log/rrwk_$YEAR_$MONTH_$DAY"); };
destination d_prt2 { file("/var/log/prt2_$YEAR_$MONTH_$DAY"); };
destination d_neko { file("/var/log/neko_$YEAR_$MONTH_$DAY"); };
# fallback
destination d_netrest { file("/var/log/netrest"); };

# filters
# cisco
filter f_pix { host("192.168.10.1"); };
filter f_liss { host("192.168.10.3"); };
filter f_router { host(192.168.201.5) or host(192.168.250.10); };
# NT-syslog test
filter f_rrwk { host(192.168.100.192); };
filter f_neko { host(192.168.100.190); };
filter f_prt2 { host(192.168.110.22); };

# log sentences
# cisco
log { source(s_net); filter(f_pix); destination(d_pix); destination(d_cons_pix); };
log { source(s_net); filter(f_liss); destination(d_liss); };
log { source(s_net); filter(f_router); destination(d_router); };
# NT-syslog test
log { source(s_net); filter(f_rrwk); destination(d_rrwk); };
log { source(s_net); filter(f_prt2); destination(d_prt2); };
log { source(s_net); filter(f_neko); destination(d_neko); };
# fallback
log { source(s_net); destination(d_netrest); flags(fallback); };
==================<snip>================

Any help will be much appreciated.

Kind regards
Raine Ruecker
participants (1)
-
Ruecker, Rainer
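One way to compare what the two kinds of sender actually put on the wire, beyond the source port and IP flags visible in tcpdump, is to summarise each datagram's syslog header next to the UDP peer it arrived from. This is an added example, not part of the original post; the function names, the test port 5514 and the sample datagrams used to check it are assumptions constructed for illustration.

```python
import re
import socket

# BSD-syslog layout: <PRI>, then optionally "Mmm dd hh:mm:ss" and a HOST token.
# Telling HOST apart from the first word of the message is a heuristic: a token
# followed by a space and containing no ':' or '[' is treated as the host.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:\[]+) )?)?"
    r"(?P<msg>.*)$",
    re.S,
)

def describe(datagram: bytes, peer: tuple) -> dict:
    """Summarise one syslog datagram and the UDP peer it came from."""
    text = datagram.decode("utf-8", "replace").rstrip("\r\n\x00")
    info = {"src_ip": peer[0], "src_port": peer[1], "valid_pri": False,
            "facility": None, "severity": None,
            "has_timestamp": False, "header_host": None, "msg": text}
    m = HEADER.match(text)
    if not m:
        return info                      # no <PRI> at all
    pri = int(m["pri"])
    info.update(valid_pri=pri <= 191,    # 24 facilities * 8 severities
                facility=pri >> 3, severity=pri & 7,
                has_timestamp=m["ts"] is not None,
                header_host=m["host"], msg=m["msg"])
    return info

def listen(bind=("127.0.0.1", 5514), count=10):
    """Print a summary for `count` datagrams received on `bind` (assumed test port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        for _ in range(count):
            data, peer = sock.recvfrom(8192)
            print(describe(data, peer))

if __name__ == "__main__":
    listen()
```

Pointing a copy of each sender's traffic at the listener shows side by side whether a message carries a timestamp and a host field in its header, and which address and port it came from.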