Physically dragging the thread back on topic... I really am going crazy, trying to deal with the hourly logs from the loghost. We've got 170+ servers and workstations... but a *very* large percentage of what's showing up is from his bloody new fedora 22, with its idiot systemd logging of *ever* selinux message to /var/log/messages. I tried creating a rule, /etc/rsyslog.d/audit.conf, that reads: if $msg contains "audit" and $msg,contains,'res=success' then - but that seemed to send *everything* to /dev/null. That was my best guess, based on googling (yahooing?) and man pages. Can anyone tell me what's wrong with that syntax? mark _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos