Just have syslog-ng put them in a separate file. Add something like this to
your /etc/syslog-ng/syslog-ng.conf:

destination relay_denied { file("/var/log/relay_denied"); };
# Filters that "flag" a message--<key phrase> will be part of the
# message that is produced, like "RELAY DENIED" or something like that
filter f_relay_denied { match("<key phrase>"); };
log { source(src); filter(f_relay_denied); destination(relay_denied); };
log { source(src); filter(DEFAULT); destination(messages); };

Also, if in the future you want to just /dev/null the relay denied messages,
replace:

destination relay_denied { file("/var/log/relay_denied"); };

with:

destination relay_denied { program("/bin/cat >/dev/null"); };

Once you've edited that file, restart syslog-ng.

You also might want to check out the syslog-ng reference:
http://www.balabit.com/products/sysl...nce/book1.html

Stu
Michael Thompson wrote:
> I use Syslog-ng, and after opening my mailserver to the world after making
> it secure started to notice logs in syslog about relays denied.
>
> How can I have a filtered view of syslog, like when running tail
> -f /var/log/messages, showing only the relay denied SMTP messages. So that
> I can see how often they are coming?
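
Added example, not part of the original messages: once syslog-ng writes the relay-denied messages to their own file, these shell functions show how often they arrive, per hour and per client. The function names are hypothetical, and the sample lines are constructed, assuming the classic syslog timestamp and a Postfix-style "Relay access denied" line with the client as name[ip].

```shell
#!/bin/sh
# Summarise the file written by the relay_denied destination.
# Assumptions: "Mon DD HH:MM:SS host ..." timestamps and a client field of
# the form "from name[ip]:" (Postfix style); adjust for other MTAs.

# relay_denied_per_hour FILE -> "Mon DD HH:00 count", in log order
relay_denied_per_hour() {
    awk '{
        key = $1 " " $2 " " substr($3, 1, 2) ":00"
        if (!(key in n)) order[++k] = key   # remember first-seen order
        n[key]++
    }
    END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }' "$1"
}

# relay_denied_top_clients FILE -> "count ip", busiest client first
relay_denied_top_clients() {
    sed -n 's/.* from [^[]*\[\([0-9a-fA-F.:]*\)\].*/\1/p' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# write_sample FILE -> constructed log lines using documentation addresses
write_sample() {
    cat > "$1" <<'EOF'
Mar  3 14:02:11 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <a@example.net>: Relay access denied
Mar  3 14:02:40 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <b@example.net>: Relay access denied
Mar  3 14:47:05 mail postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 <c@example.net>: Relay access denied
Mar  3 15:10:19 mail postfix/smtpd[2304]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <d@example.net>: Relay access denied
EOF
}

# Usage: sh relay_summary.sh /var/log/relay_denied
if [ -n "${1:-}" ]; then
    relay_denied_per_hour "$1"
    relay_denied_top_clients "$1"
fi
```

For the live view asked about, tail -f /var/log/relay_denied on the new file shows only those messages as they arrive.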