Untitled

## SPLUNK
#*** Configure local destinations for syslog here. ***
#
## SPLUNK
#
#
destination d_wlc { file("/var/log/syslog-ng/splunk/wlc/$FACILITY"); };
destination d_NetworkGear { file("/var/log/syslog-ng/splunk/Network_Gear/$FACILITY"); };
destination d_bitbucket { file("/var/log/syslog-ng/splunk/bit_bucket/$FACILITY"); };

#*** Configure filter for the network device IP address here. ***
#
# NOTE:  Make sure there is a space after the ) following the IP address #
#
#
filter f_wlc { netmask(172.16.91.0/24)
or netmask(10.26.141.18/32)
or netmask(10.255.22.18/32)
or netmask(172.16.91.0/24)
or netmask(172.16.92.0/22); };

filter f_NetworkGear { netmask(10.255.0.0/16)
or netmask(10.40.0.0/16)
or netmask(172.16.252.0/16)
or netmask(172.26.252.0/16)
or netmask(172.26.253.0/16)
or netmask(172.26.254.0/16)
or netmask(172.26.255.0/16); };

filter f_bitbucket { netmask(129.255.0.0/16)
or netmask(10.0.0.0/8)
or netmask(192.168.0.0/16)
or netmask(172.16.0.0/12); };

#
# Combine log destination and filter
#
#
log { source(s_syslog-ng); filter(f_wlc); destination(d_wlc); };
log { source(s_syslog-ng); filter(f_NetworkGear); destination(d_NetworkGear); };
log { source(s_syslog-ng); filter(f_bitbucket); destination(d_bitbucket); };


#
# END SPLUNK
#*** Section ends. ***
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:etc

=============================

So the theory is that everything that doesnt get caugh by the first two filters, gets caught by the "bitbucket"
But what is happening is that it seems logs are being filtered into BOTH filter f_NetworkGear and filter f_bitbucket.

Is there a way to have syslog not put it in both ? The filter f_bitbucket is intended to be a catch all that is for anything not filtered above.