Using the $1 .. $n syntax for back substitution into the template can be problematic when multiple filter functions are used. For example, if I wanted to make a template that used the short hostname and a portion of a message I could use host(^([^\.]+)\.) and use $1 to get the short hostname match(bad login from ([^ ]+) ) and use $1 to get the ip address that originated the login. The final filter would be filter fail_login { host(^([^\.]+)\.) and match(bad login from ([^ ]+) ); }; To create a template that used both of these, I need to use $1 twice :-( Suggestion: allow syntax that specified user definable macro names for expansion. host("^([^\.]+)\." fullmatch shorthost) match("bad login from ([^ ]+) " fullmatch ip) and the filter becomes filter fail_login { host("^([^\.]+)\." shorthost) and match("bad login from ([^ ]+) " ip); }; and then a template can be written as template my_template{ template("$ISODATE $HOST $shorthost is being attacked from $ip\n"); template_escape(no)); }; The "fullmatch" is in keeping with the regexp matching syntax of many languages. An additional concern is that users might attempt to use new macronames that conflict with existing ones, but that should be easy to handle. -- Evan Rempel erempel@uvic.ca Senior Programmer Analyst 250.721.7691 Computing Services University of Victoria