Hi folks,

the documentation (https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guid...) states multiple times that program patterns and message patterns work the same way.

"You can also use parsers in the program pattern if needed, and use the parsed results later. For example: <pattern>postfix\@ESTRING:.postfix.component:[@</pattern>"

I am trying to achieve exactly this behaviour, but my foobar.pdb (see attachment or http://pastebin.com/aZKMKmkc) does not seem to work. I tested it with pdbtool:

  pdbtool -v test foobar.pdb
  Testing message program='imapd(foo)' message='connect from 192.168.2.179 (192.168.2.179)'
  Match name='.classifier.rule_id', value='foobaz', expected='foobaz'
  Match name='IPA', value='192.168.2.179', expected='192.168.2.179'
  Match name='IPB', value='192.168.2.179', expected='192.168.2.179'
  Wrong match name='FOOA', value='', expected='foo'
  Wrong match name='FOOB', value='', expected='foo'

What am I doing wrong? How can I use the parsed results from the program pattern later?

Tested with syslog version:

  syslog-ng 3.4.3
  Installer-Version: 3.4.3
  Revision: ssh+git://algernon@git.balabit/var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.4#no_branch#64d670f3cbfb90769f3c7f0fdd9c70bb9136ec5b
  Compile-Date: Aug 27 2013 17:55:45
  Available-Modules: afsocket-tls,cryptofuncs,affile,afsocket,syslogformat,dbparser,afsocket-notls,basicfuncs,json-plugin,system-source,afmongodb,afamqp,afprog,afuser,confgen,csvparser
  Enable-Debug: off
  Enable-GProf: off
  Enable-Memtrace: off
  Enable-IPv6: on
  Enable-Spoof-Source: off
  Enable-TCP-Wrapper: off
  Enable-Linux-Caps: on
  Enable-Pcre: on

And:

  syslog-ng 3.3.9
  Installer-Version: 3.3.9
  Revision: 3.3.9-1 (/)
  Compile-Date: May 26 2013 11:36:00
  Default-Modules: affile,afprog,afsocket,afuser,afsql,basicfuncs,csvparser,dbparser,syslogformat
  Available-Modules: afsocket-notls,basicfuncs,confgen,afsocket,convertfuncs,syslogformat,afuser,csvparser,dbparser,affile,afsocket-tls,afprog
  Enable-Debug: off
  Enable-GProf: off
  Enable-Memtrace: off
  Enable-IPv6: on
  Enable-Spoof-Source: on
  Enable-TCP-Wrapper: on
  Enable-Linux-Caps: on
  Enable-Pcre: on

Best Regards,
Daniel