USER.DEBUG: Jul 15 18:23:44 DPRASSyslogAudit3 [system][debug] trans(383): cpu usage: 57%(10 sec) 57%(1 min) 57%(10 min) 56%(1 hour) 58%(1 day)
In the syslog wire protocol, the field immediately after the timestamp is the hostname, so this message would be interpreted as being from a host called DPRASSyslogAudit3. Your filters are not matching these messages because match() only matches elements of the message body, and the text you're looking for does not appear in the message body.
Joe.
That's actually what I thought (but forgot to mention in my earlier email), but when I try to match on host it doesn't catch anything either. Neither of these catch anything:

filter group_syncDPextest { host("DP[:digit:]+Syslog") or host("DPRASSyslogAudit[:digit:]+") ;};
filter group_syncDPextest { host("DP") ;};

Is this because the host filter actually comes from the source host of the packet and not the message itself? Are DataPower's syslog messages just broken or non-RFC compliant? Should I just give up and try to match on other strings in the message?

Thanks again for all your help on this weird problem.

Adam
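
The field split described in the first reply above, as an added example (not code from the thread or from syslog-ng): a small parser for the header layout of timestamp, hostname, then message body, run on the sample line with its `USER.DEBUG:` display prefix removed. The function names and the regular expression are assumptions for illustration, and the code does not model syslog-ng's own parser or how it assigns the host value.

```python
import re

# Sample line from the thread, without the "USER.DEBUG: " display prefix.
SAMPLE = ("Jul 15 18:23:44 DPRASSyslogAudit3 [system][debug] trans(383): "
          "cpu usage: 57%(10 sec) 57%(1 min) 57%(10 min) 56%(1 hour) 58%(1 day)")

# Header layout: optional <PRI>, "Mmm dd hh:mm:ss", hostname, then the body.
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$"
)

def parse(line):
    """Split a line into pri/timestamp/host/body (hypothetical helper)."""
    m = HEADER.match(line)
    if m is None:
        # No recognisable header: everything is treated as message body.
        return {"pri": None, "timestamp": None, "host": None, "body": line}
    return m.groupdict()

def body_matches(line, pattern):
    """Search only the message body, the part a body-only filter sees."""
    return re.search(pattern, parse(line)["body"]) is not None

def host_matches(line, pattern):
    """Search only the hostname field taken from the message header."""
    host = parse(line)["host"]
    return host is not None and re.search(pattern, host) is not None

if __name__ == "__main__":
    fields = parse(SAMPLE)
    print("host:", fields["host"])
    print("body:", fields["body"])
    # Python's re has no POSIX classes, so \d stands in for a digit class.
    print("body match:", body_matches(SAMPLE, r"DPRASSyslogAudit\d+"))
    print("host match:", host_matches(SAMPLE, r"DPRASSyslogAudit\d+"))
```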