Hi,
I got something in the message that can help, but I'd like to use it with the empty program attribute (being as specific as possible).
So there is no way to filtre an empty program attribute?
I don't think so. When syslog-ng parses the log it has to guess what format is applied to the log line, so it will fill in the program field with the first string which is right after the priority date hostname triplet. So I think at least one word of your log will end up in the program field, and it isn't available for match() later... You could workaround this by combining the program() and the match() into a single filter, or use an external program to do the filtering. Regards, Sandor -------------------------------------------------------- NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.