I have a very simple rewrite rule, which just figures out the short hostname and populates a macro SHORTHOST with the short host name. # --- to produce a short host macro SHOST filter f_short_host_at { match('^[^@]+@([^.]+)\.' value("HOST") type(pcre) flags("store-matches" "nobackref")); }; filter f_short_host { match('^([^.@]+)\.' value("HOST") type(pcre) flags("store-matches" "nobackref")); }; rewrite r_short_host { set("$1", value("SHORTHOST") condition(filter(f_short_host_at) or filter(f_short_host) ) ); }; I have two different config files (they are complicated, but the rewrite portion is not). log { source(unix_network_tcp); source(unix_network_udp); rewrite(r_short_host); log { destination(d_archive); flags(flow-control); }; }; In one config everything works as expected (-Fdv output) Syslog connection accepted; fd='20', client='AF_INET(142.104.141.3:34573)', local='AF_INET(142.104.141.3:514)' Incoming log entry; line='<134>2013-02-04T15:28:46-08:00 pangolin.comp.uvic.ca/pangolin.comp.uvic.ca action-handler[24020]: starting' Filter node evaluation result; result='not-match' Filter node evaluation result; result='not-match', type='filter(f_short_host_at)' Filter node evaluation result; result='match' Filter node evaluation result; result='match', type='filter(f_short_host)' Filter node evaluation result; result='match', type='OR' Rewrite expression evaluation result; value='SHORTHOST', new_value='pangolin', rule='r_short_host', location='/usr/local/etc/syslog-ng/syslog-ng.server.conf:173:2' On the other config (same host and all versions of software) Syslog connection accepted; fd='19', client='AF_INET(142.104.141.3:46021)', local='AF_INET(142.104.141.3:514)' Incoming log entry; line='<134>2013-02-04T15:28:46-08:00 pangolin.comp.uvic.ca/pangolin.comp.uvic.ca action-handler[24020]: starting' Filter node evaluation result; result='not-match' Filter node evaluation result; result='not-match', type='filter(f_short_host_at)' ** ERROR:logmsg.c:535:log_msg_set_value_indirect: assertion failed: (!log_msg_is_write_protected(self)) and syslog-ng dies. Can anyone shed any light on this? Under what conditions does the log_msg become write protected? Evan.