I am thinking of a way to use regular expressions more efficiently by adding a fixed string match along with the regular expression. filter f_xntp_filter_no_regexp { # original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually); program("xntpd") and match("time error .* is way too large .* set clock manually"); }; which will evaluate the regular expression for all messages. The syslog-ng FAQ recommends the filter filter f_xntp_filter_no_regexp { # original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually); program("xntpd") and match("time error") and match("is way too large") and match("set clock manually"); }; but that would match the message "xntpd[1234]: length is way too large of a time error to make set clock manually succeed." which isn't what I want to match. I would like to do filter f_xntp_filter_no_regexp { # original line: "xntpd[1567]: time error -1159.777379 is way too large (set clock manually); program("xntpd") and match("time error") and match("is way too large") and match("set clock manually") and match("time error .* is way too large .* set clock manually"); }; So, the question is if the message does not match any of the fixed strings, does the regular expression get evaluate, or does the first non-matching fixed string cause the filter evaluation to abort? Anyone have any insights?