Hi all,

I have run into an issue when trying to process structured data from IETF syslog messages. According to the syslog-ng administrator's guide (I am using syslog-ng 3.0.7), the SDATA.SDID.SDNAME macro can be used for referring to structured data. However, when I tried to test the example from the administrator guide, I found that only the $SDATA macro works fine. The example is somewhat confusing, since the SDATA.EXAMPLE.EVENTSOURCE macro allegedly points to the SD ID "exampleSDID@0" (which contains the name eventSource).

In order to test syslog-ng with a clearer case, I created the following messages with nc:

    echo -n '<165>1 2010-06-09T18:00:00.000000+02:00 192.168.1.1 myproc - - [timeQuality tzKnown="0" isSynced="0"] This is a test' | nc -w 1 -u localhost 8514

The syslog-ng configuration looks like this:

    template format { template("$DATE $HOST [$FACILITY.$LEVEL] $MSG StructuredData = ${SDATA.TIMEQUALITY.TZKNOWN}\n"); };
    #template format { template("$DATE $HOST [$FACILITY.$LEVEL] $MSG StructuredData = ${SDATA}\n"); };

    source ietfmsg { syslog(ip(0.0.0.0) port(8514) transport(udp)); };

    destination netlog { file("/var/log/syslog-ng.log" template(format)); };

    log { source(ietfmsg); destination(netlog); };

If the second template definition is active (i.e., the first definition is commented out), everything works fine and I have the following messages in the log:

    Jun 9 18:00:00 localhost [local4.notice] This is a test StructuredData = [timeQuality tzKnown="0" isSynced="0"]

However, when the first template definition is activated, I will get the following output from syslog-ng:

    Incoming log entry; line='<165>1 2010-06-09T18:00:00.000000+02:00 192.168.1.1 myproc - - [timeQuality tzKnown="0" isSynced="0"] This is a test'
    No such value known; value='SDATA.TIMEQUALITY.TZKNOWN'

Also, the log messages look like this:

    Jun 9 18:00:00 localhost [local4.notice] This is a test StructuredData =

What am I doing wrong? The example from the manual does not seem to work, neither does my simple test case.

kind regards,
risto
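
As an added example (not part of the original post and not syslog-ng code): a small RFC 5424 STRUCTURED-DATA parser run over the test message above, listing each SD-ID and PARAM-NAME exactly as it appears on the wire, which RFC 5424 treats as case-sensitive. The names `parse_sdata` and `sd_names` are hypothetical, and the sample line is the one constructed in the post.

```python
import re

# Constructed sample: the test message sent with nc in the post above.
SAMPLE = ('<165>1 2010-06-09T18:00:00.000000+02:00 192.168.1.1 myproc - - '
          '[timeQuality tzKnown="0" isSynced="0"] This is a test')

SD_ID = re.compile(r'\[([^ ="\]]+)')
# PARAM-VALUE: '"', '\' and ']' appear only backslash-escaped (RFC 5424, 6.3.3).
SD_PARAM = re.compile(r' ([^ ="\]]+)="((?:\\.|[^"\\\]])*)"')
UNESCAPE = re.compile(r'\\(["\\\]])')

def parse_sdata(line):
    """Return ({sd_id: {param_name: value}}, msg) for one RFC 5424 message."""
    # Fields: PRI+VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, rest
    fields = line.split(' ', 6)
    if len(fields) < 7:
        raise ValueError('truncated RFC 5424 header')
    rest, sdata, pos = fields[6], {}, 0
    nil = rest.startswith('-')        # NILVALUE: no structured data
    if nil:
        pos = 1
    elif not rest.startswith('['):
        raise ValueError('STRUCTURED-DATA must be "-" or start with "["')
    while not nil and rest.startswith('[', pos):  # one pass per SD-ELEMENT
        m = SD_ID.match(rest, pos)
        if not m:
            raise ValueError('bad SD-ID at offset %d' % pos)
        params = sdata.setdefault(m.group(1), {})
        pos = m.end()
        p = SD_PARAM.match(rest, pos)
        while p:
            params[p.group(1)] = UNESCAPE.sub(r'\1', p.group(2))
            pos = p.end()
            p = SD_PARAM.match(rest, pos)
        if not rest.startswith(']', pos):
            raise ValueError('unterminated SD-ELEMENT at offset %d' % pos)
        pos += 1
    msg = rest[pos:]
    return sdata, (msg[1:] if msg.startswith(' ') else msg)

def sd_names(sdata):
    """Flatten to 'SD-ID.PARAM-NAME' keys, preserving the on-wire case."""
    return sorted('%s.%s' % (i, n) for i, ps in sdata.items() for n in ps)

if __name__ == '__main__':
    data, msg = parse_sdata(SAMPLE)
    print(sd_names(data), repr(msg))
```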