Thank you! That was the issue! VP ________________________________ From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Evan Rempel <erempel@uvic.ca> Sent: Tuesday, June 6, 2017 9:24:14 AM To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng] Filter Not Working (too many or's?) I agree with what Attila wrote, but to answer your question the first rexpression host("*.abca.*") is invalid. you have a "*." where you needed a ".*" Evan On 06/06/2017 05:07 AM, Szalai, Attila wrote: Hi, First of all, the content of the host() is a regular expression, so adding .* to the beginning and/or to the end of the expression adds nothing, just pain/slowness. Second, it would help a lot if we can see the actual error message. I found no obvious mistake, but because this is not the original line, maybe something lost in the translation. From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of wiskbroom@hotmail.com<mailto:wiskbroom@hotmail.com> Sent: Tuesday, June 06, 2017 12:59 AM To: syslog-ng@lists.balabit.hu<mailto:syslog-ng@lists.balabit.hu> Subject: [syslog-ng] Filter Not Working (too many or's?) Here is an example of what I am trying to do, these hostnames are not real; the real ones have no common pattern. filter f_xyz { host("*.abca.*") or host(".*abcb.*") or host(".*abcc.*") or host(".*abcd.*") or host(".*abce.*") or host(".*abcf.*") or host(".*abcg.*") or host(".*abch.*"); }; The filter above is for any host containing a hostname with what is contained within the .* and *.; i.e. hostabca01 will be matched by host("*.abca.*") When I have this filter in my config, syslog fails to restart. Eyes hurt, obvious mistake?