I have been playing with macros to ensure messages are reformatted to a consistent format. I am viewing the events on the wire using tcpdump on the syslog-ng relay. The first event comes from snort. The second event is sent from syslog-ng. Note the sent message is [|syslog]. This same macro (the syslog-ng.conf file is pasted below) works with other syslog sources. Any thoughts on what the problem is?

10:39:29.810836 IP (tos 0x0, ttl 63, id 60806, offset 0, flags [DF], proto UDP (17), length 183) 192.168.14.13.syslog > 192.168.17.212.syslog: SYSLOG, length: 155
        Facility local5 (21), Severity alert (1)
        Msg: snort[433]: [1:466:5] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: <eth2> {ICMP} 192.168.17.220 -> 192.168.14.44\012
10:39:29.810968 IP (tos 0x0, ttl 64, id 10591, offset 0, flags [DF], proto UDP (17), length 178) 192.168.17.212.32848 > 192.168.17.198.syslog: [|syslog]

# Options
options {
    chain_hostnames(no);
    keep_hostname(no);
    use_time_recvd(no);
};

# network syslog listener
source s_udp {
    udp();
    unix-stream("/dev/log");
};

# Strip headers because syslog-ng wants to add them
template strip_header {
    template("$MSG\n");
    template_escape(no);
};

# hosts that should have headers stripped
filter strip_header_hosts {
    host("192.168.14.5") or host("example") or host("example.com")
    or host("mail.example.com") or host("mail") or host("192.168.14.13")
    or host("snort") or host("snort.example.com");
};

destination d_test { udp("192.168.17.198"); };
destination d_strip_test { udp("192.168.17.198" template(strip_header)); };

log { source(s_udp); filter(strip_header_hosts); destination(d_strip_test); flags(final); };
log { source(s_udp); destination(d_test); flags(final); };
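An added example (not from the post or from syslog-ng) that rebuilds the captured snort datagram from the values in the dump (local5/alert gives PRI 169, the trailing "\012" is a newline) and runs it through the two candidate templates: the post's "$MSG\n" and a "<$PRI>$MSG\n" variant that keeps the priority field. tcpdump's syslog decoder prints [|syslog] when a datagram does not begin with a "<PRI>" field, and the byte counts below reproduce the UDP payload sizes in the capture (183-28 = 155 in, 178-28 = 150 out), which is consistent with the template having removed that field. It assumes that $MSG here expands to everything after the PRI, including "snort[433]: ", as the 150-byte outgoing datagram suggests; the macro expansion and the decode_like_tcpdump check are simplified stand-ins, not syslog-ng's or tcpdump's own code.

```python
import re

# Captured datagram, reconstructed from the post's tcpdump output:
# facility local5 (21) and severity alert (1) give PRI 21*8+1 = 169,
# and the "\012" tcpdump shows is the trailing newline.
CAPTURED = (
    b"<169>snort[433]: [1:466:5] ICMP L3retriever Ping "
    b"[Classification: Attempted Information Leak] [Priority: 2]: "
    b"<eth2> {ICMP} 192.168.17.220 -> 192.168.14.44\n"
)

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def split_pri(datagram):
    """Split a BSD syslog datagram into (pri, msg), as a receiver does
    before template expansion; the trailing newline is not part of $MSG."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    return int(m.group(1)), datagram[m.end():].rstrip(b"\n")


def render(template, pri, msg):
    """Simplified stand-in for syslog-ng template() expansion: only the
    $PRI and $MSG macros and the \\n escape are handled (assumption)."""
    text = template.replace("$PRI", str(pri)).replace("\\n", "\n")
    return text.encode().replace(b"$MSG", msg)


def decode_like_tcpdump(datagram):
    """Strict decoder in the spirit of tcpdump's syslog printer: returns
    (facility, severity, text), or None when no leading <PRI> is present,
    which is the case tcpdump reports as [|syslog]."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7, datagram[m.end():]


def relay_outputs():
    """Return what d_strip_test would send with the post's template and
    with a template that keeps the priority field on the wire."""
    pri, msg = split_pri(CAPTURED)
    stripped = render(r"$MSG\n", pri, msg)        # the post's strip_header
    with_pri = render(r"<$PRI>$MSG\n", pri, msg)  # header kept for the decoder
    return stripped, with_pri
```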