I spent some time yesterday working out the proper regexes to handle the many ways Cisco sends its timestamps, depending on how the device is configured. However, I feel like my solution can be improved upon, so I'd like to see if there's a better way. Here's what I've got so far that seems to be working, though there seems to be a 10-15% CPU penalty at the moment:

```
# Uptime-style timestamps, e.g.:
#4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down
#1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).
filter f_rewrite_cisco_program_3 {
    match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)'
          value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};

# Date/time timestamps, optionally prefixed with "*" or "." and suffixed with a time zone, e.g.:
#Feb 6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up
filter f_rewrite_cisco_program_2 {
    match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)'
          value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};

# Others where MSGONLY starts with PROGRAM
# (facility and mnemonic may contain digits and underscores, e.g. %SYS-5-CONFIG_I, so allow them)
filter f_rewrite_cisco_program {
    match('^(%[A-Z0-9_]+\-\d\-[0-9A-Z_]+): ([^\n]+)'
          value("MSGONLY") type("pcre") flags("store-matches" "nobackref"));
};

rewrite r_cisco_program {
    set("$1", value("PROGRAM")
        condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
    set("$2", value("MESSAGE")
        condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
};
```

This works, but is there a better way?
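As an added example (not part of the post above, and not syslog-ng code), here is one way to collapse the three filters into a single anchored, PCRE-compatible pattern, with the sample lines from the post plus a few more forms IOS can produce run through it. The extra sample lines are constructed for this example, and the additional timestamp forms they exercise (a leading `service sequence-numbers` counter, a four-digit year from `datetime year`, and an `HH:MM:SS` uptime under one day) are my assumptions about IOS output, not something the post states. The pattern deliberately uses only syntax that both Python's `re` and PCRE accept, so the string in `PATTERN` can be pasted into one `match()` with `type("pcre")`.

```python
import re

# Constructed sample lines. The first three are the forms quoted in the post; the remaining
# ones are constructed to exercise other "service timestamps" / "service sequence-numbers"
# output forms (assumed here, not taken from the post).
SAMPLES = [
    "4w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down",
    "1y46w: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with S-COR-02 GigabitEthernet2/15 (40).",
    "Feb 6 16:43:32.219: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up",
    "000042: *Mar  1 00:00:30.123 UTC: %SYS-5-CONFIG_I: Configured from console by console",
    "Feb 6 2014 16:43:32.219 PST: %LINK-3-UPDOWN: Interface FastEthernet2/0/42, changed state to up",
    "00:01:08: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
    "Something that is not a Cisco system message",
]

# One pattern for every timestamp form above. Only syntax shared by Python re and PCRE is used
# ((?P<name>...) named groups are accepted by both), so the same string works in syslog-ng.
PATTERN = (
    r"^"
    r"(?:\d+: )?"                       # optional sequence number ("service sequence-numbers")
    r"(?:[*.]?"                         # "*" = clock not authoritative, "." = NTP not synchronised
    r"(?P<ts>"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r"\s+\d{1,2}(?:\s+\d{4})?"          # day, optional year
    r"\s+\d{1,2}:\d{2}:\d{2}(?:\.\d+)?"  # time, optional milliseconds
    r"(?:\s+[A-Z]{3,4})?"               # optional time zone abbreviation
    r"|\d+[ywdh]\d+[ywdh]"              # uptime of a day or more, e.g. 4w4d, 1y46w, 3d04h
    r"|\d{1,2}:\d{2}:\d{2}"             # uptime under a day, e.g. 00:01:08 (assumed form)
    r"): )?"
    r"(?P<program>%[A-Z0-9_]+-\d-[A-Z0-9_]+): "   # %FACILITY-SEVERITY-MNEMONIC
    r"(?P<message>[^\n]+)$"
)
CISCO_RE = re.compile(PATTERN)


def parse_cisco(msgonly):
    """Split a Cisco system message into its timestamp (or None), program and message.

    Returns None when the line is not a Cisco system message, so callers can leave
    PROGRAM/MESSAGE untouched exactly as the post's conditional set() does.
    """
    m = CISCO_RE.match(msgonly)
    if m is None:
        return None
    return {"ts": m.group("ts"), "program": m.group("program"), "message": m.group("message")}


def rewrite(msgonly, program="cisco"):
    """Mirror the post's rewrite rule: (PROGRAM, MESSAGE) after rewriting, or the input unchanged.

    'program' stands in for whatever PROGRAM syslog-ng already holds for the message.
    """
    parsed = parse_cisco(msgonly)
    if parsed is None:
        return program, msgonly
    return parsed["program"], parsed["message"]


if __name__ == "__main__":
    for line in SAMPLES:
        print(rewrite(line))
```

Because the optional timestamp group is anchored and the program group only accepts the `%FACILITY-SEVERITY-MNEMONIC` shape, a single pattern replaces the three filters, and the two `set()` calls in the post no longer each re-run a three-filter `or` chain per message. The numbered captures are `$1` for the timestamp, `$2` for the program and `$3` for the message, so in the original rewrite the values become `set("$2", value("PROGRAM"))` and `set("$3", value("MESSAGE"))`. Note that the mnemonic class includes `_`, which the post's third filter (`[0-9A-Z]+`) does not; lines such as `%SYS-5-CONFIG_I` need it.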