Hello,

I'm writing patterndb.xml files to filter syslog messages from servers and Cisco routers. Currently, Cisco sends syslog in this format:

Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:50:30 CET Wed Nov 3 2010
Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:53:30 CET Wed Nov 3 2010
Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22] at 15:56:30 CET Wed Nov 3 2010

The problem comes from the program name, which changes for each message: 36779, 36780, 36781, etc. For this reason, I can't use the patterndb mechanism.

How may I solve my problem? I think it's not allowed to change the program name with the "rewrite" rule.

I have the same problem with switches from Alcatel...

Regards,
Yann I.
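
The parsing problem described in the post, as an added Python example that is not part of the original message and is not syslog-ng configuration: it splits the three quoted lines the way an RFC 3164-style parser does, then moves the sequence number out of the program field so the lines can be matched under one stable name. The function names and the "cisco" program label are assumptions.

```python
import re

# Constructed input: the three log lines quoted in the post.
_BODY = "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.0.0.1] [localport: 22]"
SAMPLE = [
    f"Nov 3 15:36:02 srv01.dom.test 36779: .Nov 3 14:50:30.403: {_BODY} at 15:50:30 CET Wed Nov 3 2010",
    f"Nov 3 15:39:02 srv01.dom.test 36780: .Nov 3 14:53:30.255: {_BODY} at 15:53:30 CET Wed Nov 3 2010",
    f"Nov 3 15:42:01 srv01.dom.test 36781: .Nov 3 14:56:30.378: {_BODY} at 15:56:30 CET Wed Nov 3 2010",
]

# BSD-syslog header: timestamp, host, then "tag[pid]: "; the tag is what ends up as the program name.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Cisco body: optional clock marker, device timestamp, %FACILITY-SEVERITY-MNEMONIC: text
CISCO = re.compile(
    r"^[.*]?(?P<dev_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
FIELD = re.compile(r"\[(\w+): ([^\]]+)\]")  # bracketed "[key: value]" pairs in the text


def parse_header(line):
    """Return the header fields as a dict, or None if the line is not BSD-syslog shaped."""
    m = HEADER.match(line)
    return m.groupdict() if m else None


def normalize(line, stable_program="cisco"):
    """Move a numeric sequence number out of 'program' and expose the Cisco fields."""
    rec = parse_header(line)
    if rec is None:
        return None
    body = CISCO.match(rec["msg"])
    if not rec["program"].isdigit() or body is None:
        return rec  # not the sequence-number layout: leave the record untouched
    rec["seq"] = int(rec.pop("program"))
    rec["program"] = stable_program  # assumed label, the same for every message
    rec.update(body.groupdict())
    rec["fields"] = {k.lower(): v for k, v in FIELD.findall(body["text"])}
    return rec


if __name__ == "__main__":
    for line in SAMPLE:
        r = normalize(line)
        print(parse_header(line)["program"], "->", r["program"], r["seq"], r["mnemonic"], r["fields"])
```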