Just realised the examples that were provided only contain IPSec SA data - apologies, but I think you get the idea.

Darten

-----Original Message-----
From: email lists
Sent: Sunday, 11 May 2003 6:06 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: syslog-ng-1.6.0rc3 - problem with incorrect separation of syslog messages from Cisco PIX

<snip>

May 10 11:51:02 192.168.100.252 May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1

The same syslog message SQL formatted to file - same template as program():

BEGIN;
INSERT INTO rawlogs (host, datetime, facility, priority, level, tag, program, msg) VALUES ('192.168.100.252', '2003-05-10 11:51:02', 'local4', 'debug', 'debug', 'a7', 'May', 'May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1, (identity) local= 10.0.0.1, remote= 10.1.1.1, local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, (sa) sa_dest= 10.0.0.1, sa_prot= 50, sa_spi= 0xe859748d(3898176653), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1');
COMMIT;

<snip>
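
Added example, not part of the original thread and not syslog-ng code: a check that finds records like the one above, where a second `<PRI>` header (`<166>`) sits inside a stored message, splits the record at that point and decodes the priority. The function names, the regular expression and the shortened sample are assumptions made for illustration.

```python
import re

# Added example: names and the regex are illustrative, not syslog-ng code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A <PRI> header directly followed by the PIX timestamp "Mon DD YYYY HH:MM:SS: %PIX-".
# Requiring the timestamp avoids splitting on a stray "<123>" inside message text.
EMBEDDED = re.compile(
    r"<(\d{1,3})>(?=[A-Z][a-z]{2} [ \d]\d \d{4} \d{2}:\d{2}:\d{2}: %PIX-)")

def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def split_merged(msg):
    """Return [(pri_or_None, text), ...]; more than one item means frames were merged."""
    parts, last, pri = [], 0, None
    for m in EMBEDDED.finditer(msg):
        if int(m.group(1)) > 191:
            continue  # not a valid PRI, leave it as message text
        parts.append((pri, msg[last:m.start()]))
        pri, last = int(m.group(1)), m.end()
    parts.append((pri, msg[last:]))
    return parts

# Constructed sample, shortened from the record in the post above.
SAMPLE = ("May 10 2003 01:51:02: %PIX-7-702301: lifetime expiring, (sa) sa_dest= 10.0.0.1, "
          "local_proxy= 192<166>May 10 2003 01:51:02: %PIX-6-602302: deleting SA, "
          "(sa) sa_dest= 10.0.0.1, sa_conn_id= 1")

if __name__ == "__main__":
    for pri, text in split_merged(SAMPLE):
        label = "%s.%s" % decode_pri(pri) if pri is not None else "(PRI of outer frame)"
        print(label, "|", text)
```

Run over the `msg` column of a table such as `rawlogs`, any row for which `split_merged` returns more than one part holds a second event that was stored under the first event's host, time and priority.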