Hi,

This filter might slow down logging of a large amount of logs (100k+ EPS), but works fine:

    filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
    filter f_messages { not facility(news, mail) and not filter(f_iptables); };

This example is from the default openSUSE syslog-ng configuration. You can check the whole file at https://build.opensuse.org/projects/home:czanik:syslog-ng-githead/packages/s...

Peter

Peter Czanik (CzP) <peter.czanik@oneidentity.com>
Balabit (a OneIdentity company) / syslog-ng upstream
https://syslog-ng.com/community/
https://twitter.com/PCzanik
________________________________
From: A <dima@anche.no>
Sent: Sunday, December 28, 2025 07:05
To: syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng]iptables.log

How to exclude such lines from logging?
IN=net0 OUT= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=xx TOS=0xxx PREC=0xxx TTL=xx ID=xxxx DF PROTO=xxx SPT=xxxx DPT=137 WINDOW=xxxxx RES=0xxx XXX URGP=X
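
Added example, not part of the original thread and not copied from the openSUSE file: one way to wire the two filters from the reply into log paths so that lines like the sample above stay out of the general log. The source name src, the destination names and the file paths are assumptions; merge the fragment into a configuration that already has its own @version line and source definition.

```conf
# Assumption: a source named "src" is already defined elsewhere in
# syslog-ng.conf. Rename it here to match your configuration.

# Kernel-facility messages that carry both netfilter LOG fields.
# The sample line matches even though its OUT= value is empty.
filter f_iptables {
    facility(kern) and message("IN=") and message("OUT=");
};

# General log: everything except news/mail and the firewall lines.
filter f_messages {
    not facility(news, mail) and not filter(f_iptables);
};

# Hypothetical destination names and paths.
destination d_firewall { file("/var/log/firewall"); };
destination d_messages { file("/var/log/messages"); };

# Variant A: keep the firewall records, but in their own file, so they
# remain available for later investigation.
log { source(src); filter(f_iptables); destination(d_firewall); };

# Variant B (use instead of A to discard the lines completely):
# a log path with no destination and flags(final) stops processing of
# matching messages. It must come before the other log paths, because
# "final" only affects the log statements that follow it.
# log { source(src); filter(f_iptables); flags(final); };

# General log path. The "not filter(f_iptables)" term in f_messages is
# what keeps the firewall lines out of /var/log/messages in variant A.
log { source(src); filter(f_messages); destination(d_messages); };
```

After editing, `syslog-ng --syntax-only` checks the configuration without starting the daemon.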