Hi All.

I'm trying to set up a central syslog-ng server for my Exchange servers. On the Windows servers I use the Epilog agent (brother of Snare) to forward tracking logs to the central syslog, and I want to feed the logs into MySQL.

The problem is that an event sent by Epilog consists of four fields: Date, System, Type and Strings. But I don't need them. The actual content of the tracking log -- some 20 fields -- is hidden in the String. So I need to parse the String to obtain the fields I'm interested in.

According to the syslog-ng admin guide:

    The host(), match(), and program() filter functions accept extended regular expressions (also called POSIX modern regular expressions) as parameters. The regular expressions can use up to 255 regexp matches ($1 ... $255). For case-insensitive searches, start the expression with the (?i) string.

So I tried regexps to do this, but without success. My idea was to use a grouping regexp, which would remember matches in $1 .. $20, and use these in the template section.

Say the format is: field1\011field2\011, so fields in the String are separated by '\011'. I tried:

    filter f_parse { match("([^\\011]*)\\011([^\\011]*)\\011"); };

but when I try to use $1 and $2 afterwards in the template, they seem empty.

Am I completely wrong with this approach, or have I missed something?

Thanks in advance,
Jan