Hi there

I brought this up a couple of weeks ago ("How does regex work with HOST definitions?") and I now think it's a bug.

Basically, if you call HOST as part of a template call such as:

    template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")

or

    file("/var/log/syslog/$HOST/$YEAR/$MONTH/$DAY")

then HOST is *the first syslog client* sending the syslog record (assuming keep_hostname is set). I.e. HOST might be the actual client that physically sent the record - or it might be the client gatewayed through a previous syslog server.

However, if you are referring to the remote syslog client via a regex in a filter, such as

    filter f_process_TIBS { host("-ids-"); };

then it appears that "host" is literally *the last syslog client* - instead of *the first syslog client*.

E.g. if you have a syslog client (clientA) that forwards to serverB, and serverB forwards to serverC, then for a particular clientA record, HOST on serverC is "clientA", but "host" refers to "serverB".

I can see this by using lsof. I can see that the likes of /var/log/syslog/clientA/2005/10/17/filename is open for write, although the clientA hostname doesn't match the filter associated with that path - but the serverB that clientA gateways through does...

Can someone check if this is true? My problem is that the above filter on "serverC" basically matches all syslog clients, whereas running the same config on serverB only matches the appropriate clientA hosts - as I want.

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1