It seems like there are a LOT of these. Isn't it possible to make some options to handle them?

I was thinking of options, but... what about this? Check the hostname of the message against the hostname using DNS and see if they match. If not, shift the message over and put the hostname in - and perhaps label it to show that it was inserted....

So a message from 192.168.3.3 (hostname folly) that contained no hostname but said: "last message repeated 5 times" would then become:

    Jun-XX XX:XX:XX folly* last message repeated 5 times

...and the log might look like this:

    Jun-XX XX:XX:XX folly su: access denied
    Jun-XX XX:XX:XX folly* last message repeated 5 times
    Jun-XX XX:XX:XX folly --mark--

Well? Only problem I could see is if the hostname in the syslog entry doesn't match the name of the host as a normal event; I don't see this happening. This does, however, generate more DNS traffic, unless you cache the entries - maybe within syslog-ng.
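The proposal in this message, sketched as an added example (not part of the original post and not syslog-ng code): reverse-resolve the sender's address, cache the answer, and insert the name with a `*` marker when the line's host field does not match. The BSD-style timestamp, the short-name comparison and the names `make_resolver` and `fix_line` are assumptions made for this sketch.

```python
import re
import socket

# Constructed assumption: BSD-style "Mon DD HH:MM:SS" timestamp, then the rest.
TS = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")

def make_resolver(lookup=socket.gethostbyaddr):
    """Return a caching reverse-DNS resolver (hypothetical helper)."""
    cache = {}
    def resolve(ip):
        if ip not in cache:
            try:
                # Compare on the short name, so "folly.example.com" -> "folly".
                cache[ip] = lookup(ip)[0].split(".")[0]
            except OSError:
                # No PTR record: fall back to the address, and cache that too
                # so a silent host does not trigger a lookup per message.
                cache[ip] = ip
        return cache[ip]
    return resolve

def fix_line(src_ip, line, resolve):
    """Insert 'name*' when the line's host field is not the sender's DNS name."""
    m = TS.match(line)
    if not m:
        return line  # unknown layout: leave untouched
    ts, rest = m.groups()
    name = resolve(src_ip)
    if rest.split(" ", 1)[0].lower() == name.lower():
        return line  # hostname already present and matching
    # The '*' records that the name came from the collector's DNS lookup,
    # not from the sender, so a reader knows how far to trust it.
    return f"{ts} {name}* {rest}"

if __name__ == "__main__":
    # Constructed sample: stub lookup so the demo runs offline.
    stub = lambda ip: ("folly.example.com", [], [ip])
    resolve = make_resolver(stub)
    for raw in ("Jun 12 04:05:01 folly su: access denied",
                "Jun 12 04:05:06 last message repeated 5 times",
                "Jun 12 04:20:00 folly --mark--"):
        print(fix_line("192.168.3.3", raw, resolve))
```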