Running OSE version 3.38.1 and having difficulty with a rewrite rule. The logs that I'm trying to modify look like: 2024-09-12T06:39:31-05:00 hostname kernel: [*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML] ... What I am trying to do is remove the extra timestamp in square brackets (the first field in square brackets above.) My rewrite rule looks like: rewrite r_bracketed_ts { subst( '^[.+]\s', '', type(pcre), value("MESSAGE")); }; It is invoked from this log statement: log { source(s_BSD_UDP_514); filter(f_something); rewrite(r_bracketed_ts); destination(d_something); flags(final,flow-control); }; The problem is that the rewrite appears to do nothing; log entries come out unmodified. Am I missing something? Thank you - Jon Wilson