I seem to be doing something wrong with my pattern matching and was hoping that some one would help me. I am trying to filter out the following: Dec 13 18:31:48 src@system.domain.com kernel: keyboard.c: can't emulate rawmode for keycode 272 Here are the matching filters that I am using: filter f_db { not match("emulate rawmode for keycode") or not match("kernel: keyboard.c: "); }; filter f_discard { match("emulate rawmode for keycode") or match("kernel: keyboard.c: "); }; The first filter f_db does not seem to prevent these messages from being written, while the second filter f_discard seems to work just perfectly in grabbing only those matches. I would like to filter out these messages since they are not really of any use to me, but cannot filter based off of facility, nor level since other messages which are useful to me would be lost. Richard