I notice that logs from Solaris clients are different than those from Linux:

Jan 20 05:46:34 syslog syslog-ng[16592]: STATS: dropped 0
Jan 20 05:46:43 ssh-gateway sshd(pam_unix)[4416]: session closed for user logadm
Jan 20 05:48:48 db-0201 su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???

In this sampling db-0201 is a Solaris 9 box, syslog is a SLES9 box, and ssh-gateway is a RH9 box.

I noticed that the Solaris log entry has [ID 366847 auth.info] whereas the Linux entry has syslog-ng[16592]. I'm trying to parse these files and store in a database but don't see what exactly these fields are or what is generating them. I am assuming syslog-ng is adding this field since the copy of the log entry in the local /var/adm/messages file does not contain this.

So my question is why is it different for Solaris and Linux and can this behavior be changed? The log entry from the Linux box appears to contain the pid appended to the daemon name but the Solaris entry looks like some kind of internal syslog-ng message id.

What is the breakdown of the fields in a syslog-ng log entry? Is this correct?

field 1: <timestamp>
field 2: <hostname>
field 3: <daemon generating log entry>
field 4: ? <unknown>
field 5: <log content>

Thx
CC

=====
Chuck Carson - Sr. Systems Engineer
Syrrx, Inc. - www.syrrx.com
10410 Science Center Drive
San Diego, CA 92121
Work: 858.622.8528
Fax: 858.550.0526
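
Added example, not part of the original post: a Python parser for the three sample lines above that accepts both layouts by treating the program[pid] suffix and the [ID msgid facility.level] block as optional fields. The field names, the regular expression and the "logs" table are assumptions made for illustration; values are inserted with bound parameters because the message text is whatever the sending host supplied.

```python
import re
import sqlite3
# Constructed sample: the three log lines quoted in the post.
SAMPLE = [
    "Jan 20 05:46:34 syslog syslog-ng[16592]: STATS: dropped 0",
    "Jan 20 05:46:43 ssh-gateway sshd(pam_unix)[4416]: session closed for user logadm",
    "Jan 20 05:48:48 db-0201 su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???",
]
FIELDS = ("timestamp", "host", "program", "pid", "msgid", "facility", "level", "message")

# Assumed layout (hypothetical field names): timestamp host program[pid]: [ID n fac.lvl] message
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<program>[^\s:\[]+)"            # may carry a suffix such as "(pam_unix)"
    r"(?:\[(?P<pid>\d+)\])?"             # optional [pid], as in the Linux samples
    r":\s"
    r"(?:\[ID\s(?P<msgid>\d+)\s"         # optional tag, as in the Solaris sample
    r"(?P<facility>\w+)\.(?P<level>\w+)\]\s)?"
    r"(?P<message>.*)$"
)

def parse_line(line):
    """Return a dict keyed by FIELDS, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "msgid"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec

def store(lines, db):
    """Insert parsed lines using bound parameters; return the lines that failed to parse."""
    db.execute("CREATE TABLE IF NOT EXISTS logs (%s)" % ", ".join(FIELDS))
    rejected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)        # keep unparsed input for review, never drop it
            continue
        db.execute("INSERT INTO logs VALUES (?,?,?,?,?,?,?,?)", [rec[f] for f in FIELDS])
    return rejected

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print("rejected:", store(SAMPLE, db))
    print(db.execute("SELECT host, program, pid, msgid, facility, level FROM logs").fetchall())
```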