I am running syslog-ng 1.8.6 on my central syslog server. The syslog clients run standard syslog daemons that come with the operating systems. Solaris, Cisco, etc. I have noticed in my syslog-ng database (mysql) that there are many entries like these. (two separate rows) | 192.168.11.27 | kern | info | info | 06 | 2005-11-05 | 22:37:20 | scsi | scsi: [ID 365881 kern.info] /sbus@2,0/QLGC,isp@1,10000 (isp0): | 512925 | ------------------------------------------------------------------------- | Firmware | kern | info | info | 06 | 2005-11-05 | 22:37:20 | Version | Version: v1.37.5, Customer: 15, Product: 0 | 512926 | These seem to be the result of syslog-ng incorrectly (or the remote client) parsing the syslog message. This is the original syslog messages that the Solaris 9 client logs to its logs. Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] /sbus@a,0/QLGC,isp@1,10000 (isp1): Nov 5 22:37:20 lefou Firmware Version: v1.37.5, Customer: 15, Product: 0 As you can see the original is two separate messages as well but what gets logged to syslog-ng's database doesn't contain the hostname for the second message. In the second entry.. the hostname is listed as "Firmware" I have found many examples of these multiline messages being parsed incorrectly if you need more. Any ideas? Thanks, Mike Another example... Nov 5 22:37:20 lefou scsi: [ID 365881 kern.info] /sbus@3,0/SUNW,fas@3,8800000 (fas0): Nov 5 22:37:20 lefou rev 2.2 FEPS chip | 192.168.11.27 | kern | info | info | 06 | 2005-11-05 | 22:37:20 | scsi | scsi: [ID 365881 kern.info] /sbus@3,0/SUNW,fas@3,8800000 (fas0): | 512932 | | rev | kern | info | info | 06 | 2005-11-05 | 22:37:20 | | 2.2 FEPS chip | 512933 |