Hi list A system XYZ produces "csv-like" logs. Fields are separated by whitespace and different columns have different meanings. The column titles are not included in log messages. I would like to rewrite the log messages so that the column title is prefixed to each column contents. For example: qwerty asdfg zxcvb 12345 would be rewritten to system=qwerty action=asdfg flags=zxcvb result=12345 In perl that would be accomplished by backreferences, e.g. s/(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/system=$1 action=$2 flags=$3 result=$4/ This does not seem to work with syslog-ng rewrite rules out of the box. This is what I have tried: rewrite test_columns{subst("(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", "system=$1 action=$2 flags=$3 result=$4", value("MESSAGE"));}; The rewriting works without regexp, so I assume that the configuration syntax is correct. Is this possible with syslog-ng? If not using rewrite engine, does syslog-ng support feeding the logs through an external script? The system that produces the logs cannot be changed. The syslog-ng version is 3.0.4 Thanks .................................................................... Luukku Plus -paketilla pääset eroon tila- ja turvallisuusongelmista. Hanki Luukku Plus ja helpotat elämääsi. http://www.mtv3.fi/luukku