I have an idea for a filter function: I would like to filter messages through an external program, ideally spawned as a child process like the 'program()' destination target. This could serve 2 functions:

1. Perform more complex filtering, or dynamic filtering based on input from a database or other 3rd source.
2. Reformat the messages as they pass through the filter.

A message could be sent to the external process via STDIN, it is evaluated and conditionally sent back via STDOUT. If a message is to be dropped according to the filter criteria of the external process, it would have to send back a NULL character to syslog-ng as an indicator. A process could send an excessively verbose or obscure message to syslog-ng, and the external filter process could re-write the message and pass it back to syslog-ng for continued routing and handling.

This would be extremely handy for handling syslog input from Windows NT/2K event logs. For example, right now, events from my Windows boxes start like this in syslog:

    Dec 4 16:04:02 host 275891:Tue Dec 04 16:04:02 2001: host/process...

The message itself contains the time stamp, host name, and process; and the process name supplied to syslog-ng is actually the event ID in the event log. There is no way to modify the output on the Windows end, but I would like to rewrite the message on my end.

Also the event log output can be quite verbose: "A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. Logon Process name:... " This could easily be condensed by either hard coding a translation, or writing a filter to drop extraneous words: 'a, the', and abbreviating others: 'proc., w/, req.'.

I realize that you could set up a program as a destination, and have that program filter and format and re-send those messages to syslog, but that seems cumbersome, and also could potentially double the processing that syslog-ng would have to do.

Comments?

P.S.: For the curious: I'm using Adiscon Event Reporter http://www.eventreporter.com/ Having evaluated a few event log/syslog wedges, this is the best.
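
The filter process proposed in the message above, as an added example that is not part of the original post and not syslog-ng code. It assumes one message per line on STDIN, a reply line holding a single NUL when the message is to be dropped, and a `host/process: text` layout after the duplicated timestamp; `DROP_IDS` and the abbreviation table are constructed for illustration.

```python
import re
import sys

# Layout assumed from the post's sample: syslog header, event ID in the
# program-name slot, a duplicated timestamp, then "host/process: text".
EVENT = re.compile(
    r"^(?P<hdr>\w{3}\s+\d+ \d\d:\d\d:\d\d \S+) (?P<id>\d+):"
    r"\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}: "
    r"\S+/(?P<proc>[^:\s]+): (?P<msg>.*)$"
)
STOPWORDS = {"a", "the"}
ABBREV = {"process": "proc.", "with": "w/", "requests": "req."}
DROP_IDS = {"9999"}          # hypothetical event IDs to discard
DROP = "\0"                  # the post's proposed drop indicator
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def condense(text):
    """Drop filler words and abbreviate others, as the post suggests."""
    words = []
    for w in text.split():
        if w.lower() in STOPWORDS:
            continue
        words.append(ABBREV.get(w.lower(), w))
    return " ".join(words)


def filter_line(line):
    """Return the rewritten message, or DROP if it should be discarded."""
    # NUL is the in-band drop marker, so no control byte from the sender
    # may survive into a line that is passed back.
    line = CONTROL.sub(" ", line)
    m = EVENT.match(line)
    if m is None:
        return line          # unknown format: pass through, never lose it
    if m["id"] in DROP_IDS:
        return DROP
    return f'{m["hdr"]} {m["proc"]}[{m["id"]}]: {condense(m["msg"])}'


if __name__ == "__main__":
    for raw in sys.stdin:    # one message per line in, one reply per line out
        sys.stdout.write(filter_line(raw.rstrip("\n")) + "\n")
        sys.stdout.flush()   # unbuffered, so the parent is never left waiting
```

Lines that do not match the assumed layout are passed back unchanged, so a format change on the sending side degrades the rewriting rather than losing log data.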