I have successfully written parsers for unstructured logs, but would like to be able to leverage SDATA. Based on what I have researched so far, I have built the following skeleton conf file for writing to mongodb #####Filter##### filter f_session_close {message("RT_FLOW_SESSION_CLOSE");}; #####Destinations##### destination d_mongodb_close { mongodb( collection("close") value-pairs( scope(rfc5424 sdata) ) ); }; #####Log##### log { source(s_network); filter(f_session_close); destination(d_mongodb_close); }; With this in mind, I get the following logs with only the rfc5424 scope: "DATE" : "Oct 5 20:40:21", "FACILITY" : "user", "HOST" : "192.168.199.2", "MESSAGE" : "2012-10-05T20:40:20.444 SRX100 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address=\"192.168.199.207\" source-port=\"55625\" destination-address=\"130.57.4.24\" destination-port=\"80\" service-name=\"junos-http\" nat-source-address=\"50.193.12.149\" nat-source-port=\"28178\" nat-destination-address=\"130.57.4.24\" nat-destination-port=\"80\" src-nat-rule-name=\"source-nat-rule\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"trust-to-untrust\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"61189\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"vlan.0\"]", "PRIORITY" : "info", "PROGRAM" : "1", "_id" : ObjectId("506fa825817f52de65000001") When using the SDATA scope, I only get an object id. None of the structured data is ever parsed. Is there something special I need to do to parse the structured portion of the messge? Chris