Hi all, I am trying to configure a pattern for the following log entry in syslog-ng 3.6.4: idpsnort01 09/03-13:18:41.935109 [**] [3:19187:6] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] [AppID: dns] {UDP} 80.58.61.250:53 -> 10.196.0.67:60941 My pattern is: <pattern>@ESTRING:s3: @@ESTRING:: @@ESTRING:: [**]@ @QSTRING:s0:[]@ @ESTRING:s1: [**] [@Classification:@QSTRING:s2: ]@ [Priority : @NUMBER:i0:@] @@[AppID: @QSTRING:s4: ] @QSTRING:i1:{}@ @IPv4:i2:@:@NUMBER:i3:@ -> @IPv4:i4:@:@NUMBER:i5:@</pattern> If you try it, you can see it doesn't works. Problem is with the following part of the message: [Priority: 1] [AppID: dns] I need to escape "] [AppID:" and catch "dns" field, but I have tried some configs withut luck. Any idea?? Many thanks.