Good morning all,

I'm having difficulties getting my rewrite statement to work properly. I've been spending more hours than I care to admit poring through docs, examples, etc. and just can't get it. (I really thought I was on the right track from a post in the May archives.)

In short, I am using syslog-ng 3.4.2 to receive my Windows event logs. There are several common Windows events that include a detailed description of the event EVERY TIME that I am trying to drop before writing to my syslog server, leaving just the meat.

I originally wanted to start my testing by replacing a single word (i.e. the word "interactive", so that I could make sure the rewrite rule was working before I tweaked my regex). However, whenever I add my rule it's not logging any event that matches at all, and I'm not sure why. I'm doing a tail on the log file and it just doesn't write (literally) anything at all.

My examples...

    source s_syslog { udp(ip(0.0.0.0) port(514)); };

    destination d_allwindows {
        file("/syslog/log/windows/hosts/$HOST/$R_YEAR/$R_MONTH/$R_DAY/$HOST$YEAR$MONTH$DAY" create_dirs(yes));
    };

    rewrite r_rewrite_4624_2 { subst("interactive", "QuackApple", value("MSGONLY")); };

("interactive" is contained in the message, so it was an easy one to pick out for testing, and I used the string "QuackApple" as the replacement as I know it won't naturally appear, so I can search on it easily.)

    log {
        source(s_syslog);
        filter(f_allwindows);
        rewrite(r_rewrite_4624_2);
        destination(d_allwindows);
    };

With these rules in place, the log is actually dropped, not rewritten. If I change my rewrite rule to be something not found (i.e. replace "interactive" with "ZZowkr"), then the events start showing up in the tail again.

Thanks!

Dave Vernon