Better still, you can use iptables' log-prefix option to make it easier for syslog-ng to regex match iptables entries. Something like:

    iptables -t filter -N droplog
    iptables -t filter -A droplog -j LOG --log-prefix "iptables: warning: DROP: " --log-level warning
    iptables -t filter -A droplog -j DROP

And then in syslog-ng.conf:

    filter iptables { match("^iptables: "); };

or similar should work I believe. This assumes fine-grained total control over all the syslogging iptables entities of course - if you're just capturing logs from Smoothwall or some other embedded Linux product you may not be quite so lucky.

Ted
Ted_Rule@flextech.co.uk
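
The prefix-based matching described in the message above, as an added example that is not part of the original post: a Python sketch that recognises the droplog prefix in kernel messages, parses the LOG target's fields, and tallies drops per source address and destination port. The sample lines are constructed, the function names are hypothetical, and the optional timestamp handling assumes a kernel that prepends printk timestamps, which a bare "^iptables: " anchor would not match.

```python
import re

# Prefix set by --log-prefix in the droplog chain above.
PREFIX = "iptables: warning: DROP: "

# Same anchor as the syslog-ng filter, but tolerating a leading
# "[ 1234.567890] " timestamp (assumption: printk timestamps enabled).
PREFIX_RE = re.compile(r"^(?:\[\s*\d+\.\d+\]\s+)?" + re.escape(PREFIX))

# KEY=value pairs written by the LOG target after the prefix.
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_drop(message):
    """Return a dict of LOG fields for a droplog entry, else None."""
    m = PREFIX_RE.match(message)
    if m is None:
        return None
    rest = message[m.end():]
    fields = dict(FIELD_RE.findall(rest))
    # Bare tokens such as DF or SYN carry no "=" and are kept as flags.
    fields["FLAGS"] = [tok for tok in rest.split() if "=" not in tok]
    return fields


def summarize(messages):
    """Count dropped packets per (source address, destination port)."""
    counts = {}
    for msg in messages:
        fields = parse_drop(msg)
        if fields is None:
            continue  # not a droplog entry
        key = (fields.get("SRC"), fields.get("DPT"))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample messages (message part only, documentation addresses).
SAMPLE = [
    "iptables: warning: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TTL=52 ID=4242 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 SYN URGP=0",
    "[ 1234.567890] iptables: warning: DROP: IN=eth0 OUT= SRC=192.0.2.10 "
    "DST=198.51.100.5 LEN=60 TTL=52 ID=4243 DF PROTO=TCP SPT=40113 DPT=23 SYN URGP=0",
    "iptables: warning: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 "
    "LEN=71 TTL=48 ID=9 PROTO=UDP SPT=5353 DPT=161 LEN=51",
    "eth0: link up, 100Mbps, full-duplex",
    "note: rule comment mentions iptables: warning: DROP: but is not anchored",
]

if __name__ == "__main__":
    for (src, dpt), n in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> port {dpt}: {n} dropped")
```
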