Good afternoon.

I use a linux box as a concentration point for the system logs of several NT servers I monitor. This is done through services running on the NT machine which provide standard syslog functionality -- they forward any messages written to the NT event log to a destination I specify.

The format in which the messages are received is somewhat irritating, e.g.:

    Jul 12 17:36:25 1.2.3.4 Thu Jul 12 17:34:00 2001: SOMEHOST/Security (528) - "Successful Logon: User Name: xservice Domain: SOMEDOMAIN Logon ID: (0x0,0x34616CAB) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SOMESTATION"

A large number of the messages we receive we'd prefer not to log to disk. I set up a destination pointing to /dev/null for this purpose. My intention is to use regular expressions to separate useful messages from the useless (and repetitive) ones.

As an example of the above, I defined a filter as follows:

    filter f_nt0001 { match("Security (528)"); };

As well as a log rule as follows:

    log { source(src); filter(f_nt0002); destination(null); };

However, I'm having issues getting the match rule to work. I suspect it's the parentheses, since AFAIK they're supposed to be a regexp-reserved character. If, however, I escape them with \( messages received which fall into this category don't hit the filter.

I know there's something fundamentally obvious that I'm overlooking here but I can't figure it out. Can anyone offer any assistance?

Regards,
Michael Hargadon
mhargadon@itdepartment.com
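To illustrate the regex point behind the question, here is an added Python example (not part of the original post or of syslog-ng) that parses constructed lines in the NT relay format quoted above and compares the unescaped pattern from the post against a version with escaped parentheses; the field names, the drop list and the `classify` routing are assumptions for the demonstration. Note that syslog-ng processes backslash escapes inside its own quoted config strings, so the backslash is typically written doubled there (`\\(`), which should be checked against the version in use.

```python
import re

# Constructed sample lines in the format quoted in the post (not real log data).
SAMPLE_LINES = [
    'Jul 12 17:36:25 1.2.3.4 Thu Jul 12 17:34:00 2001: SOMEHOST/Security (528) - '
    '"Successful Logon: User Name: xservice Domain: SOMEDOMAIN Logon Type: 3"',
    'Jul 12 17:36:26 1.2.3.4 Thu Jul 12 17:34:01 2001: SOMEHOST/Security (529) - '
    '"Logon Failure: User Name: guest Domain: SOMEDOMAIN Logon Type: 3"',
    'Jul 12 17:36:27 1.2.3.4 Thu Jul 12 17:34:02 2001: SOMEHOST/Security 528 - "bogus"',
]

# Relay line layout (assumed from the quoted sample):
#   <syslog ts> <relay ip> <NT ts>: <HOST>/<Source> (<event id>) - "<message>"
NT_EVENT = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) '
    r'(?P<nt_ts>.+?): (?P<host>[^/ ]+)/(?P<source>\w+) \((?P<event_id>\d+)\) - "(?P<msg>.*)"$'
)

def parse_nt_event(line):
    """Return a dict of fields, or None if the line is not in the NT relay format."""
    m = NT_EVENT.match(line)
    return m.groupdict() if m else None

def matches(pattern, line):
    """Emulate an unanchored match(): regex search anywhere in the line."""
    return re.search(pattern, line) is not None

# The pattern from the post, unescaped: "(528)" is a capture group, so the regex
# only matches the text "Security 528" and never the literal "Security (528)".
UNESCAPED = r"Security (528)"
# Escaped parentheses match the literal text the NT relay actually sends.
ESCAPED = r"Security \(528\)"

def classify(line, drop_ids=frozenset({"528"})):
    """Route a line: 'null' for event IDs we do not want on disk, else 'disk'."""
    ev = parse_nt_event(line)
    if ev is not None and ev["event_id"] in drop_ids:
        return "null"
    return "disk"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(matches(UNESCAPED, line), matches(ESCAPED, line), classify(line))
```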