Hi all,

I have had an ongoing problem with snarecore and syslog-ng, and this is also happening with LogLogic's Lasso agent too. For some services it makes sense that the system just store the messages without the syslog header, for example IIS logs, Apache logs and other misc application logs. Wanting to save having to perform any post-processing, I figured I would set up a specific listener for those applications, allowing syslog to log to /someplace/with/lots/of/storage/YYYY/MM/DD/raw.program.servername.

Using both the Windows agents mentioned above, the macros $PROGRAM and $MSGONLY break. $PROGRAM is expanded into some ungodly form (MSWinEventLog\0110\011System\011325\011Mon....) and the MSGONLY macro is garbled. My logic tells me this is due to syslog-ng not detecting the syslog header being sent by Snare or Lasso properly... or it is Snare and Lasso sending the incorrect header format.

I can survive without the $PROGRAM macro working correctly. The MSGONLY macro is a bit more of a pain though; I would rather use the native capabilities of syslog-ng. I have just updated to 2.0.9 (from Debian Lenny) to confirm this is still a problem for me. I see 3.0.x is out but am not sure if this is something that would be corrected if I went down that path.

Thanks,
Stewart
participants (1)
-
Stewart James
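The following is an added example, not code from the post above or from syslog-ng or Snare. It models, in a few lines, the BSD-syslog (RFC 3164) header heuristic that turns a tab-delimited Snare record into the "MSWinEventLog\0110\011System\011325\011Mon" value seen for $PROGRAM (\011 is octal for TAB, and the program token ends at the first space, which is the one inside Snare's "Mon Jan ..." date column), and then splits the Snare payload on TAB itself so the fields can be used to build the YYYY/MM/DD/raw.program.servername path. The sample line is constructed; the column names after the date are an assumption about the Snare layout, not something the post confirms, and the parser is a simplified model rather than syslog-ng's actual code.

```python
"""Added example (not from the original post, syslog-ng or Snare).

Models the RFC 3164 header heuristic that garbles $PROGRAM/$MSGONLY on a
tab-delimited Snare record, then splits the record on TAB instead.
"""
import re
from datetime import datetime

# Constructed sample: syslog header, then a Snare-style tab-separated record.
# The TABs are what the post shows as \011 once syslog-ng escapes them.
SAMPLE = (
    "<13>Jan  5 10:21:43 WINSRV01 "
    "MSWinEventLog\t0\tSystem\t325\tMon Jan 05 10:21:43 2009\t7036\t"
    "Service Control Manager\tN/A\tN/A\tInformation\tWINSRV01\tNone\t\t"
    "The Example service entered the running state.\t42"
)

# <PRI>Mmm dd hh:mm:ss hostname rest
HEADER_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S
)


def escape_ctrl(s):
    """Render control characters as octal escapes, e.g. TAB -> \\011."""
    return "".join(c if 32 <= ord(c) < 127 else "\\%03o" % ord(c) for c in s)


def naive_parse(line):
    """Simplified model of the BSD-syslog heuristic (not syslog-ng's code):
    PRI, timestamp, hostname, then PROGRAM runs to the first ' ', ':' or '['.
    With a tab-separated payload the TABs do not terminate the token, so
    PROGRAM swallows several Snare columns and MSGONLY starts mid-date."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 header")
    _pri, _ts, host, rest = m.groups()
    program = re.match(r"[^ :\[]*", rest).group(0)
    msgonly = rest[len(program):].lstrip(" :")
    return {"host": host, "program": escape_ctrl(program), "msgonly": msgonly}


# Assumed Snare column order; only the first five are visible in the post.
SNARE_FIELDS = [
    "agent", "criticality", "eventlog", "counter", "datetime", "event_id",
    "source_name", "user", "sid_type", "event_type", "computer", "category",
    "data", "expanded", "checksum",
]


def parse_snare(rest):
    """Split the payload on TAB instead of trusting the program heuristic."""
    parts = rest.split("\t")
    if parts[0] != "MSWinEventLog" or len(parts) < len(SNARE_FIELDS):
        raise ValueError("not a Snare Windows event-log record")
    return dict(zip(SNARE_FIELDS, parts))


def raw_path(base, when, program, host):
    """base/YYYY/MM/DD/raw.program.servername, as in the post. Name parts
    are sanitised so an attacker-controlled PROGRAM or hostname cannot add
    path separators or leading dots to the destination."""
    def safe(s):
        return re.sub(r"[^A-Za-z0-9_.-]", "_", s).strip(".") or "unknown"
    return "%s/%s/raw.%s.%s" % (
        base, when.strftime("%Y/%m/%d"), safe(program), safe(host))


def destination_for(line, base):
    """End to end: header -> TAB split -> dated raw.program.host path."""
    parsed = naive_parse(line)
    rec = parse_snare(HEADER_RE.match(line).group(4))
    when = datetime.strptime(rec["datetime"], "%a %b %d %H:%M:%S %Y")
    return raw_path(base, when, rec["agent"], parsed["host"])


if __name__ == "__main__":
    bad = naive_parse(SAMPLE)
    print("PROGRAM as the heuristic sees it:", bad["program"])
    print("MSGONLY as the heuristic sees it:", bad["msgonly"][:40], "...")
    print(destination_for(SAMPLE, "/someplace/with/lots/of/storage"))
```

The point of the first half is diagnostic: the garbled $PROGRAM in the post is exactly what a "program runs to the first space or colon" rule produces on a payload whose delimiters are TABs, so it is the header heuristic, not the agent's header, that is mismatched with the record. The second half is the workaround when the macros cannot be trusted: keep the whole payload (in syslog-ng a source with flags(no-parse) leaves it intact in $MSG) and split it on TAB downstream.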