Hi! I'm trying to mask out snmptrap from different hosts.... I've created:

    filter f_snmptrapd_test { program(snmptrapd) and match("snmptrapd\[[0-9]{1,5}\]: (192.168.0.230|192.168.0.231|192.168.1.230|192.168.1.231|192.168.1.232): "); };

The question is just the match() statement.... Is snmptrapd included for usage with match (since snmptrapd is the program)? If not, how much of the message below is the string used for the regular expression with match()?

    Jun 25 11:26:56 sigma snmptrapd[16138]: 192.168.1.230: Enterprise Specific Trap (1) Uptime: 121 days, 21:32:17.60, OLD-CISCO-TS-MIB::tslineSesType.1.1 = INTEGER: telnet(5), RFC1213-MIB::tcpConnState.192.168.1.230.23.192.168.1.178.43819 = INTEGER: synReceived(4), OLD-CISCO-TCP-MIB::loctcpConnElapsed.192.168.1.230.23.192.168.1.178.43819 = Wrong Type (should be Timeticks): INTEGER: 1150, OLD-CISCO-TCP-MIB::loctcpConnInBytes.192.168.1.230.23.192.168.1.178.43819 = INTEGER: 110, OLD-CISCO-TCP-MIB::loctcpConnOutBytes.192.168.1.230.23.192.168.1.178.43819 = INTEGER: 420, OLD-CISCO-TS-MIB::tsLineUser.1 = ""

Or how do I mask traps from specific hosts into a separate logfile?

Regards,
/Brian
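An added example, not part of the original post, that makes the question testable: it splits the sample line into the fields syslog-ng exposes as $PROGRAM, $PID and $MESSAGE, then applies both the regex from the post and a message-only alternative to the part match() is assumed to see. The assumption here is that match() without a value() parameter is tested against the MESSAGE part only (the text after "snmptrapd[16138]: "), which is exactly what the question asks and should be confirmed against the syslog-ng version in use. The header-splitting regex, the source name s_sys and the log file path are this example's own choices.

```python
import re

# Constructed sample lines; the first is the beginning of the line quoted in the post,
# the second is a made-up trap from a host that is NOT in the wanted list.
SAMPLE_LINE = (
    "Jun 25 11:26:56 sigma snmptrapd[16138]: 192.168.1.230: Enterprise Specific Trap (1) "
    "Uptime: 121 days, 21:32:17.60, OLD-CISCO-TS-MIB::tslineSesType.1.1 = INTEGER: telnet(5)"
)
OTHER_HOST_LINE = (
    "Jun 25 11:27:10 sigma snmptrapd[16138]: 192.168.1.240: Enterprise Specific Trap (1) "
    "Uptime: 3 days, 01:02:03.04"
)

# BSD syslog layout as written to a file: <timestamp> <host> <program>[<pid>]: <message>
# (assumed layout for this example; the named groups mirror syslog-ng macro names).
HEADER_RE = re.compile(
    r"^(?P<DATE>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<HOST>\S+) "
    r"(?P<PROGRAM>[^\[\s:]+)(?:\[(?P<PID>\d+)\])?: "
    r"(?P<MESSAGE>.*)$"
)

# The hosts from the question and the regex exactly as written in the post.
TRAP_HOSTS = ["192.168.0.230", "192.168.0.231", "192.168.1.230", "192.168.1.231", "192.168.1.232"]
ORIGINAL_PATTERN = (
    r"snmptrapd\[[0-9]{1,5}\]: "
    r"(192.168.0.230|192.168.0.231|192.168.1.230|192.168.1.231|192.168.1.232): "
)


def split_syslog(line):
    """Split one line into DATE, HOST, PROGRAM, PID and MESSAGE (the syslog-ng field names)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    return m.groupdict()


def host_pattern(hosts):
    """Regex for the MESSAGE part only: anchored at its start, with every dot made literal.

    '[.]' is used instead of '\\.' so the pattern needs no backslashes when pasted into a
    double-quoted syslog-ng config string; an unescaped '.' would match any character.
    """
    return "^(" + "|".join(h.replace(".", "[.]") for h in hosts) + "): "


def matches_message(pattern, line):
    """Apply a match()-style regex to the MESSAGE part of a line (the assumed match() target)."""
    fields = split_syslog(line)
    return re.search(pattern, fields["MESSAGE"]) is not None


def syslog_ng_snippet(name, hosts, logfile="/var/log/snmptrap-hosts.log", source="s_sys"):
    """Render filter, destination and log statements that route traps from `hosts` to one file.

    The program() filter already restricts to snmptrapd, so the match() regex only has to
    describe the message body. Source name and file path are placeholders for this example.
    """
    return "\n".join([
        'filter f_%s { program("snmptrapd") and match("%s"); };' % (name, host_pattern(hosts)),
        'destination d_%s { file("%s"); };' % (name, logfile),
        "log { source(%s); filter(f_%s); destination(d_%s); };" % (source, name, name),
    ])


if __name__ == "__main__":
    print(split_syslog(SAMPLE_LINE))
    print("original pattern vs MESSAGE:", matches_message(ORIGINAL_PATTERN, SAMPLE_LINE))
    print("message-only pattern vs MESSAGE:", matches_message(host_pattern(TRAP_HOSTS), SAMPLE_LINE))
    print(syslog_ng_snippet("snmptrap_hosts", TRAP_HOSTS))
```

Under the stated assumption the regex from the post never fires, because "snmptrapd[16138]: " is part of the header rather than the message, while the message-only pattern does fire for the listed hosts and stays silent for 192.168.1.240. If the running syslog-ng turns out to match the whole line including the header, the anchored message-only pattern still needs the "^" dropped; checking one real line with a small harness like this before editing syslog-ng.conf is cheaper than guessing.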
participants (1)
-
Brian Ipsen