Hey all,

I'm new to the list, and fairly new to syslog-ng, so I hope I'm not asking a VFAQ (although a perusal of the documentation and the mailing list archives suggests that I'm not, so here goes).

I have a server (dnps-linux2) that is set up as an SNMP trap receiver (Net-SNMP 5.0.3). Traps are then reformatted and sent to the local host's syslog service (via logger(2), I think). They arrive using facility local0. This part works.

The part that sucks is that the IP address of the original trap sender is embedded in the $MSG portion of the entry. Here's an example:

    Mar 12 15:33:47 dnps-linux2 snmptrapd[797]: 128.206.169.240: Enterprise Specific Trap (blah blah blah)

I'm trying to set up a destination that will split these up by sender, but $HOST always returns "dnps-linux2". $PROGRAM will return snmptrapd. I need to do something like this:

    source s_sys { (all the usual sources) };
    filter f_snmptrap { facility(local0) and program(snmptrapd); };
    destination d_snmptrap { file("/usr/log/traps/$SENDER/$YEAR.$MONTH.$DAY.traps"); };
    log { source(s_sys); filter(f_snmptrap); destination(d_snmptrap); };

In the examples above, $SENDER should resolve to "128.206.169.240", perhaps by somehow matching $MSG against "^(\d+\.\d+\.\d+\.\d+):". Is this possible in any version of syslog-ng? I'm currently running 1.5.25 (on RedHat 7.3), but I don't have any qualms about upgrading if I can get this function (which I assume would go in the filter{} clause?).

Any help is appreciated. Thanks!

Justin McNutt
Network Systems Analyst
DNPS, Mizzou Telecom
(573) 882-5183

In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
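One way to get the per-sender split the post asks for, added here as an example and not taken from the post or any reply to it: it assumes syslog-ng 3.7 or later (the regexp-parser), so it does not apply to the 1.5.25 the poster runs, and the names p_sender, .snmp.sender, f_has_sender, f_no_sender and d_trap_nosender are made up for the example. It also goes one step past the question by guarding the directory name, since that name is taken from message text that any trap sender can influence.

```conf
@version: 3.7
# Added example, not from the post. Requires syslog-ng 3.7+ (regexp-parser).
# Names p_sender, .snmp.sender, f_has_sender, f_no_sender, d_trap_nosender
# are assumptions made for this example.
source s_sys { system(); internal(); };

filter f_snmptrap { facility(local0) and program("snmptrapd"); };

# Accept only messages whose text starts with a dotted quad followed by ":".
# The anchored character class is what keeps the file path below safe: only
# digits and dots from the message can reach the directory name, so a trap
# whose text starts with "../" or contains a space cannot leave /usr/log/traps.
filter f_has_sender {
    match("^[0-9]{1,3}([.][0-9]{1,3}){3}:" value("MESSAGE"));
};
filter f_no_sender { not filter(f_has_sender); };

# Copy the leading address out of $MESSAGE into the name-value pair
# ${.snmp.sender}. A parser that fails to match drops the message from
# its log path, which is why f_has_sender is checked first.
parser p_sender {
    regexp-parser(
        prefix(".snmp.")
        patterns("^(?<sender>[0-9]{1,3}([.][0-9]{1,3}){3}):")
    );
};

# One file per sender and day; create-dirs(yes) creates the sender directory.
destination d_snmptrap {
    file("/usr/log/traps/${.snmp.sender}/${YEAR}.${MONTH}.${DAY}.traps"
         create-dirs(yes));
};

# Traps with no leading address are kept here instead of being lost.
destination d_trap_nosender {
    file("/usr/log/traps/unparsed/${YEAR}.${MONTH}.${DAY}.traps"
         create-dirs(yes));
};

log {
    source(s_sys); filter(f_snmptrap); filter(f_has_sender);
    parser(p_sender); destination(d_snmptrap);
};

log {
    source(s_sys); filter(f_snmptrap); filter(f_no_sender);
    destination(d_trap_nosender);
};
```

The address written into the path comes from the trap text, not from the packet that delivered it, so the directory name is only as trustworthy as snmptrapd's reformatting; the "unparsed" file is where to look when a sender's traps seem to be missing.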