syslog-ng & BSD Relay Host
Hello, I'm having some trouble with a BSD relay host, and wonder if anyone out there may have a solution.

The relay picks up messages from routers, switches, PIXes, etc. and sends them via UDP (standard syslog daemon) to a central syslog-ng host. The messages 'on the wire' look like this (tcpdump output):

Forwarded from host.domain: Oct 27 2003 09:43:47: %PIX-4-106023: Msg ...

So the hostname in the syslog message is 'Forwarded from host.domain'. This appears to be interpreted by syslog-ng as 'Forwarded', which adheres (as it should) to RFC 3164.

I'm splitting up the logs based on hostname, so I'd like to be able to log to a file named after the host which sent the log. So far all of my playing around with options has resulted in either:

1) logs go to a file named relayhost with the entry:

relayhost from host.domain: Oct 27 2003 09:43:47: %PIX-4-106023: Message

so this is just the message on the wire with 'relayhost' in place of 'Forwarded',

2) logs go to a file named 'Forwarded' with the entry:

Forwarded from host.domain: Oct 27 2003 09:43:47: %PIX-4-106023: Message

so the word 'Forwarded' is taken to be the hostname, or

3) logs go to a file named 'Forwarded' with the entry:

Forwarded/relayhost from host.domain: Oct 27 2003 09:43:47: %PIX-4-106023: Message

so the hostname still appears to be 'Forwarded', but the chaining options also show the relay host.

What I would like is to have the logs placed in a file named after the original sender (host.domain in the tcpdump output above). Is this possible? All my attempts have relied on using global options and file templates - I haven't looked at using filters yet, so maybe this is what I need to do.

This appears to be a BSD problem, as it modifies the actual message before relaying it on, but I cannot find an option to stop BSD syslog from doing this.

Any thoughts?

Thanks
Phil
participants (1)
-
Philip Webster
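The parsing problem described in the post, as an added example that is not part of the original thread: a plain RFC 3164 header split takes the first token ("Forwarded") as the hostname, while a second pass over the relay's "Forwarded from X:" prefix recovers the original sender, and the recovered name is validated before it is turned into a file name, since it comes straight off the wire. The sample lines, the PRI values and the log directory are constructed assumptions; only the first line's text is modelled on the tcpdump output quoted above.

```python
import re

# Constructed sample input modelled on the tcpdump output quoted in the post
# (the <PRI> prefixes and the second two lines are assumptions, not from the post).
SAMPLE_LINES = [
    "<164>Forwarded from host.domain: Oct 27 2003 09:43:47: %PIX-4-106023: Msg ...",
    "<166>Forwarded from sw1.domain: Oct 27 2003 09:43:51: %LINK-3-UPDOWN: Interface Fa0/1 down",
    "<13>Oct 27 09:45:00 relayhost sshd[123]: Accepted publickey for admin",
]

# RFC 3164 header as a BSD-syslog parser reads it: optional <PRI>, optional
# "Mmm dd hh:mm:ss" timestamp, then the first whitespace-delimited token is
# the HOSTNAME. "Oct 27 2003 09:43:47:" is not a valid RFC 3164 timestamp,
# so on a relayed line the hostname field becomes "Forwarded".
RFC3164_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?P<host>\S+) ?(?P<msg>.*)$"
)
# The prefix the BSD relay prepends to every message it forwards.
FORWARDED = re.compile(r"^Forwarded from (?P<orig>[^\s:]+): (?P<msg>.*)$")
# Hostnames arrive from the network, so validate before using one as a file name.
SAFE_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def parse_rfc3164(line):
    """Return (host, msg) the way a plain RFC 3164 parser sees the line."""
    m = RFC3164_HEADER.match(line)
    if not m:
        raise ValueError("not a syslog line")
    return m.group("host"), m.group("msg")


def original_sender(line):
    """Return (host, msg, relayed): unwrap the relay's 'Forwarded from' prefix
    if present, otherwise fall back to the RFC 3164 HOSTNAME field."""
    host, msg = parse_rfc3164(line)
    f = FORWARDED.match(host + " " + msg)
    if f:
        return f.group("orig"), f.group("msg"), True
    return host, msg, False


def log_path_for(host, base="/var/log/hosts"):
    """Map a host to its log file, refusing anything that is not a bare
    hostname ("/" or ".." would otherwise escape the log directory)."""
    if not SAFE_HOST.match(host) or ".." in host:
        raise ValueError(f"refusing unsafe hostname {host!r}")
    return f"{base}/{host}.log"
```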