Running OSE version 3.38.1 and having difficulty with a rewrite rule. The logs that I'm trying to modify look like:

    2024-09-12T06:39:31-05:00 hostname kernel: [*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML] ...

What I am trying to do is remove the extra timestamp in square brackets (the first field in square brackets above). My rewrite rule looks like:

    rewrite r_bracketed_ts {
        subst( '^[.+]\s', '', type(pcre), value("MESSAGE"));
    };

It is invoked from this log statement:

    log {
        source(s_BSD_UDP_514);
        filter(f_something);
        rewrite(r_bracketed_ts);
        destination(d_something);
        flags(final,flow-control);
    };

The problem is that the rewrite appears to do nothing; log entries come out unmodified. Am I missing something?

Thank you - Jon Wilson
The square brackets are special characters in a pcre expression and need to be escaped. The other tricky thing is that pcre expressions are greedy. By that I mean that this will match the first [ and then the LAST ], so in your example the following would be removed:

    [*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML]

or more if there is another ] in the message.

The expression you are looking for is:

    subst( '^\[\*\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+\]\s', '', type(pcre), value("MESSAGE"));

-- Evan

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Wilson, Jonathan L <jonathan.wilson@vumc.org>
Sent: September 12, 2024 4:49 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] rewrite in syslog-ng
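As an added illustration that is not part of the thread, the three candidate patterns are run against the bracketed message with Python's re module, which treats these PCRE constructs (character classes, greedy .+, \d{n}, anchors) the same way syslog-ng's pcre subst() does. The MESSAGE value assumes syslog-ng's default BSD parsing has already moved "kernel" into PROGRAM, and the trailing text after the second bracket is constructed.

```python
import re

# Constructed sample of the $MESSAGE part of the log line from the question
# (everything after "kernel: "); "message text" stands in for the elided rest.
MESSAGE = "[*09/12/2024 11:39:31.9055] bwar: [7649:I:CN_ML] message text"

# The pattern from the question: an unescaped [...] is a character class that
# matches a single '.' or '+' at the start of the message, so it never matches
# a line that begins with '[' and the message is left untouched.
ORIGINAL = r'^[.+]\s'

# Escaping the brackets but keeping a greedy .+ removes everything through the
# LAST "] " in the message, i.e. the process tag as well as the timestamp.
GREEDY = r'^\[.+\]\s'

# The fully specified, anchored pattern from the reply: only the bracketed
# timestamp field can match, whatever follows it.
SPECIFIC = r'^\[\*\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+\]\s'


def apply_subst(pattern: str, message: str) -> str:
    """Emulate subst(pattern, '', type(pcre), value("MESSAGE")) on one message.

    syslog-ng's subst() replaces only the first match unless the global flag
    is set, which count=1 mirrors here.
    """
    return re.sub(pattern, "", message, count=1)


def compare(message: str) -> dict:
    """Return the result of each candidate rewrite for a single message."""
    candidates = (("original", ORIGINAL), ("greedy", GREEDY), ("specific", SPECIFIC))
    return {name: apply_subst(pattern, message) for name, pattern in candidates}


if __name__ == "__main__":
    for name, out in compare(MESSAGE).items():
        print(f"{name:9s}: {out!r}")
```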