Linux or OS fingerprint filter
Pretty sure I know the answer but just maybe.. Anyone have a solution for OS fingerprint type filters? Solaris, Linux vs Cisco for example. Immediate need is to pluck all Linux hosts from 514. Thanks! Scot
Hi,

You can try to use hostnames, but if the message does not have hostname info, then you can't decide. Without any additional information in the log message coming from the hosts I don't know how to do it. But for this you would need to control the message format of every host that can send messages to your server.... Otherwise it would be easy using tags locally at the specific sources: https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-n...

Regards,
Gabor

On Wed, Mar 28, 2018 at 6:29 PM, Scot <scotrn@gmail.com> wrote:
> Pretty sure I know the answer but just maybe..
> Anyone have a solution for OS fingerprint type filters? Solaris, Linux vs Cisco for example.
> Immediate need is to pluck all Linux hosts from 514.
> Thanks! Scot
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On Wed, Mar 28, 2018 at 12:29:00PM -0400, Scot wrote:
> Pretty sure I know the answer but just maybe..
> Anyone have a solution for OS fingerprint type filters? Solaris, Linux vs Cisco for example.
> Immediate need is to pluck all Linux hosts from 514.
FWIW we use facter (puppet) to add this kind of information as RFC5424 key/values to every outgoing message.
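Both replies come down to the same point: a receiver on port 514 can only sort senders by what the sender puts into the message, either a hostname the operator can match against a local naming scheme (Gabor's fallback) or structured data the sender adds about itself (Fabien's facter approach). The Python below is an added example for this thread, not code from the list or from syslog-ng: it parses RFC 5424 messages, prefers an OS family carried in a structured-data element, falls back to a hostname prefix convention, and answers "unknown" when neither is present. The SD-ID os@32473 (32473 is the enterprise number reserved for documentation by RFC 5612), the PARAM-NAMEs family/release, the hostname prefixes and the sample messages are all constructed for this example.

```python
"""Sort syslog senders by OS from what the message itself carries.

Added example (not syslog-ng code). Evidence, in order of preference:
  1. an RFC 5424 SD-ELEMENT the sender adds itself (facter-fed fields),
  2. a hostname prefix convention (matching hostnames at the receiver).
With neither the answer is 'unknown'. Nothing here verifies the sender.
"""
import re

# Assumed SD-ID / PARAM-NAME for this example; 32473 is the enterprise
# number reserved for documentation (RFC 5612).
OS_SDID = "os@32473"
OS_PARAM = "family"

# Constructed sample lines in RFC 5424 layout:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SAMPLE_MESSAGES = [
    '<13>1 2018-03-28T12:29:00Z web01 sshd 1201 - '
    '[os@32473 family="Linux" release="CentOS 7"] Accepted publickey for scot',
    '<13>1 2018-03-28T12:29:01Z db02 - - - '
    '[os@32473 family="Solaris" release="11.3"] zone boot',
    '<189>1 2018-03-28T12:29:02Z rtr-core-01 - - - - '
    '%SYS-5-CONFIG_I: Configured from console',
    '<13>1 2018-03-28T12:29:03Z lnx-batch-07 cron 55 - - (root) CMD (run-parts)',
    '<13>1 2018-03-28T12:29:04Z - - - - - message with no hostname',
]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; values may contain
# spaces and the escapes \" \\ \] defined by RFC 5424.
SD_ELEMENT_RE = re.compile(
    r'\[(?P<sdid>[^\s\]=]+)(?P<params>(?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]'
)
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')

# Assumed local naming convention: a heuristic, not a fingerprint.
HOSTNAME_HINTS = [
    (re.compile(r"^(lnx|linux)-", re.I), "Linux"),
    (re.compile(r"^(sol|sun)-", re.I), "Solaris"),
    (re.compile(r"^(rtr|sw|asa)-", re.I), "Cisco"),
]


def _unescape(value):
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_rfc5424(line):
    """Return hostname (None for the nil value '-'), structured data and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    rest = m.group("rest")
    sdata = {}
    if rest == "-" or rest.startswith("- "):
        msg = rest[1:].lstrip()          # NILVALUE: no structured data
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            em = SD_ELEMENT_RE.match(rest, pos)
            if not em:
                raise ValueError("malformed SD-ELEMENT at offset %d" % pos)
            sdata[em.group("sdid")] = {
                k: _unescape(v) for k, v in SD_PARAM_RE.findall(em.group("params"))
            }
            pos = em.end()
        msg = rest[pos:].lstrip()
    host = m.group("hostname")
    return {"hostname": None if host == "-" else host, "sdata": sdata, "msg": msg}


def classify_os(parsed):
    """Return (os_family, evidence); evidence is 'sdata', 'hostname' or 'none'."""
    params = parsed["sdata"].get(OS_SDID, {})
    if OS_PARAM in params:
        return params[OS_PARAM], "sdata"
    host = parsed["hostname"]
    if host:
        for pattern, family in HOSTNAME_HINTS:
            if pattern.search(host):
                return family, "hostname"
    return "unknown", "none"


def linux_hosts(lines):
    """Hostnames of messages classified as Linux, in input order."""
    hosts = []
    for line in lines:
        parsed = parse_rfc5424(line)
        family, _ = classify_os(parsed)
        if family == "Linux" and parsed["hostname"]:
            hosts.append(parsed["hostname"])
    return hosts


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        parsed = parse_rfc5424(line)
        family, evidence = classify_os(parsed)
        print("%-14s %-8s via %s" % (parsed["hostname"], family, evidence))
    print("Linux hosts:", linux_hosts(SAMPLE_MESSAGES))
```

The selection is only as trustworthy as the sender: on plain UDP or TCP 514 nothing authenticates the HOSTNAME or the SD-ELEMENT, so any host can claim any OS, and a message with a nil hostname and no structured data cannot be placed at all, which is exactly the case Gabor describes. Inside syslog-ng the same test on the structured-data field would be a filter on the `${.SDATA.os@32473.family}` macro and the fallback a `host()` filter, both assuming the constructed names used here.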
Participants (3):
- Fabien Wernli
- Nagy, Gábor
- Scot