On Mon, Oct 01, 2018 at 10:50:02AM +0200, Joel Carnat wrote: > Thank you very much for this detailed explanation. > This makes it very clear now. I'll write my patterns the "syslog-ng way" :) you're welcome! If you're in a hurry, there *is* a grok parser in the syslog-ng incubator…