In PAN tarffic, where we are trying to exclude events with "block-untst-rule" string. PAN traffic logs are configured to receive in syslog server. I tried to use filter in syslog-ng config as shown below.  filter exclogs { not match("block\\-untst\\-rule"); }; log {source(s_syslog_pa_cloud); filter {exclogs}; destination(d_syslog_pa_cloud); }; Other way we tried is by using props.conf and transforms.conf props.conf [pan:traffic] TRANSFORMS-set = setnull transforms.conf [setnull] REGEX = block\\-untst\\-rule DEST_KEY = queue FORMAT = nullQueue Both ways we are not able to exclude the events from ingesting. Please do assist. ... View more