diff --git a/deploy/syslog-ng-btest.conf b/deploy/syslog-ng-btest.conf
index dffb991..ad698ae 100644
--- a/deploy/syslog-ng-btest.conf
+++ b/deploy/syslog-ng-btest.conf
@@ -3,22 +3,25 @@
 #
 # Copy to: /var/data/syslogng/config/conf.d/btest.conf
 # Or append to your main syslog-ng.conf
+#
+# Note: uses message-based matching (not program()) because
+# MikroTik sources use flags(no-parse) which skips program extraction.
 
 # Filter for btest-rs messages
 filter f_btest {
-    program("btest-rs");
+    match("btest-rs:" value("MESSAGE"));
 };
 
 # Filter subcategories
 filter f_btest_auth {
-    program("btest-rs") and (
+    match("btest-rs:" value("MESSAGE")) and (
         match("AUTH_SUCCESS" value("MESSAGE")) or
         match("AUTH_FAILURE" value("MESSAGE"))
     );
 };
 
 filter f_btest_test {
-    program("btest-rs") and (
+    match("btest-rs:" value("MESSAGE")) and (
         match("TEST_START" value("MESSAGE")) or
         match("TEST_END" value("MESSAGE")) or
         match("TEST_RESULT" value("MESSAGE"))