From 7bc54a977c4bb3e9420863a2448f652365f0a5b7 Mon Sep 17 00:00:00 2001
From: Siavash Sameni
Date: Wed, 1 Apr 2026 08:56:48 +0400
Subject: [PATCH] Fix syslog-ng filter: match on MESSAGE not program()

With flags(no-parse) on the source, syslog-ng doesn't extract the program name. Use match("btest-rs:" value("MESSAGE")) instead.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 deploy/syslog-ng-btest.conf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/deploy/syslog-ng-btest.conf b/deploy/syslog-ng-btest.conf
index dffb991..ad698ae 100644
--- a/deploy/syslog-ng-btest.conf
+++ b/deploy/syslog-ng-btest.conf
@@ -3,22 +3,25 @@
 #
 # Copy to: /var/data/syslogng/config/conf.d/btest.conf
 # Or append to your main syslog-ng.conf
+#
+# Note: uses message-based matching (not program()) because
+# MikroTik sources use flags(no-parse) which skips program extraction.
 
 # Filter for btest-rs messages
 filter f_btest {
- program("btest-rs");
+ match("btest-rs:" value("MESSAGE"));
 };
 
 # Filter subcategories
 filter f_btest_auth {
- program("btest-rs") and (
+ match("btest-rs:" value("MESSAGE")) and (
 match("AUTH_SUCCESS" value("MESSAGE")) or
 match("AUTH_FAILURE" value("MESSAGE"))
 );
 };
 
 filter f_btest_test {
- program("btest-rs") and (
+ match("btest-rs:" value("MESSAGE")) and (
 match("TEST_START" value("MESSAGE")) or
 match("TEST_END" value("MESSAGE")) or
 match("TEST_RESULT" value("MESSAGE"))
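Review bot: The new `match("btest-rs:" value("MESSAGE"))` in `f_btest`, `f_btest_auth` and `f_btest_test` is an unanchored pattern over the whole unparsed line, so any message arriving on that source whose text merely contains `btest-rs:` (for instance a user-controlled field echoed by another program) is classified as a btest event, including into the auth stream. Because `flags(no-parse)` leaves the header inside MESSAGE, consider also restricting by sender, e.g. `netmask(<BTEST_SENDER_CIDR>) and match("btest-rs:" value("MESSAGE"));`, or anchoring the pattern to where the tag sits in the raw line. The source definition and the log format are not visible here, so the exact anchor needs checking against real messages. The two sub-filters could then use `filter(f_btest) and (...)` so the tightened condition lives in one place. The `f_btest_test` block continues past the end of the hunk.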