That's right, the value() parameter specifies which part of the message to
check. This helps to cut down the performance cost of filtering, because there
is no need to process the entire message if you are filtering on the program
name, for example. 

Also, check the syslog-ng Administrator Guide
(http://www.balabit.com/support/documentation/?product=syslog-ng&type=all&language[en]=en&;)
if you run into problems. And let me know if you do not find something that
should be in the guide so I can add it some time.

Regards, 

Robert Fekete
maintainer of the syslog-ng documentation
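
The value() usage described in the message above, as an added example that is not part of the original e-mail or of the syslog-ng documentation. It is a fragment for an existing syslog-ng 3.x configuration; the source name s_local, the filter and destination names, the patterns and the file path are assumptions chosen for illustration.

```conf
# Assumes a source named s_local is already defined elsewhere in syslog-ng.conf.

# Check only the program-name field: the pattern is never run
# against the message text.
filter f_sshd_program {
    match("^sshd$" value("PROGRAM"));
};

# Check only the message text for a failed-login string.
filter f_failed_password {
    match("Failed password" value("MESSAGE"));
};

# Hypothetical destination for the matching events.
destination d_sshd_failed {
    file("/var/log/sshd-failed.log");
};

# The filters are applied in the order listed: the check on the short
# PROGRAM field runs first, so the message text of other programs
# is not searched by the second filter.
log {
    source(s_local);
    filter(f_sshd_program);
    filter(f_failed_password);
    destination(d_sshd_failed);
};
```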