Got it. Here is the final working rule (taken out of context):

    pass in log first quick on bge0 proto tcp from any to <ip_addr> port = 22 flags S keep state group 2 set-tag (log=1)

The question still stands, though - is anyone using this functionality? I think it's great and will help immensely with my log parsing scripts.

-jwb
