I came across a reference a while back on a paper discussing log checking. It discussed the right way to exclude syslog messages, along the lines of: exclude everything that is known, so that you will be left with the unknown, as opposed to something like the opposite. Ring a bell with anyone?
Don
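
The approach described in the post above (discard every syslog line that matches a known pattern and review whatever is left), as an added example that is not part of the original post or the paper it refers to. The allowlist patterns, the sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed allowlist of known-benign message shapes (assumptions, not from the post).
KNOWN = [re.compile(p) for p in (
    r"^sshd: Accepted publickey for \w+ from \S+ port # ssh2$",
    r"^CRON: \(\w+\) CMD \(.*\)$",
    r"^systemd: Started .*\.$",
)]

# Classic BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s([^\s:\[]+)(?:\[\d+\])?:\s(.*)$")

def normalize(line):
    """Drop timestamp, host and PID and replace standalone numbers with '#',
    so repeated events collapse into one shape. Lines that do not parse are
    returned unchanged so they surface as unknown instead of being lost."""
    m = LINE.match(line)
    if not m:
        return line
    _host, tag, msg = m.groups()
    return f"{tag}: " + re.sub(r"\b\d+\b", "#", msg)

def unknown_events(lines):
    """Return a Counter of normalized shapes that match no known pattern."""
    counts = Counter()
    for line in lines:
        shape = normalize(line.rstrip("\n"))
        if not any(p.match(shape) for p in KNOWN):
            counts[shape] += 1
    return counts

# Constructed sample input.
SAMPLE = [
    "Mar  3 02:10:01 web1 CRON[4121]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)",
    "Mar  3 02:11:45 web1 sshd[4188]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Mar  3 02:12:09 web1 sshd[4190]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Mar  3 02:12:11 web1 sshd[4191]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2",
    "Mar  3 02:13:00 web1 kernel: Out of memory: Killed process 4242 (java)",
    "garbled line without syslog header",
]

if __name__ == "__main__":
    # Most frequent unknown shapes first; each one is either investigated
    # or, once understood, added to KNOWN.
    for shape, n in unknown_events(SAMPLE).most_common():
        print(f"{n:5d}  {shape}")
```

Each shape in the output is either investigated or, once understood as routine, added to the allowlist, so the report shrinks toward only the events nobody has explained yet.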