diff --git a/conf.d/13-snort.conf b/conf.d/13-snort.conf
index 9b60c2910689abf632500bb42b686a2aaec55f31..e5492ea03c496cf559dda796b4a8b4be6ac33e6c 100644
--- a/conf.d/13-snort.conf
+++ b/conf.d/13-snort.conf
@@ -1,6 +1,6 @@
 # 13-snort.conf
 filter {
- if "pf" in [tags] and [application] =~ /^snort/ {
+ if "pf" in [tags] and [syslog_program] =~ /^snort/ {
 mutate {
 add_tag => [ "Snort" ]
 }
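Review bot: The new condition on the `if` line depends on `[syslog_program]`, but nothing visible here shows where that field is populated. If an upstream filter does not set it for every pf-tagged event, Snort alerts will silently skip this block and never receive the "Snort" tag, and no error is raised. I would add a comment above the conditional, for example `# [syslog_program] must be set by the syslog parsing stage that runs before this file; events without it are not tagged "Snort"`. The pattern `/^snort/` is a case-sensitive prefix match with no end anchor, so any program name that merely starts with "snort" is accepted; it is worth confirming that is intended. The `filter` and `if` blocks continue past the end of the hunk.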