diff --git a/conf.d/11-firewall.conf b/conf.d/11-firewall.conf
index e57e1bb262435cfca4bd6c75dec72456b3d1b595..e4c680de0f7a2a094431d70a2a81c293f7c3c4d5 100644
--- a/conf.d/11-firewall.conf
+++ b/conf.d/11-firewall.conf
@@ -1,6 +1,6 @@
 # 11-firewall.conf
 filter {
-  if "pf" in [tags] and [application] =~ /^filterlog$/ {
+  if "pf" in [tags] and [syslog_program] =~ /^filterlog$/ {
     mutate {
       remove_field => [ "msg", "datetime" ]
     }