Monday, November 14, 2011

Syslog-ng and firewall filtering

So, I use Sagan to pipe firewall hits to a database. One of the challenges is filtering out certain IP addresses. The filter below worked for me:

filter f_firewall {
    # A message is dropped only when all three conditions hold;
    # everything else (e.g. Permit lines, other programs) passes.
    not (
        # program() and message() without type() are unanchored regex
        # matches, so "firewall" also matches a program name containing it.
        program("firewall" flags(ignore-case))
        and message("Deny" flags(ignore-case))
        and (
            # type(string) flags(substring) is a literal match anywhere in
            # the message, so "10.192.168.5" or a destination address in
            # 192.168.0.0/16 is matched as well.
            message('192.168.' type(string) flags(substring))
            or message('169.254.' type(string) flags(substring))
        )
    );
};
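To see what this filter keeps and drops before wiring it into a log path, here is an added Python model of its matching rules run over constructed sample lines (example code written for this note, not part of the original post or of syslog-ng). The host name "fw1", the program name "firewall" and the firewall's message format are assumptions.

```python
import re

# Constructed BSD-syslog (RFC 3164) style lines, as syslog-ng might receive
# them from a firewall; not taken from the original post.
SAMPLE_LINES = [
    "Nov 14 10:01:02 fw1 firewall: Deny tcp src 192.168.1.10:4455 dst 10.0.0.5:22",
    "Nov 14 10:01:03 fw1 firewall: Deny udp src 169.254.3.7:137 dst 10.0.0.255:137",
    "Nov 14 10:01:04 fw1 firewall: Deny tcp src 203.0.113.9:51000 dst 10.0.0.5:443",
    "Nov 14 10:01:05 fw1 firewall: Permit tcp src 192.168.1.10:4456 dst 10.0.0.5:80",
    "Nov 14 10:01:06 fw1 FIREWALL: DENY tcp src 10.192.168.5:2000 dst 10.0.0.5:25",
    "Nov 14 10:01:07 fw1 sshd[812]: Accepted publickey for admin from 192.168.1.10",
]

# "Mon DD HH:MM:SS host program[pid]: message"  (pid part optional)
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?: (?P<message>.*)$"
)

# The two substrings the post's filter ignores on Deny lines.
IGNORED_SUBSTRINGS = ("192.168.", "169.254.")


def parse(line):
    """Split a syslog line into syslog-ng's PROGRAM and MESSAGE fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a recognised syslog line: %r" % line)
    return m.group("program"), m.group("message")


def f_firewall(program, message):
    """Model of filter f_firewall: True means the message passes (is kept)."""
    # program("firewall" flags(ignore-case)): unanchored, case-insensitive
    is_firewall = "firewall" in program.lower()
    # message("Deny" flags(ignore-case)): unanchored, case-insensitive
    is_deny = "deny" in message.lower()
    # message('...' type(string) flags(substring)): literal, anywhere in MSG,
    # so "10.192.168.5" is matched just like "192.168.1.10"
    has_ignored_ip = any(s in message for s in IGNORED_SUBSTRINGS)
    return not (is_firewall and is_deny and has_ignored_ip)


def apply_filter(lines):
    """Return the lines that would reach the log path's destination."""
    return [line for line in lines if f_firewall(*parse(line))]


if __name__ == "__main__":
    for line in apply_filter(SAMPLE_LINES):
        print("KEEP:", line)
```

Running it keeps the public-source Deny line, the Permit line and the sshd line, and drops the three Deny lines, including the one whose source address merely contains "192.168.".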