You can use the Adapter Scripting Language (ASL) to modify the local copy of my_hook_syslog.asl or to create a new hook file. The basic components of a custom processing file for the Syslog Adapter are explained below:

debug = FALSE;
ASLNAME = " ".getRuleFileName ().": ";
DISCARD = "TRUE";
CLEAR_SYSLOG = "FALSE";
BATCH_NOTIFY_INTERVAL = 10;
// Output variables : This section has all default settings.
CLASSNAME = "Syslog";
INSTANCENAME = "";
EVENTNAME = "";
SEVERITY = "2";
EVENTTEXT = "";
CATEGORY = "";
EXPIRATION = "7200";
STATE = "";
INMAINTENANCE = "FALSE";
CLEARONACKNOWLEDGE = "TRUE";
EVENTTYPE = "";
USERDEFINED1 = "";
USERDEFINED2 = "";
USERDEFINED3 = "";
USERDEFINED4 = "";
USERDEFINED5 = "";
USERDEFINED6 = "";
USERDEFINED7 = "";
USERDEFINED8 = "";
USERDEFINED9 = "";
USERDEFINED10 = "";
ELEMENTCLASSNAME = "";
ELEMENTNAME = "";
SYSNAMEORADDR = "";
UNKNOWNAGENT = "IGNORE";
LOGFILE = "NONE"; 
// Aggregate Section : 
AGG_EVENTNAME = "";
AGG_ELEMENTNAME = "";
AGG_EVENTTEXT = "";

The values of the output variables populate the attributes of the standard notification created when the syslog message is imported. The variable names correspond directly to the standard notification’s attribute names.

The Syslog Adapter populates these variables when the syslog entry is parsed:

// Input Variables
SYSLOGTIME = "";
HOST = "";
APPLICATION_NAME = "";
PROCESS_ID = "";
MESSAGE = "";

The START rule uses the text parsed from the syslog entry (MESSAGE) as its input, prints the input variables when debug is TRUE, calls the PARSE_MESSAGE and MODIFY_ATTRIBUTES rules, calls CUSTOM_RULE as an optional rule (the trailing ? means a failed match in CUSTOM_RULE does not fail START), prints a completion message, and returns when processing is complete:

START {
    input = MESSAGE;
    do {
        if (debug) { print(time().ASLNAME."SYSLOGTIME       = ".SYSLOGTIME); }
        if (debug) { print(time().ASLNAME."HOST             = ".HOST); }
        if (debug) { print(time().ASLNAME."APPLICATION_NAME = ".APPLICATION_NAME); }
        if (debug) { print(time().ASLNAME."PROCESS_ID       = ".PROCESS_ID); }
        if (debug) { print(time().ASLNAME."MESSAGE          = ".MESSAGE); }
    }
    PARSE_MESSAGE
    MODIFY_ATTRIBUTES
    CUSTOM_RULE?
} do {
    if (debug) { print(time().ASLNAME."Done with my_hook_syslog.asl "); }
    return;
}

The CUSTOM_RULE rule is an example of a rule that performs further customization. Its pattern saves the text before the first colon as unusedPrefix and the rest of the line as msgDescription; a message with no colon makes the pattern fail, which is why START calls it as CUSTOM_RULE? rather than unconditionally:

CUSTOM_RULE {
    unusedPrefix:rep(notany(":")) ":" /* consume chars up to : */
    msgDescription:rep(word) eol
} do {
    if (debug) { print(time().ASLNAME."Executing CUSTOM_RULE");}
}

This PARSE_MESSAGE rule has an empty pattern and only saves the first 30 characters of MESSAGE in the variable slice, which MODIFY_ATTRIBUTES later uses as the EVENTNAME:

PARSE_MESSAGE {
} do {
    // Use a slice of 30 characters as part of EVENTNAME
    slice = substring(MESSAGE, 0, 30);
}

The MODIFY_ATTRIBUTES rule assigns values to the notification created from the syslog entry. The value of InstanceName is composed of HOST, APPLICATION_NAME, and PROCESS_ID, all of which are values parsed from the syslog entry. The ? LOG suffix on an assignment is the ASL error-handling clause: if the assignment fails, ASL logs the error and continues with the next statement. Note that this rule also changes UNKNOWNAGENT from the declared default of "IGNORE" to "CREATE", so a syslog entry whose HOST does not match an existing element causes a new Host element to be created under that name:

/*
 * MODIFY_ATTRIBUTES Rule:
 * All your customizations are done here. You can use all
 * the Syslog input variables wherever you want them assigned
 * to ICS_Notification attributes.
 * ------------------------------------------------------------ */
MODIFY_ATTRIBUTES {
} do {
    DISCARD = "TRUE";
    CLEAR_SYSLOG = "FALSE";
    BATCH_NOTIFY_INTERVAL = 10;
    CLASSNAME = "Syslog" ? LOG;
    INSTANCENAME = HOST."_".APPLICATION_NAME."_".PROCESS_ID ? LOG;
    EVENTNAME = slice ? LOG;
    SEVERITY = "2" ? LOG;
    EVENTTEXT = MESSAGE ? LOG;
    CATEGORY = "" ? LOG;
    EXPIRATION = "7200" ? LOG;
    STATE = "NOTIFY" ? LOG;
    INMAINTENANCE = "FALSE" ? LOG;
    CLEARONACKNOWLEDGE = "TRUE" ? LOG;
    EVENTTYPE = "DURABLE" ? LOG;
    USERDEFINED1 = "" ? LOG;
    USERDEFINED2 = "" ? LOG;
    USERDEFINED3 = "" ? LOG;
    USERDEFINED4 = "" ? LOG;
    USERDEFINED5 = "" ? LOG;
    USERDEFINED6 = "" ? LOG;
    USERDEFINED7 = "" ? LOG;
    USERDEFINED8 = "" ? LOG;
    USERDEFINED9 = "" ? LOG;
    USERDEFINED10 = "" ? LOG;
    ELEMENTCLASSNAME = "Host";
    ELEMENTNAME = HOST;
    SYSNAMEORADDR = HOST;
    UNKNOWNAGENT = "CREATE";
    LOGFILE = "NONE";
    AGG_EVENTNAME = "AggEvent-".INSTANCENAME;
    AGG_ELEMENTNAME = HOST;
    AGG_EVENTTEXT = "This is an Aggregate Test";
}

You can optionally add logic that compares the input variables and sets the output variables based on them, for example deriving SEVERITY or CATEGORY from APPLICATION_NAME or from keywords in MESSAGE, or setting UNKNOWNAGENT to "CREATE" only for host names you expect to see. Keep in mind that HOST, APPLICATION_NAME, PROCESS_ID and MESSAGE are taken from the syslog entry itself, so they are only as trustworthy as the sender: any source that can deliver syslog to the adapter controls what ends up in ELEMENTNAME, SYSNAMEORADDR and EVENTTEXT.
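The following is an added example of such logic, written for this page rather than taken from the adapter's shipped my_hook_syslog.asl. It keeps the page's rule structure and variable names and additionally uses the ASL built-ins glob() and toLower(), which the page does not show. MANAGED_HOSTS, msgPrefix, msgDescription and the sshd-specific branch are illustrative choices for the example, not adapter conventions. The hook splits MESSAGE into a prefix and a description with a fallback for messages that contain no colon, sets SEVERITY from keywords in the message, gives SSH authentication failures their own event name and category, and creates Host elements only for names in an assumed managed domain, since HOST is copied from the syslog header and is not authenticated.

```asl
/*
 * Example customization of my_hook_syslog.asl (added illustration, not the
 * file shipped with the adapter). The adapter supplies SYSLOGTIME, HOST,
 * APPLICATION_NAME, PROCESS_ID and MESSAGE; everything else is assumed here.
 */
debug = FALSE;
ASLNAME = " ".getRuleFileName().": ";

// Assumed naming pattern for hosts we are willing to create elements for.
// HOST is copied from the syslog header, which any sender can fill in, so
// elements are created only for names that match this pattern.
MANAGED_HOSTS = "*.example.net";

START {
    input = MESSAGE;
    do {
        // Defaults in case PARSE_MESSAGE takes the no-colon alternative.
        msgPrefix = "";
        msgDescription = MESSAGE;
    }
    PARSE_MESSAGE
    MODIFY_ATTRIBUTES
} do {
    if (debug) { print(time().ASLNAME."Done with custom hook"); }
    return;
}

/*
 * PARSE_MESSAGE: split "<prefix>: <description>". The second alternative
 * matches a message with no colon at all, which would otherwise make
 * rep(notany(":")) ":" fail and leave msgDescription unset.
 */
PARSE_MESSAGE {
    {
        msgPrefix:rep(notany(":")) ":" msgDescription:rep(word) eol
      | msgDescription:rep(word) eol
    }
} do {
    // Name the event by the first 30 characters of the description (as the
    // page's hook does with MESSAGE), so similar messages share an event.
    slice = substring(msgDescription, 0, 30);
    if (debug) { print(time().ASLNAME."prefix=".msgPrefix." desc=".msgDescription); }
}

MODIFY_ATTRIBUTES {
} do {
    // Adapter control variables, kept at the values the default hook uses.
    DISCARD = "TRUE";
    CLEAR_SYSLOG = "FALSE";
    BATCH_NOTIFY_INTERVAL = 10;

    CLASSNAME = "Syslog" ? LOG;
    INSTANCENAME = HOST."_".APPLICATION_NAME."_".PROCESS_ID ? LOG;
    EVENTNAME = APPLICATION_NAME."_".slice ? LOG;
    EVENTTEXT = MESSAGE ? LOG;
    CATEGORY = msgPrefix ? LOG;
    EXPIRATION = "7200" ? LOG;
    STATE = "NOTIFY" ? LOG;
    INMAINTENANCE = "FALSE" ? LOG;
    CLEARONACKNOWLEDGE = "TRUE" ? LOG;
    EVENTTYPE = "DURABLE" ? LOG;
    USERDEFINED1 = msgPrefix ? LOG;   // keep the raw prefix for searching

    // Severity from message keywords. Lower numbers are more severe in the
    // standard notification (1 = Critical, 5 = Normal), so the checks run
    // from least to most severe and the last match wins.
    lower = toLower(MESSAGE);
    SEVERITY = "5";
    if (glob("*warn*", lower)) { SEVERITY = "3"; }
    if (glob("*fail*", lower) || glob("*error*", lower) || glob("*denied*", lower)) { SEVERITY = "2"; }
    if (glob("*panic*", lower) || glob("*critical*", lower)) { SEVERITY = "1"; }

    // SSH authentication failures get a fixed event name and category,
    // independent of the keyword mapping, so a policy can match them directly.
    if (APPLICATION_NAME == "sshd" && glob("*failed password*", lower)) {
        EVENTNAME = "SSH_AuthFailure" ? LOG;
        CATEGORY = "Security" ? LOG;
        SEVERITY = "2";
    }

    ELEMENTCLASSNAME = "Host";
    ELEMENTNAME = HOST;
    SYSNAMEORADDR = HOST;
    // Create a new Host element only for names in the managed domain; any
    // other name keeps the declared default of IGNORE.
    UNKNOWNAGENT = "IGNORE";
    if (glob(MANAGED_HOSTS, HOST)) { UNKNOWNAGENT = "CREATE"; }
    LOGFILE = "NONE";

    AGG_EVENTNAME = "AggEvent-".INSTANCENAME;
    AGG_ELEMENTNAME = HOST;
    AGG_EVENTTEXT = "Syslog events from ".APPLICATION_NAME." on ".HOST;
}
```

As the page's own hook does with slice, values set in PARSE_MESSAGE are reused in MODIFY_ATTRIBUTES, which is why PARSE_MESSAGE must stay ahead of MODIFY_ATTRIBUTES in START. The keyword list is deliberately short; extend it from the messages your own hosts actually emit rather than guessing, and keep the glob patterns on the lower-cased copy so case differences between daemons do not split one condition into several severities.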

Whenever you modify the hook script file, you must restart the adapter for the changes to take effect.