The syslog parser supports the message_decoder and extract_sd options and automatically detects two formats: RFC-5424 and RFC-3164.

Configuring the message_decoder Option

All common options and the message_decoder option are available for the syslog parser. By default, only the timestamp and appname fields are extracted. Enable the message_decoder option by setting configuration values in your liagent.ini file to be similar to the following example:

[filelog|data_logs]
directory=D:\Logs
include=*.txt
parser=mysyslog

[parser|mysyslog]
base_parser=syslog
message_decoder=syslog_message_decoder
debug=yes

[parser|syslog_message_decoder]
base_parser=kvp
fields=*

Parsing with the message_decoder Option

The following example shows a sample event and the fields that are added to the event by a syslog parser configured to use the message_decoder option:

  • Sample event:

    2015-09-09 13:38:31.619407 +0400 smith01 john: Fri Dec 5 08:58:26 2014 [pid 26123] [jsmith.net] status_code=FAIL operation=LOGIN: Client "176.31.17.46"
  • Returned by a syslog parser to which the message_decoder option is applied to run a KVP parser:

    timestamp=2015-09-09T09:38:31.619407 appname=john status_code=FAIL operation=LOGIN:

Configuring the extract_sd Option for Parsing Structured Data

To parse structured data, enable the extract_sd option by setting configuration values in your liagent.ini file to be similar to the following example:

[filelog|simple_logs]
directory=/var/log
include=*.txt
parser=syslog_parser

[parser|syslog_parser]
base_parser=syslog
extract_sd=yes

Parsing with the extract_sd Option

The following example shows a sample event and the fields that are added to the event by a syslog parser configured to use the extract_sd option:

  • The sample event: <165>1 2017-01-24T09:17:15.719Z localhost evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"] Found entity IPSet, display name dummy ip set 1411

  • The following fields are added to the event by the syslog parser:

    timestamp=2017-01-24T09:17:15.719000
    pri_facility=20
    pri_severity=5
    procid="-"
    msgid="ID47"
    iut="3"
    eventsource="Application"
    eventid="1011"
    class="high"
    appname="evntslog"

Fields Extracted By the Parser

The parser automatically extracts the following fields from an event (X marks a field that is extracted for that RFC classification):

RFC Classification   pri_facility   pri_severity   timestamp   appname   procid   msgid
Non-RFC                                            X           X
RFC-3164             X              X              X           X
RFC-5424             X              X              X           X         X        X

Syslog Parser Options

The following table describes the available syslog options.

Option            Description
message_decoder   Defines an additional parser, which is used to parse the message body of an event. It can be a built-in parser, such as 'auto', or any custom-defined parser.
extract_sd        Parses structured data. Only yes or no values are supported for the extract_sd option. The option is disabled by default. When the extract_sd option is enabled, it simply extracts all key-value pairs from the structured data.
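The format detection, PRI decoding, extract_sd and message_decoder behaviour described above, as an added Python example that is not part of this documentation or of the agent's own code. It runs over the page's own sample events; the header regexes, the timestamp handling and the kvp_decode stand-in are assumptions fitted to those samples rather than complete RFC grammars.

```python
import re
from datetime import datetime, timezone

# Constructed sample events, copied from the page's own examples.
NON_RFC_EVENT = ('2015-09-09 13:38:31.619407 +0400 smith01 john: Fri Dec 5 08:58:26 2014 '
                 '[pid 26123] [jsmith.net] status_code=FAIL operation=LOGIN: Client "176.31.17.46"')
RFC5424_EVENT = ('<165>1 2017-01-24T09:17:15.719Z localhost evntslog - ID47 [exampleSDID@32473 '
                 'iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"] Found entity IPSet')
RFC3164_EVENT = "<13>2017-01-24T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT User 'regress' exiting configuration mode"

# Header shapes: RFC-5424 has a VERSION ("1") after the PRI, RFC-3164 does not, Non-RFC lines carry no PRI at all.
# The timestamp patterns are an assumption fitted to the page's samples, not the full RFC grammars.
RFC5424_RE = re.compile(r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) \S+ (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')
RFC3164_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>\S+) \S+ (?P<app>[\w.-]+)(?:\[\d+\])?:? ?(?P<rest>.*)$')
NON_RFC_RE = re.compile(r'^(?P<ts>\S+ \S+ [+-]\d{4}) \S+ (?P<app>[^:\s]+): (?P<rest>.*)$')
SD_ELEMENT_RE = re.compile(r'\[([^\] ]+)((?: [\w.-]+="[^"]*")*)\]')   # [SD-ID SD-PARAM ...]
SD_PARAM_RE = re.compile(r'([\w.-]+)="([^"]*)"')

def normalize_ts(raw):
    """Render the timestamp in UTC without a zone suffix, the way the page shows it."""
    try:
        ts = datetime.strptime(raw, '%Y-%m-%d %H:%M:%S.%f %z')   # Non-RFC sample form
    except ValueError:
        ts = datetime.fromisoformat(raw.replace('Z', '+00:00'))  # ISO 8601 / RFC-5424 form
    return ts.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')

def kvp_decode(body):  # hypothetical stand-in for the built-in kvp parser with fields=*
    return dict(re.findall(r'(\w+)=(\S+)', body))

def parse_syslog(line, extract_sd=False, message_decoder=None):
    """Classify the line, decode PRI, and return the fields the parser would add."""
    fields = {}
    if m := RFC5424_RE.match(line):
        fields.update(classification='RFC-5424', procid=m['procid'], msgid=m['msgid'])
    elif m := RFC3164_RE.match(line):
        fields['classification'] = 'RFC-3164'
    elif m := NON_RFC_RE.match(line):
        fields['classification'] = 'Non-RFC'
    else:
        return fields                          # not a syslog line: nothing is extracted
    if 'pri' in m.groupdict():                 # PRI = facility * 8 + severity
        fields['pri_facility'], fields['pri_severity'] = divmod(int(m['pri']), 8)
    fields['timestamp'] = normalize_ts(m['ts'])
    fields['appname'] = m['app']
    if extract_sd and fields['classification'] == 'RFC-5424':
        for _sd_id, params in SD_ELEMENT_RE.findall(m['rest']):
            for key, value in SD_PARAM_RE.findall(params):
                fields[key.lower()] = value    # SD-PARAM names come out lower-cased, as on the page
    if message_decoder:                        # run the secondary parser over the message body
        fields.update(message_decoder(m['rest']))
    return fields
```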

Parsing for the RFC-5424 Standard

The following example shows the configuration used for the collector, a sample RFC-5424 event, and the fields that the syslog parser adds to the event.

  • Configuration:

    [filelog|simple_logs]
    directory=/var/log
    include=*.txt
    parser=syslog
    
  • An event generated in the monitored file:

    <165>1 2017-01-24T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username=\"regress\"] User 'regress' exiting configuration mode - Juniper format

  • Fields that are added to the event by the syslog parser:

    timestamp=2017-01-24T09:17:15.719000
    pri_facility=20
    pri_severity=5
    procid=3046
    msgid=UI_DBASE_LOGOUT_EVENT
    appname=mgd

Parsing for the RFC-3164 Standard

The following example shows the configuration used for the collector, a sample RFC-3164 event, and the fields that the syslog parser adds to the event.

  • Configuration:

    [filelog|simple_logs]
    directory=/var/log
    include=*.txt
    parser=syslog
    
  • An RFC-3164 event generated in the monitored file:

    <13>2017-01-24T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT User 'regress' exiting configuration mode - Juniper format
    
  • Fields that are added to the event by the syslog parser:

    timestamp=2017-01-24T09:17:15.719000
    pri_facility=1
    pri_severity=5
    appname="mgd"