The syslog parser supports the message_decoder and extract_sd options and automatically detects the RFC-6587, RFC-5424, and RFC-3164 formats.
Configuring the message_decoder Option
All common options and the message_decoder option are available for the syslog parser. By default, only the timestamp and appname fields are extracted. Enable the message_decoder option by setting configuration values in your liagent.ini file to be similar to the following example:
```ini
[filelog|data_logs]
directory=D:\Logs
include=*.txt
parser=mysyslog

[parser|mysyslog]
base_parser=syslog
message_decoder=syslog_message_decoder
debug=yes

[parser|syslog_message_decoder]
base_parser=kvp
fields=*
```
Parsing with the message_decoder Option
The following example shows a sample event and the fields that are added to the event by a syslog parser configured to use the message_decoder option:
- Sample event:
2015-09-09 13:38:31.619407 +0400 smith01 john: Fri Dec 5 08:58:26 2014 [pid 26123] [jsmith.net] status_code=FAIL operation=LOGIN: Client "176.31.17.46"
- Returned by a syslog parser to which the message_decoder option is applied to run a KVP parser:
timestamp=2015-09-09T09:38:31.619407 appname=john status_code=FAIL operation=LOGIN:
Configuring the extract_sd Option for Parsing Structured Data
To parse structured data, enable the extract_sd option by setting configuration values in your liagent.ini file to be similar to the following example:
```ini
[filelog|simple_logs]
directory=/var/log
include=*.txt
parser=syslog_parser

[parser|syslog_parser]
base_parser=syslog
extract_sd=yes
```
Parsing with the extract_sd Option
The following example shows a sample event and the fields that are added to the event by a syslog parser configured to use the extract_sd option:
- The sample event:
<165>1 2017-01-24T09:17:15.719Z localhost evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][examplePriority@32473 class="high"] Found entity IPSet, display name dummy ip set 1411
- The following fields are added to the event by the syslog parser:
timestamp=2017-01-24T09:17:15.719000 pri_facility=20 pri_severity=5 procid="-" msgid="ID47" iut="3" eventsource="Application" eventid="1011" class="high" appname="evntslog"
Fields Extracted By the Parser
The parser automatically extracts the following fields from an event:
RFC Classification | pri_facility | pri_severity | timestamp | appname | procid | msgid
---|---|---|---|---|---|---
Non-RFC | X | X | | | |
RFC-3164 | X | X | X | X | |
RFC-5424 | X | X | X | X | X | X
Syslog Parser Options
The following table describes available syslog options.
Option | Description
---|---
message_decoder | Defines an additional parser that is used to parse the message body of an event. It can be a built-in parser, such as 'auto', or any custom-defined parser.
extract_sd | Parses structured data. Only yes or no values are supported for the extract_sd option, and it is deactivated by default. When the extract_sd option is enabled, the parser extracts all key-value pairs from the structured data.
Parsing for the RFC-5424 Standard
The following example shows the configuration used for the collector, a sample RFC-5424 event, and the fields that the syslog parser adds to the event.
- Configuration:
```ini
[filelog|simple_logs]
directory=/var/log
include=*.txt
parser=syslog
```
- An event generated in the monitored file:
<165>1 2017-01-24T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT [[email protected] username=\"regress\"] User 'regress' exiting configuration mode - Juniper format
- Fields that are added to the event by the syslog parser:
timestamp=2017-01-24T09:17:15.719000 pri_facility=20 pri_severity=5 procid=3046 msgid=UI_DBASE_LOGOUT_EVENT appname=mgd
Parsing for the RFC-3164 Standard
The following example shows the configuration used for the collector, a sample RFC-3164 event, and the fields that syslog adds to the event.
- Configuration:
```ini
[filelog|simple_logs]
directory=/var/log
include=*.txt
parser=syslog
```
- An RFC-3164 event generated in the monitored file:
<13>2017-01-24T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT User 'regress' exiting configuration mode - Juniper format
- Fields that are added to the event by the syslog parser:
timestamp=2017-01-24T09:17:15.719000 pri_facility=1 pri_severity=5 appname="mgd"
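The following Python is an added example, not the agent's own parser code; the function and pattern names are assumptions. It models the behaviour described in the message_decoder, extract_sd, field-table, RFC-5424 and RFC-3164 sections above: it splits the PRI value into pri_facility and pri_severity, extracts the per-class fields from the table, pulls every PARAM-NAME="value" pair out of the structured data when extract_sd is on, and runs a KVP message decoder over the message body. It goes beyond the page in two ways: it also accepts the classic "Oct 11 22:14:15" RFC-3164 timestamp, and it converts ISO timestamps with an offset to UTC, which is what the first sample's +0400 to 09:38:31 change implies.

```python
import re
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Tuple

# Simplified re-implementation of the behaviour this page describes; the names
# below are assumptions, not the agent's own parser.

# RFC-5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# RFC-3164: <PRI>TIMESTAMP HOSTNAME TAG ...; the timestamp is either the classic
# "Oct 11 22:14:15" form or, as in this page's sample, an ISO-8601 value.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d|\S+) "
    r"(?P<host>\S+) (?P<app>[^\s:\[]+):? ?(?P<rest>.*)$",
    re.DOTALL,
)
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# One SD-ELEMENT: [SD-ID PARAM-NAME="value" ...]; values may contain escaped quotes.
SD_ELEMENT_RE = re.compile(r'\[([^\]\s]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')
# Bare key=value tokens as a KVP message decoder sees them: the value runs to the
# next whitespace, which is why "operation=LOGIN:" keeps its colon on this page.
KVP_RE = re.compile(r"(\w+)=(\S+)")


def normalize_timestamp(raw: str) -> str:
    """Render an ISO-8601 timestamp as naive UTC in the page's
    2017-01-24T09:17:15.719000 style; non-ISO timestamps are kept verbatim."""
    try:
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        return raw
    if ts.tzinfo is not None:
        ts = ts.astimezone(timezone.utc).replace(tzinfo=None)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%f")


def split_structured_data(rest: str) -> Tuple[str, str]:
    """Split what follows MSGID into the STRUCTURED-DATA text and the MSG."""
    if rest.startswith("-"):                      # NILVALUE: no structured data
        return "", rest[1:].lstrip()
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if m is None:                             # malformed element: leave it in MSG
            break
        pos = m.end()
    return rest[:pos], rest[pos:].lstrip()


def extract_structured_data(sd_text: str) -> Dict[str, str]:
    """extract_sd=yes behaviour: every PARAM-NAME="value" from every SD-ELEMENT,
    keys lowercased as in the page's sample output; the SD-IDs themselves are dropped."""
    fields: Dict[str, str] = {}
    for element in SD_ELEMENT_RE.finditer(sd_text):
        for key, value in SD_PARAM_RE.findall(element.group(2)):
            fields.setdefault(key.lower(), value)
    return fields


def kvp_decode(message: str) -> Dict[str, str]:
    """A KVP message decoder (base_parser=kvp, fields=*): bare key=value tokens only."""
    return dict(KVP_RE.findall(message))


def parse_syslog(line: str, extract_sd: bool = False,
                 message_decoder: Optional[Callable[[str], Dict[str, str]]] = None,
                 ) -> Dict[str, str]:
    """Detect RFC-5424, RFC-3164 or non-RFC input and return the fields the page's
    table lists for that class, plus SD params and decoded message fields if enabled.
    Header-derived fields win over anything found in SD or the message body."""
    fields: Dict[str, str] = {}
    message, sd_text = line, ""
    m = RFC5424_RE.match(line)
    if m:
        sd_text, message = split_structured_data(m["rest"])
        fields.update(timestamp=normalize_timestamp(m["ts"]), appname=m["app"],
                      procid=m["procid"], msgid=m["msgid"])
    else:
        m = RFC3164_RE.match(line)
        if m:
            message = m["rest"]
            fields.update(timestamp=normalize_timestamp(m["ts"]), appname=m["app"])
        else:
            m = PRI_RE.match(line)                # non-RFC: only the PRI is decodable
    if m:
        pri = int(m["pri"])
        fields["pri_facility"] = str(pri // 8)
        fields["pri_severity"] = str(pri % 8)
    for source in (extract_structured_data(sd_text) if extract_sd else {},
                   message_decoder(message) if message_decoder else {}):
        for key, value in source.items():
            fields.setdefault(key, value)         # never overwrite header fields
    return fields


if __name__ == "__main__":
    # Sample events copied from this page.
    print(parse_syslog('<165>1 2017-01-24T09:17:15.719Z localhost evntslog - ID47 '
                       '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
                       '[examplePriority@32473 class="high"] Found entity IPSet', extract_sd=True))
    print(parse_syslog("<13>2017-01-24T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT "
                       "User 'regress' exiting configuration mode", message_decoder=kvp_decode))
```

The `setdefault` calls are a deliberate design choice rather than something the page specifies: the producer of a log line controls both the SD params and the message body, so a line whose body contains `appname=...` or `pri_severity=...` would otherwise let the decoder overwrite the fields the parser derived from the header. Keeping header fields authoritative means downstream alerting on appname or severity cannot be steered by the contents of the message.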