Skip to content

Syslog parsing

Incoming syslog messages can be parsed by the zensyslog service. This allows syslogs to be either kept or dropped, and allows administrators to set event fields without needing to write event transforms.

To view your configured parsers, navigate to ADVANCED > Settings > Events and scroll down to the Syslog Parsers field.

Parser format

Each syslog parser is made of three parts, written as a Python dictionary: a description, an expression, and a Boolean "keep" value.

"description"
The "description" field is used to identify and explain the parser. It has no effect on parser behavior.
"expr"
The "expr" or "expression" field is the Python-flavored regular expression (regex) used to match an incoming syslog message. You can use [named capture groups]https://www.regular-expressions.info/named.html){.external-link} to set event fields on the generated event.
"keep"
The "keep" field accepts a value of either True or False. Use True to process syslog messages into events. Use False to drop the syslog message without any further event processing.

The Syslog Parsers field contains a Python list of the configured parser dictionaries. A sample list of parser dictionaries might look like the following:

[ 
  {
    "expr": "^: \\d{4} \\w{3}\\s+\\d{1,2}\\s+\\d{1,2}:\\d\\d:\\d\\d \\w{3}: %(?P<eventClassKey>[^:]+): (?P<summary>.*)", 
    "description": "Cisco UCS: 2010 Oct 19 15:47:45 CDT: snmpd: SNMP Operation (GET) failed. Reason:2 reqId (257790979) errno (42) error index (1)", 
    "keep": true
  }, 
  {
    "expr": "^(?P<component>.+)\\[(?P<ntseverity>\\D+)\\] (?P<ntevid>\\d+) (?P<summary>.*)", 
    "description": "ntsyslog windows msg", 
    "keep": true
  }
]

Note

The backslash (\) character must be escaped in your "expr" sequences.

If you attempt to save your parsers with invalid syntax, the system will generate a "flare" message indicating the fault.