Parse syslog messages
Syslog is a logging standard used by Unix-like operating systems to record system events. Many software and hardware vendors also adopt this format because of its popularity and ease of use. NXLog Agent includes a syslog message parser that supports both the BSD (RFC 3164) and the newer IETF (RFC 5424) formats.
Below, we provide examples of collecting and parsing different syslog formats with NXLog Agent.
This configuration uses the im_udp input module to listen for syslog messages and parses records with the xm_syslog module. It expects messages in the BSD (RFC 3164) format.
```
<Extension syslog>
    Module    xm_syslog
</Extension>

<Input udp>
    Module      im_udp
    ListenAddr  0.0.0.0:514
    Exec        parse_syslog_bsd();  # (1)
</Input>
```

1. Calls the parse_syslog_bsd() procedure to parse the record into structured data.
The following is a syslog message collected from a Linux host.
```
<38>Oct 31 10:30:12 myhost sshd[8459]: Failed password for invalid user linda from 192.168.1.60 port 38176 ssh2
```
When the NXLog Agent configuration above processes this message, it adds the following fields to the log record in addition to the core fields. Note that although a BSD syslog timestamp does not contain the year, the procedure supplies it so that $EventTime holds a complete, valid timestamp.
| Field | Value |
|---|---|
| $Message | Failed password for invalid user linda from 192.168.1.60 port 38176 ssh2 |
| $SyslogSeverityValue | 6 |
| $SyslogSeverity | INFO |
| $SeverityValue | 2 |
| $Severity | INFO |
| $SyslogFacilityValue | 4 |
| $SyslogFacility | AUTH |
| $EventTime | 2023-10-31 10:30:12 |
| $Hostname | myhost |
| $SourceName | sshd |
| $ProcessID | 8459 |