Parse syslog messages

Syslog is a logging standard used by Unix-like operating systems to log system events. Many software and hardware vendors also choose this logging format because of its popularity and ease of use. NXLog Agent includes a syslog message parser that supports the BSD (RFC 3164) and newer IETF (RFC 5424) formats.

Below, we provide examples of collecting and parsing different syslog formats with NXLog Agent.

Example 1. Parsing syslog BSD

This configuration uses the im_udp input module to listen for syslog messages and parses records with the xm_syslog module. It expects messages in the BSD (RFC 3164) format.

nxlog.conf
<Extension syslog>
    Module        xm_syslog
</Extension>

<Input udp>
    Module        im_udp
    ListenAddr    0.0.0.0:514
    Exec          parse_syslog_bsd(); (1)
</Input>
1 Calls the parse_syslog_bsd() procedure to parse the record into structured data.

The following is a syslog message collected from a Linux host.

Input sample
<38>Oct 31 10:30:12 myhost sshd[8459]: Failed password for invalid user linda from 192.168.1.60 port 38176 ssh2

When the NXLog Agent configuration above processes this message, it adds the following fields to the log record in addition to the core fields. Note that although the message timestamp in the syslog BSD format does not contain the year, the procedure adds it to the $EventTime field for a valid timestamp.

Field                  Value
$Message               Failed password for invalid user linda from 192.168.1.60 port 38176 ssh2
$SyslogSeverityValue   6
$SyslogSeverity        INFO
$SeverityValue         2
$Severity              INFO
$SyslogFacilityValue   4
$SyslogFacility        AUTH
$EventTime             2023-10-31 10:30:12
$Hostname              myhost
$SourceName            sshd
$ProcessID             8459