Parse syslog messages
Syslog is a logging standard used by Unix-like operating systems to log system events. Many software and hardware vendors also choose this logging format because of its popularity and ease of use. NXLog Agent includes a syslog message parser that supports the BSD (RFC 3164) and newer IETF (RFC 5424) formats.
Below, we provide examples of collecting and parsing different syslog formats with NXLog Agent.
This configuration uses the im_udp input module to listen for syslog messages and parses records with the xm_syslog module. It expects messages in the BSD (RFC 3164) format.
```
<Extension syslog>
    Module        xm_syslog
</Extension>

<Input udp>
    Module        im_udp
    ListenAddr    0.0.0.0:514
    Exec          parse_syslog_bsd(); (1)
</Input>
```

1. Calls the parse_syslog_bsd() procedure to parse the record into structured data.
The following is a syslog message collected from a Linux host.
```
<38>Oct 31 10:30:12 myhost sshd[8459]: Failed password for invalid user linda from 192.168.1.60 port 38176 ssh2
```

When the NXLog Agent configuration above processes this message, it adds the following fields to the log record in addition to the core fields. Note that although the message timestamp in the syslog BSD format does not contain the year, the procedure adds it to the $EventTime field for a valid timestamp.
| Field | Value | 
|---|---|
| $Message | Failed password for invalid user linda from 192.168.1.60 port 38176 ssh2 | 
| $SyslogSeverityValue | 6 | 
| $SyslogSeverity | INFO | 
| $SeverityValue | 2 | 
| $Severity | INFO | 
| $SyslogFacilityValue | 4 | 
| $SyslogFacility | AUTH | 
| $EventTime | 2023-10-31 10:30:12 | 
| $Hostname | myhost | 
| $SourceName | sshd | 
| $ProcessID | 8459 | 
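To show what parse_syslog_bsd() does with the PRI prefix, the year-less timestamp and the TAG[PID] header, here is an added Python reimplementation of the BSD parsing step (example code, not NXLog's own). The sample line is the constructed message from above; the mapping of the eight syslog severities onto NXLog's five-level $SeverityValue scale and the RFC 3164 fallback to priority 13 when no PRI is present are assumptions, since the page confirms only the INFO row.

```python
import re
from datetime import datetime

# Constructed sample: the same message the page uses, not captured from a live host.
SAMPLE = ("<38>Oct 31 10:30:12 myhost sshd[8459]: Failed password for invalid "
          "user linda from 192.168.1.60 port 38176 ssh2")

FACILITIES = ("KERN USER MAIL DAEMON AUTH SYSLOG LPR NEWS UUCP CRON AUTHPRIV FTP "
              "NTP AUDIT ALERT CLOCK LOCAL0 LOCAL1 LOCAL2 LOCAL3 LOCAL4 LOCAL5 "
              "LOCAL6 LOCAL7").split()
SEVERITIES = "EMERG ALERT CRIT ERR WARNING NOTICE INFO DEBUG".split()
# Assumed mapping of syslog severity (0-7) onto NXLog's core $SeverityValue scale
# (DEBUG=1, INFO=2, WARNING=3, ERROR=4, CRITICAL=5); the page confirms only INFO -> 2.
CORE_SEVERITY = {0: (5, "CRITICAL"), 1: (5, "CRITICAL"), 2: (5, "CRITICAL"),
                 3: (4, "ERROR"), 4: (3, "WARNING"), 5: (2, "INFO"),
                 6: (2, "INFO"), 7: (1, "DEBUG")}

BSD_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                         # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "     # TIMESTAMP (no year)
    r"(?P<host>\S+) "                                    # HOSTNAME
    r"(?P<tag>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?:\s?"     # TAG[PID]:
    r"(?P<msg>.*)$")                                     # free-form MSG

def parse_syslog_bsd(line, year=None):
    """Return the fields the page's parse_syslog_bsd() adds for one BSD line."""
    m = BSD_RE.match(line)
    if not m:
        # Not in BSD shape: keep the raw text so nothing is silently dropped.
        return {"Message": line}
    # RFC 3164 4.3.3: a message without a valid PRI is treated as priority 13.
    pri = int(m["pri"]) if m["pri"] is not None else 13
    if pri > 191:  # facility 0-23 and severity 0-7 give a maximum of 23*8+7
        return {"Message": line}
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    # BSD timestamps carry no year; supply one (current year by default).
    year = year or datetime.now().year
    event_time = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    core_val, core_name = CORE_SEVERITY[severity]
    fields = {
        "Message": m["msg"],
        "SyslogSeverityValue": severity, "SyslogSeverity": SEVERITIES[severity],
        "SeverityValue": core_val, "Severity": core_name,
        "SyslogFacilityValue": facility, "SyslogFacility": FACILITIES[facility],
        "EventTime": event_time.strftime("%Y-%m-%d %H:%M:%S"),
        "Hostname": m["host"], "SourceName": m["tag"],
    }
    if m["pid"]:
        fields["ProcessID"] = int(m["pid"])
    return fields
```

Pass the year explicitly when replaying archived logs, otherwise a December message parsed in January lands a year late.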
