Let's Talk
Let's Talk

NXLog Documentation

You are viewing the documentation of our legacy products. Go to the NXLog Platform Documentation.
6.01

Apple System Logs (xm_asl)

This module provides support for parsing Apple System Log (ASL) files. It registers an InputType using the name of the module instance. This module can be used with the im_file module.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.

Configuration

The xm_asl module accepts only the common module directives.

Fields

The following fields are used by xm_asl.

$raw_event (type: string)

The raw log message.

$EventTime (type: datetime)

A timestamp for when the event was created by the ASL daemon.

$Facility (type: string)

The sender’s facility.

$GroupAccess (type: integer)

The GID of the group that has permission to read the message (-1 for "all groups").

$Level (type: string)

The ASL record level string. See $Severity.

$LevelValue (type: integer)

The ASL record level value corresponding to the $Level.

$RecordId (type: integer)

A numeric ID for this record.

$Sender (type: string)

The name of the process that sent the message.

$SenderGid (type: integer)

The group ID (GID) of the process that generated the event (-1 or -2 may indicate the nobody or nogroup groups; see /etc/group on the source system).

$SenderHost (type: string)

The host that the sender belongs to (usually the name of the device).

$SenderPid (type: integer)

The ID of the process that generated the event.

$SenderUid (type: integer)

The user ID (UID) of the process that generated the event (-2 may indicate the nobody group; see /etc/group on the source system).

$Severity (type: string)

The normalized severity of the event, mapped as follows.

ASL Level Normalized Severity

0/EMERGENCY

5/CRITICAL

1/ALERT

5/CRITICAL

2/CRITICAL

5/CRITICAL

3/ERROR

4/ERROR

4/WARNING

3/WARNING

5/NOTICE

2/INFO

6/INFO

2/INFO

7/DEBUG

1/DEBUG
$SeverityValue (type: integer)

The normalized severity number of the event. See $Severity.

$UserAccess (type: integer)

The UID of the user that has permission to read the message (-1 for "all users").

Examples

Example 1. Parsing Apple System Logs With xm_asl

This example uses an im_file module instance to read an ASL log file and the InputType provided by xm_asl to parse the events. The various Fields are added to the event record.

nxlog.conf
<Extension asl_parser>
    Module      xm_asl
</Extension>

<Input in>
    Module      im_file
    File        "tmp/input.asl"
    InputType   asl_parser
</Input>