Parse Syslog messages in standard formats

Overview

Syslog is widely used for message logging in UNIX-like operating systems. Syslog messages can be recorded in local files or sent to Syslog servers over the Internet. Each server can store and parse Syslog messages of multiple devices.

Background information

Traditional Syslog messages are in random formats due to a lack of Syslog standards. In some cases, Syslog messages may fail to be parsed because they can be considered only as strings. Therefore, correctness is the first priority when you parse Syslog messages in different formats.

Syslog protocols

Parse Syslog messages in common formats by using the Grok function

Parse Syslog messages in uncommon formats by using the Grok function

This section describes how to use the Grok function to parse Syslog messages in two uncommon formats: FluentRFC5424 and FluentRFC3164. These messages are collected by using the Fluent software.

• FluentRFC5424
  • Log content

      receive_time: 1558663265
      __topic__:
      content: <16>1 2019-02-28T12:00:00.003Z 192.168.0.1 aliyun 11111 ID24224 [exampleSDID@20224 iut='3' eventSource='Application' eventID='11211] Hi, from Fluentd!

  • DSL orchestration

    e_regex('content',grok('%{POSINT:priority}>%{NUMBER:version} %{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:hostname} %{WORD:ident} %{USER:pid} %{USERNAME:msgid} (? P<extradata>(\[(. *)\]|[^ ])) %{GREEDYDATA:message}'))

  • Result

      receive_time: 1558663265
      __topic__:
      content: <16>1 2019-02-28T12:00:00.003Z 192.168.0.1 aliyun 11111 ID24224 [exampleSDID@20224 iut='3' eventSource='Application' eventID='11211] Hi, from aliyun!
      priority: 16
      version: 1
      timestamp: 2019-02-28T12:00:00.003Z
      hostname: 192.168.0.1
      ident: aliyun
      pid: 1111
      msgid: ID24224
      extradata: [exampleSDID@20224 iut='3' eventSource='Application' eventID='11211]
      message: Hi, from aliyun!

• FluentRFC3164
  • Log content

      receive_time: 1558663265
      __topic__:
      content: <6>Feb 28 12:00:00 192.168.0.1 aliyun[11111]: [error] Syslog test

  • DSL orchestration

    e_regex('content', grok('%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{WORD:ident}(? P<pid>(\[[a-zA-Z0-9. _-]+\]|[^:])): (? P<level>(\[(\w+)\]|[^ ])) %{GREEDYDATA:message}'))

  • Result

     receive_time: 1558663265
      __topic__:
      content: <6>Feb 28 12:00:00 192.168.0.1 aliyun[11111]: [error] Syslog test
      priority: 6
      timestamp: Feb 28 12:00:00
      hostname: 192.168.0.1
      ident: aliyun
      pid: [1111]
      level: [error]
      message: Syslog test

• Parse the priority field in a log entry
  After you parse the Syslog messages in the FluentRFC5424 and FluentRFC3164 formats, you can further parse the priority field to obtain information about facility and severity. For more information about how to use RFC5424, see e_syslogrfc. Example

  • Raw log entry

    receive_time: 1558663265
      __topic__:
      content: <13>1 2019-05-06T11:50:16.015554+08:00 iZbp1a65x3r1vhpe94fi2qZ root - - - twish
      priority: 13
      version: 1
      timestamp: 2019-05-06T11:50:16.015554+08:00
      hostname: iZbp1a65x3r1vhpe94fi2qZ
      program: root
      message: twish

  • DSL orchestration

    e_syslogrfc("priority","SYSLOGRFC5424")

  • Result

      receive_time: 1558663265
      __topic__:
      content: <13>1 2019-05-06T11:50:16.015554+08:00 iZbp1a65x3r1vhpe94fi2qZ root - - - twish
      priority: 13
      version: 1
      timestamp: 2019-05-06T11:50:16.015554+08:00
      hostname: iZbp1a65x3r1vhpe94fi2qZ
      program: root
      message: twish
      _facility_: 1
      _severity_: 5
      _severitylabel_: Notice: normal but significant condition
      _facilitylabel_: user-level messages