Parsers

Parsers extract individual logs from the incoming data and forward them for further processing in the log collection pipeline.

../_images/LP_Config_Parsers_List.png

Parsers

You can create your own parser and apply it to collectors and fetchers. The regex pattern you provide is what breaks the incoming data into individual logs: a pattern that misses a record boundary merges adjacent logs into one, and a pattern that also matches inside a message cuts one log into several, so test the pattern against representative examples before applying it.

Note

Because the Line parser splits any log larger than 12 KB into separate logs of 12 KB each, receiving large log files can fill up disk space quickly. Monitor disk usage from System Monitor.

Adding a Parser

  1. Go to Settings >> Configuration from the navigation bar and click Parsers.

../_images/LP_Config_Parsers_List_Add.png

Parsers

  2. Click Add Parser.

../_images/LP_Config_Parsers_Add.png

Addition of a Parser

  3. Provide Name, Pattern, and Example.

  4. Before clicking Submit, click Check to verify that the pattern matches the examples.

../_images/LP_Config_Parsers_Check.png

Pattern and Examples Check

  5. Click Submit.

Note

Click the ? icon near the top-right corner to get help on the inputs.

Now, apply the parser to the collection devices, i.e., collectors and fetchers.
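The Name, Pattern and Example fields of the form, and the Check step, written out as an added Python example. This is not LogPoint's own code, and the page does not state exactly how LogPoint applies the pattern; the example assumes the pattern marks the start of each log, so a log runs from one match to the next. The pattern, the example strings and the concatenated stream are constructed for illustration, modelled on the Windows audit records shown further down this page.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CustomParser:
    """The three fields of the Add Parser form: Name, Pattern, Example(s)."""
    name: str
    pattern: str
    examples: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._start = re.compile(self.pattern, re.MULTILINE)

    def check(self) -> dict[str, bool]:
        """What the Check button answers: does the pattern match each example?"""
        return {ex: self._start.search(ex) is not None for ex in self.examples}

    def split(self, data: str) -> list[str]:
        """Cut incoming data into individual logs.

        Assumption (not stated on the page): the pattern marks where each log
        starts, so a log runs from one match to the next.  Data before the first
        match is kept as its own log rather than dropped, so a pattern that misses
        the first record boundary stays visible in the output.
        """
        starts = [m.start() for m in self._start.finditer(data)]
        if not starts:
            return [data.strip()] if data.strip() else []
        if starts[0] != 0:
            starts.insert(0, 0)
        bounds = starts + [len(data)]
        return [data[a:b].strip() for a, b in zip(bounds, bounds[1:]) if data[a:b].strip()]


# Constructed scenario: a device sends audit records back to back with no newline
# between them, so the Line parser cannot separate them.  Each record begins with
# a "MMM dd hh:mm:ss EventCode=" header, which the custom pattern uses as the boundary.
WIN_AUDIT_PATTERN = (
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{1,2} \d{2}:\d{2}:\d{2} EventCode="
)
EXAMPLE_OK = (
    "Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success "
    "Message=A connection permitted. Destination Port:444"
)
# ISO-8601 timestamp instead of the syslog-style one: Check must report no match.
EXAMPLE_BAD = "2024-04-28T08:58:18Z EventCode=5156 EventType=0 Keywords=Audit Success"
STREAM = (
    "Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success "
    "Message=A connection permitted. Destination Port:444"
    "Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success "
    "Message=A connection permitted. Destination Port:6161"
)


def run_check() -> dict[str, bool]:
    """Per-example result of the Check step for the constructed parser."""
    parser = CustomParser("win_audit_concat", WIN_AUDIT_PATTERN, [EXAMPLE_OK, EXAMPLE_BAD])
    return parser.check()


def run_split() -> list[str]:
    """Individual logs cut from the constructed concatenated stream."""
    return CustomParser("win_audit_concat", WIN_AUDIT_PATTERN).split(STREAM)


if __name__ == "__main__":
    for example, matched in run_check().items():
        print("MATCH  " if matched else "NO MATCH", example[:60])
    for i, log in enumerate(run_split(), 1):
        print(f"log {i}: {log}")
```

Including a deliberately non-matching example, as above, is the quickest way to confirm that Check reports failures as well as successes before the parser is applied to a collector or fetcher.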

Editing a Parser

  1. Go to Settings >> Configuration from the navigation bar and click Parsers.

  2. Click the Name of the required parser.

../_images/LP_Config_Parsers_List_Edit.png

Parsers

  3. Update the information.

  4. Click Check to verify that the pattern matches the examples.

  5. Click Submit.

Note

  • You cannot edit the name of a parser.

  • Click the ? icon near the top-right corner to get help on the inputs.

Deleting a Parser

  1. Go to Settings >> Configuration from the navigation bar and click Parsers.

  2. Click the Delete icon under the Actions column of the parser.

    ../_images/LP_Config_Parsers_List_Delete.png

    Parsers

    To delete multiple parsers, select the parsers, click the More drop-down menu, and choose Delete Selected.

    ../_images/LP_Config_Parsers_List_DeleteSelected.png

    Parsers

    To delete all the parsers, click the More drop-down menu and choose Delete All.

    ../_images/LP_Config_Parsers_List_DeleteAll.png

    Parsers

  3. A delete confirmation dialog box appears on the screen. Click Yes to proceed.

Default parsers

LogPoint provides the following parsers, which you can use to parse some standardized log formats.

Line Parser

Splits each line in the incoming data into individual logs.

Example:

The Line parser splits the following log entries, one per line, into two separate logs:

Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success Message=A connection permitted. Application Name: App Direction: Inbound Source Address: 21.21.3.133 Source Port: 80 Destination Address: 21.21.3.132 Destination Port:444
Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success Message=A connection permitted. Application Name: App Direction: Inbound Source Address: 21.21.3.133 Source Port: 80 Destination Address: 21.21.3.132 Destination Port:6161

Syslog Parser

Splits multiple syslog messages into individual logs. It parses both the RFC 3164 and RFC 5424 formats of syslog messages.

Example:

The Syslog parser splits the following log entries, which arrive run together with no line break between them, into two separate logs at the second priority tag (<165>):

<135>Apr 28 08:58:18 LogName=Security SourceName=Security audit. EventCode=5156 EventType=0 TaskCategory=Connection Keywords=Audit Success Message=A connection permitted. Process ID: 41 Application Name: App Direction: Inbound Source Address: 21.21.3.133 Source Port: 80 Destination Address: 21.21.3.132 Destination Port:444<165>Apr 28 08:58:18 LogName=Security12 SourceName=Security audit1. EventCode=5156 EventType=0 TaskCategory=Connection Keywords=Audit Success Message=A connection permitted. Process ID: 41 Application Name: App Direction: Inbound Source Address: 21.21.3.133 Source Port: 80 Destination Address: 21.21.3.132 Destination Port:6161

Multi Line Syslog Parser

Splits multiple syslog messages written in multiple lines into individual logs.

Example:

The Multi Line Syslog parser splits the following log entries, each spanning several lines, into three separate logs:

<135>Apr 28 08:58:18
LogName=Security
SourceName=Security audit.
EventCode=5156
EventType=0
TaskCategory=Connection
Keywords=Audit Success
Message=A connection permitted.
Process ID: 41
Application Name: App
Direction: Inbound
Source Address: 21.21.3.133
Source Port: 80
Destination Address: 21.21.3.132
Destination Port:444

<165>Apr 28 08:58:18
LogName=Security12
SourceName=Security audit1.
EventCode=5156
EventType=0
TaskCategory=Connection
Keywords=Audit Success
Message=A connection permitted.
Process ID: 41
Application Name: App
Direction: Inbound
Source Address: 21.21.3.133
Source Port: 80
Destination Address: 21.21.3.132
Destination Port:6161

<161>Mar 19 11:38:18
LogName=Security123
SourceName=Security audit 123.
EventCode=5156
EventType=0
TaskCategory=Connection
Keywords=Audit Success
Message=A connection permitted.
Process ID: 4
Application Name: App
Direction: Inbound
Source Address: 21.21.3.133
Source Port: 80
Destination Address: 21.21.3.132
Destination Port:6161
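The splitting behaviour of the Line, Syslog and Multi Line Syslog parsers above, written out as an added Python example. This is not LogPoint's code; LogPoint's own implementation is not on this page. It assumes the 12 KB limit in the note above means 12 × 1024 bytes, and treats a valid <PRI> tag followed by either an RFC 3164 timestamp or an RFC 5424 version-and-timestamp header as the start of a new message, which is what cuts the single-line sample into two logs and the multi-line sample into three. The sample strings are constructed, shortened copies of the page's examples plus one constructed RFC 5424 message.

```python
import re

# Assumed byte size for the Line parser's 12 KB limit; the page gives no exact figure.
LINE_CHUNK_BYTES = 12 * 1024

# A new syslog message starts at "<PRI>" followed by an RFC 5424 header
# ("1 " + ISO-8601 timestamp) or an RFC 3164 timestamp ("Apr 28 08:58:18").
_MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
_RFC3164_TS = _MONTH + r" {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
_RFC5424_HDR = r"1 \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
SYSLOG_START = re.compile(
    r"<(?P<pri>\d{1,3})>(?:(?P<v5424>" + _RFC5424_HDR + r")|(?P<v3164>" + _RFC3164_TS + r"))"
)


def line_parser(data: str, chunk_bytes: int = LINE_CHUNK_BYTES) -> list[str]:
    """Line parser: every non-empty line is one log; a line longer than chunk_bytes
    is emitted as consecutive chunk_bytes-sized logs (the disk-usage note above).
    Cutting by byte can land inside a multi-byte UTF-8 character, so decoding uses
    errors="replace" instead of raising."""
    logs: list[str] = []
    for line in data.splitlines():
        if not line.strip():
            continue
        raw = line.encode("utf-8")
        for i in range(0, len(raw), chunk_bytes):
            logs.append(raw[i:i + chunk_bytes].decode("utf-8", errors="replace"))
    return logs


def syslog_parser(data: str) -> list[dict]:
    """Syslog and Multi Line Syslog parser: a new log begins at each <PRI> header,
    whether messages are run together on one line or spread over many lines.
    PRI values above 191 are not valid syslog priorities, so a look-alike such as
    "<999>Apr ..." inside a message body does not start a new log.  Any text before
    the first header is returned as a log with pri None so that nothing is dropped."""
    matches = [m for m in SYSLOG_START.finditer(data) if int(m.group("pri")) <= 191]
    logs: list[dict] = []
    if not matches:
        return [{"pri": None, "facility": None, "severity": None, "rfc": None,
                 "raw": data.strip()}] if data.strip() else []
    lead = data[:matches[0].start()].strip()
    if lead:
        logs.append({"pri": None, "facility": None, "severity": None, "rfc": None, "raw": lead})
    bounds = [m.start() for m in matches] + [len(data)]
    for m, (a, b) in zip(matches, zip(bounds, bounds[1:])):
        pri = int(m.group("pri"))
        logs.append({
            "pri": pri,
            "facility": pri // 8,       # PRI = facility * 8 + severity
            "severity": pri % 8,
            "rfc": "5424" if m.group("v5424") else "3164",
            "raw": data[a:b].strip(),
        })
    return logs


# Constructed samples, shortened from the page's Line, Syslog and Multi Line Syslog examples.
LINE_SAMPLE = (
    "Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success Destination Port:444\n"
    "Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success Destination Port:6161\n"
)
SYSLOG_SAMPLE = (
    "<135>Apr 28 08:58:18 LogName=Security SourceName=Security audit. EventCode=5156 "
    "Keywords=Audit Success Message=A connection permitted. Destination Port:444"
    "<165>Apr 28 08:58:18 LogName=Security12 SourceName=Security audit1. EventCode=5156 "
    "Keywords=Audit Success Message=A connection permitted. Destination Port:6161"
)
MULTILINE_SAMPLE = """<135>Apr 28 08:58:18
LogName=Security
EventCode=5156
Destination Port:444

<165>Apr 28 08:58:18
LogName=Security12
EventCode=5156
Destination Port:6161

<161>Mar 19 11:38:18
LogName=Security123
EventCode=5156
Destination Port:6161
"""
# Constructed RFC 5424 message: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424_SAMPLE = "<34>1 2024-04-28T08:58:18Z host01 sshd 1234 - - Failed password for root"


if __name__ == "__main__":
    print(line_parser(LINE_SAMPLE))
    for log in syslog_parser(SYSLOG_SAMPLE) + syslog_parser(MULTILINE_SAMPLE) + syslog_parser(RFC5424_SAMPLE):
        print(log["pri"], log["facility"], log["severity"], log["rfc"], log["raw"][:40])
```

The PRI bound and the leading-fragment handling are the two checks worth carrying into any custom boundary pattern: the first stops a message body from being cut in half because it happens to contain an angle-bracketed number, the second makes a missed first boundary visible instead of silently discarding data.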

Email Parser

Splits logs from multiple email services such as Exim, Qmail, Cisco IronPort, and Postfix MTA. The Email parser can only be used with the Syslog collector.

DB2 Parser

Splits logs from IBM DB2 servers.

RACF Parser

Splits logs from Resource Access Control Facility (RACF) devices.

CSVParser

Processes comma-separated values from a file. The CSVParser can only be used with file-based collectors and fetchers.

JSONLineParser

Processes JSON lines (one JSON object per line) from a file. The JSONLineParser can only be used with file-based collectors and fetchers.

Note

In addition to these parsers, Logpoint has default parsers specific to integrations. For details, search for the specific parser in the ServiceDesk.
