Version:

Parsers

Parsers extract individual logs from the incoming data and forward them for further processing in the log collection pipeline.

Collectors and fetchers use parsers to process the collected log. In addition to built-in, default parsers you can create your own. The provided regex pattern in the parser splits the message into individual log entries.

../_images/LP_Config_Parsers_List.png

Parsers

Note

Since the Line parser splits logs greater than 12 KB into individual logs of 12 KB, the disk space can fill up quickly while receiving larger log files. You can monitor disk usage from System Monitor.

Adding a Parser

  1. Go to Settings >> Configuration from the navigation bar and click Parsers.

../_images/LP_Config_Parsers_List_Add.png

Parsers

  1. Click Add Parser.

../_images/LP_Config_Parsers_Add.png

Addition of a Parser

  1. Enter Name, Pattern, and Example.

  2. Click Check to verify if the pattern matches the examples.

../_images/LP_Config_Parsers_Check.png

Pattern and Examples Check

  1. Click Submit.

Now, apply the parser to the collection devices, i.e., collectors and fetchers.

Editing a Parser

  1. Go to Settings >> Configuration from the navigation bar and click Parsers.

  2. Click the Name of the required parser and update the information. You cannot edit the name of a parser.

../_images/LP_Config_Parsers_List_Edit.png

Parsers

  1. Click the Check button to verify if the pattern matches the examples.

  2. Click Submit.

Note

Click the ? icon near the top-right corner for context-sensitive help.

Deleting a Parser

  1. Go to Settings >> Configuration from the navigation bar and click Parsers.

  2. Click the Delete icon under Actions.

    ../_images/LP_Config_Parsers_List_Delete.png

    Parsers

    1. To delete multiple parsers, select the parsers, click More and choose Delete Selected.

    ../_images/LP_Config_Parsers_List_DeleteSelected.png

    Parsers

    1. To delete all the parsers, click More and choose Delete All.

    ../_images/LP_Config_Parsers_List_DeleteAll.png

    Parsers

  3. Click Yes to confirm deletion.

Default parsers

Logpoint provides the following parsers you can use to parse some standarized log formats.

Line Parser

Splits each line in the incoming data into individual logs. If the size of the input message is larger than 12 KB, the message is split into individual logs.

Example:

Line parser splits the following type of log entries into two seperate logs:

Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success Message=A connection permitted. Application Name: App Direction: Inbound Source Address: 21.21.3.133 Source Port: 80 Destination Address: 21.21.3.132 Destination Port:444
Apr 28 08:58:18 EventCode=5156 EventType=0 Keywords=Audit Success Message=A connection permitted. Application Name: App Direction: Inbound Source Address: 21.21.3.133 Source Port: 80 Destination Address: 21.21.3.132 Destination Port:6161

Syslog Parser

Splits multiple syslog messages into individual logs using the newline character. If the size of the input message is larger than the Message Length set from Syslog, the message is split into individual log by that length.

Example:

Syslog parser splits the following type of log entries separated by newline into two seperate logs:

<135>Apr 28 08:58:18 LogName=Security SourceName=Security audit. EventCode=5156 EventType=0 TaskCategory=Connection Keywords=Audit Success Message=A connection permitted. Process ID: 41 Application Name: App Direction: Inbound Source Address: 21.21.3.133 Source Port: 80 Destination Address: 21.21.3.132 Destination Port:444 \n <165>Apr 28 08:58:18 LogName=Security12 SourceName=Security audit1. EventCode=5156 EventType=0 TaskCategory=Connection Keywords=Audit Success Message=A connection permitted. Process ID: 41 Application Name: App Direction: Inbound Source Address: 21.21.3.133 Source Port: 80 Destination Address: 21.21.3.132 Destination Port:6161

Multi Line Syslog Parser

Splits multiple syslog messages written in multiple lines into individual logs. It uses PRI (Priority Value), a numerical value enclosed in angle brackets “<>”, to split the messaage.

Example:

Multi Line Syslog parser splits the following type of log entries into three seperate logs:

<135>Apr 28 08:58:18
LogName=Security
SourceName=Security audit.
EventCode=5156
EventType=0
TaskCategory=Connection
Keywords=Audit Success
Message=A connection permitted.
Process ID: 41
Application Name: App
Direction: Inbound
Source Address: 21.21.3.133
Source Port: 80
Destination Address: 21.21.3.132
Destination Port:444

<165>Apr 28 08:58:18
LogName=Security12
SourceName=Security audit1.
EventCode=5156
EventType=0
TaskCategory=Connection
Keywords=Audit Success
Message=A connection permitted.
Process ID: 41
Application Name: App
Direction: Inbound
Source Address: 21.21.3.133
Source Port: 80
Destination Address: 21.21.3.132
Destination Port:6161

<161>Mar 19 11:38:18
LogName=Security123
SourceName=Security audit 123.
EventCode=5156
EventType=0
TaskCategory=Connection
Keywords=Audit Success
Message=A connection permitted.
Process ID: 4
Application Name: App
Direction: Inbound
Source Address: 21.21.3.133
Source Port: 80
Destination Address: 21.21.3.132
Destination Port:6161

Email Parser

Splits logs from multiple email services like Exim, Qmail, Cisco Ironport, and Postfix MTA. Email parser can only be used with Syslog collector.

Proofpoint Email Protection Parser

Splits logs coming from Proofpoint’s Email Protection service.

DB2 Parser

Splits logs from IBM DB2 servers.

RACF Parser

Splits logs from Resource Access Control Facility (RACF) devices.

CSVParser

Processes comma-separated values from a file. CSVParser can only be used with file-based collectors and fetchers.

JSONLineParser

Processes JSON lines from a file. JSONLineParser can only be used with file-based collectors and fetchers.

In addition to these parsers, Logpoint has default parsers specific to integrations. For more details, search for specific parsers in the ServiceDesk.

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support