Syslog Structure
InsightOps will automatically parse and index fields within your Syslog data. Keys are automatically highlighted and clickable. Clicking on a field will populate the search bar to allow for quick searching of across your data.
basic
Parsing
InsightOps will parse both RPF 5424 (IETF) and RFC 3164 (BSD) Syslog messages. For example, if we take an RFC 3164 Syslog message:
We know that the format of Syslog access logs are:
You'll be able to parse those implied keys immediately for groupby queries and calculations. Given the previous example:
| Implied Key | Value |
|---|---|
| pri | 165 |
| timestamp | Feb 22 17:16:34 |
| hostname | test-VirtualBox |
| appname | kernal |
| procid | 292 |
Using this data allows easier log searching. For example, you can now complete queries such as:
- Look for a hostname with:
where(hostname="test-VirtualBox") - See what appnames are used most often with:
groupby(appname) calculate(count) sort(desc)
Having trouble with Syslog parsing?
Confirm that the data is RFC 5424 or RFC 3164 compliant and has a syslog header.
Did this page help you?