Syslog Structure

InsightOps will automatically parse and index fields within your Syslog data. Keys are automatically highlighted and clickable. Clicking on a field populates the search bar to allow for quick searching across your data.

InsightOps will parse both RFC 5424 (IETF) and RFC 3164 (BSD) Syslog messages. For example, take the following RFC 3164 Syslog message:

<165>Feb 22 17:16:34 test-VirtualBox kernel[292]: Accidentally deleted folder=system32

We know that the header format of Syslog access logs is:

<pri><timestamp> <hostname> <appname>[<procid>]:

You'll be able to parse those implied keys immediately for groupby queries and calculations. Given the previous example:

Implied Key    Value
pri            165
timestamp      Feb 22 17:16:34
hostname       test-VirtualBox
appname        kernel
procid         292

Using this data allows easier log searching. For example, you can now complete queries such as:

  • Look for a hostname with: where(hostname="test-VirtualBox")
  • See what appnames are used most often with: groupby(appname) calculate(count) sort(desc)
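As an added illustration (not InsightOps code), the following Python parser extracts the implied keys from an RFC 3164 header laid out as above and mimics a groupby count over them. It also decodes PRI into facility and severity, which the page does not cover, and returns None for lines without a syslog header; the sample lines and helper names are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# RFC 3164 header: <pri>timestamp hostname appname[procid]: message
# The timestamp is "Mmm dd hh:mm:ss"; the day may be space-padded ("Feb  2").
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<appname>[^\[\s:]+)"
    r"(?:\[(?P<procid>[^\]]+)\])?"
    r":\s?(?P<message>.*)$"
)

def parse_rfc3164(line: str) -> Optional[Dict[str, str]]:
    """Return the implied syslog keys for an RFC 3164 line, or None when the
    line has no valid syslog header (the usual cause of parsing trouble)."""
    m = RFC3164_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:  # PRI = facility*8 + severity; max is 23*8 + 7
        return None
    # PRI decodes into facility and severity (RFC 3164 section 4.1.1).
    fields["facility"] = str(pri // 8)
    fields["severity"] = str(pri % 8)
    if fields["procid"] is None:
        del fields["procid"]  # procid is optional in BSD syslog
    return fields

# Constructed sample lines: the page's example plus a line with no PRI/header.
SAMPLE_LINES: List[str] = [
    "<165>Feb 22 17:16:34 test-VirtualBox kernel[292]: Accidentally deleted folder=system32",
    "Feb 22 17:16:35 test-VirtualBox sshd: no PRI, so not a syslog header",
]

def count_by_key(lines: List[str], key: str) -> Dict[str, int]:
    """Mimic groupby(<key>) calculate(count): unparseable lines are skipped."""
    counts: Dict[str, int] = {}
    for line in lines:
        parsed = parse_rfc3164(line)
        if parsed and key in parsed:
            counts[parsed[key]] = counts.get(parsed[key], 0) + 1
    return counts

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_rfc3164(sample))
    print(count_by_key(SAMPLE_LINES, "appname"))
```

Lines that come back as None are exactly the ones to inspect when parsing fails: they are missing the PRI or the rest of the header that the parser expects.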

Having trouble with Syslog parsing?

Confirm that the data is RFC 5424 or RFC 3164 compliant and has a syslog header.