Syslog Structure

InsightOps will automatically parse and index fields within your Syslog data. Keys are automatically highlighted and clickable. Clicking on a field will populate the search bar to allow for quick searching across your data.


Parsing

If we take a normal Syslog example in this format:

<165>1 Feb 22 17:16:34 test-VirtualBox kernel: [292] Accidentally deleted folder=system32

We know that the format of the Syslog header is:

*pri* *version* *timestamp* *hostname* *appname* *procid*

You'll be able to parse those implied keys immediately for groupby queries and calculations. So from the example above:

| Implied Key | Value           |
|-------------|-----------------|
| pri         | 165             |
| version     | 1               |
| timestamp   | Feb 22 17:16:34 |
| hostname    | test-VirtualBox |
| appname     | kernel          |
| procid      | 292             |

Using this data allows easier log searching. For example, you can now run queries such as:

  • Look for a hostname with: where(hostname="test-VirtualBox")

  • See what appnames are used most often with: groupby(appname) calculate(count) sort(desc)
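The following Python script is an added example, not InsightOps' own parser or query engine: it extracts the implied keys from lines laid out like the sample above (pri, version, a `Mon DD HH:MM:SS` timestamp, hostname, `appname:`, `[procid]`, message), derives facility and severity from `pri` (facility * 8 + severity, as syslog defines PRI), and then reproduces the two queries listed above as plain functions. The sample lines, the `where`/`groupby_count` helper names and the regex are all constructed for this example; a line with no recognisable header is returned as `None`, which is the situation the troubleshooting note at the end of the page describes.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the page's example:
#   <pri>version timestamp hostname appname: [procid] message
SAMPLE_LINES = [
    "<165>1 Feb 22 17:16:34 test-VirtualBox kernel: [292] Accidentally deleted folder=system32",
    "<38>1 Feb 22 17:16:35 test-VirtualBox sshd: [1042] Accepted publickey for alice from 10.0.0.5",
    "<38>1 Feb 22 17:16:40 web-01 sshd: [1043] Failed password for root from 203.0.113.9",
    "<30>1 Feb 22 17:17:01 web-01 cron: [77] (root) CMD (run-parts /etc/cron.hourly)",
    "<13>1 Feb 22 17:17:05 test-VirtualBox kernel: [292] usb 1-1: new high-speed USB device",
]

# Regex tied to the layout above; a different timestamp style (for example the
# ISO 8601 timestamps used by RFC 5424 senders) would need its own pattern.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                            # <165>
    r"(?P<version>\d+)\s+"                                            # 1
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"  # Feb 22 17:16:34
    r"(?P<hostname>\S+)\s+"                                           # test-VirtualBox
    r"(?P<appname>[^\s:]+):\s+"                                       # kernel:
    r"\[(?P<procid>\d+)\]\s*"                                         # [292]
    r"(?P<message>.*)$"                                               # the rest of the line
)


def parse_syslog(line):
    """Return the implied keys for one line, or None when no syslog header is found."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    # PRI packs facility and severity into one number: pri = facility * 8 + severity
    pri = int(event["pri"])
    event["facility"] = pri // 8
    event["severity"] = pri % 8
    return event


def parse_all(lines):
    """Parse every line, dropping the ones without a usable header."""
    return [e for e in (parse_syslog(l) for l in lines) if e is not None]


def where(events, **conditions):
    """Equivalent of where(key="value"): keep events whose keys all match."""
    return [e for e in events if all(e.get(k) == v for k, v in conditions.items())]


def groupby_count(events, key):
    """Equivalent of groupby(key) calculate(count) sort(desc)."""
    counts = Counter(e[key] for e in events)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    events = parse_all(SAMPLE_LINES)
    print("hostname=test-VirtualBox:", len(where(events, hostname="test-VirtualBox")))
    print("appname counts:", groupby_count(events, "appname"))
    print("headerless line ->", parse_syslog("just some text with no header"))
```

Running the block prints three matches for the hostname filter and the appname counts in descending order; any line that fails `HEADER_RE` is reported as `None` rather than silently producing empty keys, which makes unparsed input easy to spot before it reaches a search.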

Having trouble with Syslog parsing?

Confirm that the data is RFC 5424 compliant and has a syslog header.