Syslog Parsing Schemas

GFI EventsManager supports parsing of Syslog events based on regular expressions. This enables you to manually define a set of expressions used to parse Syslog events; this set of expressions is called a Parsing Schema. The Syslog parsing schema is stored in %GFI EventsManager install directory%\Data\toolcfg_syslogSchemas.xml. Editing this file requires knowledge of XML and regular expressions. Use the schema below as a guide for structuring your XML file; the XML elements of the Syslog Parsing Schema are described after it.

Syslog Parsing Schema – XML Structure

<SyslogParseSchema>
  <SchemaName>Standard linux message</SchemaName>
  <Formats>
    <Format>
      <PriorityRegex>.*</PriorityRegex>
      <Regex><![CDATA[(?<timestamp>\w{3}\s*\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?<host>\w*)\s(?<source_process>\w*):\s.*]]></Regex>
    </Format>
    <Format>
      <PriorityRegex>.*</PriorityRegex>
      <Regex><![CDATA[(?<source_process>\w*)\(.*\)\[(?<source_pid>\d*)\]:\s.*]]></Regex>
    </Format>
    <Format>
      <PriorityRegex>.*</PriorityRegex>
      <Regex><![CDATA[(?<source_process>\w*)\[(?<source_pid>\d*)\]:\s.*]]></Regex>
    </Format>
    <Format>
      <PriorityRegex>.*</PriorityRegex>
      <Regex><![CDATA[(?<source_process>\w*):\s.*]]></Regex>
    </Format>
  </Formats>
  <Fields>
    <Field>
      <Name>timestamp</Name>
      <GroupName>timestamp</GroupName>
      <Type>DateTime</Type>
    </Field>
    <Field>
      <Name>host</Name>
      <GroupName>host</GroupName>
      <Type>String</Type>
    </Field>
    <Field>
      <Name>source process</Name>
      <GroupName>source_process</GroupName>
      <Type>String</Type>
    </Field>
    <Field>
      <Name>source pid</Name>
      <GroupName>source_pid</GroupName>
      <Type>Int32</Type>
    </Field>
  </Fields>
</SyslogParseSchema>

Schema parsing elements

Syslog Parsing Schema XML Tag – Description

SchemaName
  The display name of the schema. The provided name is displayed in the GFI EventsManager Management Console.

Formats
  A collection of Format nodes, each containing the regular expressions used for parsing. Each Format node contains:
  • PriorityRegex – a regular expression used to test the event priority. Before the priority is tested against this expression, it is formatted as a string of the form facility.severity.
  • Regex – a standard .NET regular expression used to parse the message; its named groups supply the field values. For more information, refer to http://msdn.microsoft.com/en-us/library/az24scfc%28v=vs.71%29.aspx.

Fields
  A collection of Field nodes, each containing information about:
  • Name – the display name of the field. The provided name appears in the Events Browser.
  • GroupName – the name of the group in the regular expression that corresponds to the field. This is used to retrieve the field value after parsing.
  • Type – the data type of the field, for example String or DateTime; the schema above also uses Int32.
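The following Python script is an added worked example, not code from GFI EventsManager or this page. It loads a constructed copy of the schema shown above with the standard library XML parser, translates the .NET named-group syntax (?<name>...) into Python's (?P<name>...), and runs a few constructed syslog lines through the Format list exactly as the table describes: the PriorityRegex is tested against a "facility.severity" string derived from the <PRI> value, the Regex is matched against the message, and each Field's GroupName is read out of the match and converted to its declared Type. Two details are assumptions because the page does not state them: the facility and severity names used to build the priority string, and that Format nodes are tried in document order with the first match winning.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed copy of the schema on this page; the .NET regexes are unchanged.
SCHEMA_XML = r"""<SyslogParseSchema>
<SchemaName>Standard linux message</SchemaName>
<Formats>
<Format><PriorityRegex>.*</PriorityRegex>
<Regex><![CDATA[(?<timestamp>\w{3}\s*\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?<host>\w*)\s(?<source_process>\w*):\s.*]]></Regex></Format>
<Format><PriorityRegex>.*</PriorityRegex>
<Regex><![CDATA[(?<source_process>\w*)\(.*\)\[(?<source_pid>\d*)\]:\s.*]]></Regex></Format>
<Format><PriorityRegex>.*</PriorityRegex>
<Regex><![CDATA[(?<source_process>\w*)\[(?<source_pid>\d*)\]:\s.*]]></Regex></Format>
<Format><PriorityRegex>.*</PriorityRegex>
<Regex><![CDATA[(?<source_process>\w*):\s.*]]></Regex></Format>
</Formats>
<Fields>
<Field><Name>timestamp</Name><GroupName>timestamp</GroupName><Type>DateTime</Type></Field>
<Field><Name>host</Name><GroupName>host</GroupName><Type>String</Type></Field>
<Field><Name>source process</Name><GroupName>source_process</GroupName><Type>String</Type></Field>
<Field><Name>source pid</Name><GroupName>source_pid</GroupName><Type>Int32</Type></Field>
</Fields>
</SyslogParseSchema>"""

# Assumed facility/severity names (RFC 3164 style); the page only says "facility.severity".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines (not real log data).
SAMPLE_LINES = [
    "<86>Jan 12 03:14:07 webhost sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "<34>Jan 12 03:15:00 webhost su: pam_unix(su:auth): authentication failure; user=bob",
    "<30>Jan 12 03:16:30 webhost cron(pam_unix)[412]: session opened for user root",
    "no priority and no recognised process prefix",
]


def to_python_regex(pattern):
    """Translate .NET named groups (?<name>...) into Python's (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def load_schema(xml_text):
    """Return (schema name, [(priority regex, message regex)], [(name, group, type)])."""
    root = ET.fromstring(xml_text)
    formats = [(re.compile(f.findtext("PriorityRegex")),
                re.compile(to_python_regex(f.findtext("Regex"))))
               for f in root.find("Formats").findall("Format")]
    fields = [(f.findtext("Name"), f.findtext("GroupName"), f.findtext("Type"))
              for f in root.find("Fields").findall("Field")]
    return root.findtext("SchemaName"), formats, fields


def priority_string(pri):
    """<PRI> = facility * 8 + severity, rendered as 'facility.severity'."""
    pri = min(max(pri, 0), 191)
    return f"{FACILITIES[pri // 8]}.{SEVERITIES[pri % 8]}"


def convert(value, type_name):
    """Apply the Field's declared Type to the captured string."""
    if type_name == "Int32":
        return int(value)
    if type_name == "DateTime":
        # BSD syslog timestamps carry no year; strptime fills in 1900.
        return datetime.strptime(value, "%b %d %H:%M:%S")
    return value


def parse_line(line, formats, fields):
    """Return {field name: typed value} for the first Format whose PriorityRegex and
    Regex both match, or None if no Format matches (assumption: first match wins)."""
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m else 13          # RFC 3164 default when <PRI> is absent
    message = line[m.end():] if m else line
    prio = priority_string(pri)
    for prio_re, msg_re in formats:
        if not prio_re.search(prio):
            continue
        hit = msg_re.search(message)            # unanchored, like .NET Regex.Match
        if hit is None:
            continue
        event = {"priority": prio}
        for name, group, type_name in fields:
            value = hit.groupdict().get(group)  # None if this Format has no such group
            if value is not None:
                event[name] = convert(value, type_name)
        return event
    return None


def parse_samples():
    _, formats, fields = load_schema(SCHEMA_XML)
    return [parse_line(line, formats, fields) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, event in zip(SAMPLE_LINES, parse_samples()):
        print(line, "->", event)
```

Running it shows a property of this schema worth knowing before relying on it for detection: the first Format only matches when the process name is followed directly by a colon, so a typical line such as "sshd[2201]: ..." falls through to the third Format, which captures the process and PID but no timestamp or host. A fourth, catch-all Format ordered last means nearly everything containing ": " is accepted, so unparsed events will be rare but sparsely populated; check which fields actually arrive in the Events Browser before building rules on them.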
