Syslog

Parse Elastic Compatible

Synopsis

Parses syslog messages into structured objects containing priority, facility, severity, hostname, application name, process ID, and message content.

note

See Appendix for details of the format.

Schema

syslog:
- field: <ident>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- ignore_missing: <boolean>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>
- target_field: <ident>

Configuration

Field           Required  Default     Description
field           Y         -           Field containing the syslog message
description     N         -           Explanatory note
if              N         -           Condition to run
ignore_failure  N         false       See Handling Failures
ignore_missing  N         false       If true, quietly exit if field doesn't exist
on_failure      N         -           See Handling Failures
on_success      N         -           See Handling Success
tag             N         -           Identifier
target_field    N         log.syslog  Field to store the parsed syslog object

Details

The processor supports:

  • RFC 3164 (BSD-style) syslog messages
  • RFC 5424 (modern format) syslog messages with structured data
  • Common Event Format (CEF) messages
  • Log Event Extended Format (LEEF) messages

warning

The field must contain a valid syslog message string that conforms to one of the supported formats. Invalid messages will cause the processor to fail unless ignore_failure is set to true.

Examples

Basic

Parsing a basic syslog message...

{
"syslog_message": "<190>Jul 23 18:07:21 dhcp6c[10256]: add an address 2a02:cf40:72dc:dd12:7378:913c:b42e:099c/128 on igb0"
}
syslog:
- field: syslog_message
- target_field: parsed_syslog

extracts message components:

{
"parsed_syslog": {
"priority": 190,
"facility": {
"code": 23,
"name": "Local 7"
},
"severity": {
"code": 6,
"name": "Informational"
},
"appname": "dhcp6c",
"pid": 10256,
"message": "add an address 2a02:cf40:72dc:dd12:7378:913c:b42e:099c/128 on igb0"
}
}

Metadata

Parsing an RFC 5424 format message...

{
"syslog_message": "<134>1 2022-06-09T14:44:11-06:00 OPNsense.example.com filterlog 76404 - [meta sequenceId=\"1\"] 124,,,fae559338f65e11c53669fc3642c93c2,ixl1_vlan70,match,pass,out"
}
syslog:
- field: syslog_message
- target_field: parsed_syslog

includes the structured data:

{
"parsed_syslog": {
"priority": 134,
"facility": {
"code": 16,
"name": "Local 0"
},
"severity": {
"code": 6,
"name": "Informational"
},
"hostname": "OPNsense.example.com",
"appname": "filterlog",
"pid": 76404,
"message": "124,,,fae559338f65e11c53669fc3642c93c2,ixl1_vlan70,match,pass,out"
}
}

CEF

Parsing a Cisco Firepower CEF message...

{
"syslog_message": "<134>MAR 1 16:23:11 policyuuid CEF:0|Cisco|Firepower|6.0|PV:112:1234:5678|POLICY VIOLATION|5|rt=1687855290000;deviceExternalId=12;act=Alerted;dvchost=10.50.60.100"
}
syslog:
- field: syslog_message
- target_field: parsed_syslog

extracts the CEF data:

{
"parsed_syslog": {
"priority": 134,
"facility": {
"code": 16,
"name": "Local 0"
},
"severity": {
"code": 6,
"name": "Informational"
},
"hostname": "policyuuid",
"message": "CEF:0|Cisco|Firepower|6.0|PV:112:1234:5678|POLICY VIOLATION|5|rt=1687855290000;deviceExternalId=12;act=Alerted;dvchost=10.50.60.100"
}
}

Error Messages

Parsing the error level messages...

{
"syslog_message": "<27>1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745"
}
syslog:
- field: syslog_message
- target_field: parsed_syslog

correctly identifies the severity:

{
"parsed_syslog": {
"priority": 27,
"facility": {
"code": 3,
"name": "System"
},
"severity": {
"code": 3,
"name": "Error"
},
"hostname": "pfSense.example.com",
"appname": "openvpn",
"pid": 66026,
"message": "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745"
}
}
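The examples above all show the same decomposition: the leading <PRI> value is split into facility (PRI // 8) and severity (PRI % 8), and the remainder is read either as an RFC 5424 header (version, timestamp, hostname, appname, pid, msgid, structured data) or as an RFC 3164 line ("Mon DD HH:MM:SS [host] app[pid]: message"), with a CEF payload falling through as the bare message. The following Python is an added illustration of that logic, not the processor's own code. It assumes the facility and severity names from RFC 5424 section 6.2.1 (the page only shows "System", "Local 0", "Local 7", "Error" and "Informational"), it adds a structured_data key that the page's sample output does not display, and it raises ValueError on a message without a valid <PRI>, which is the failure the warning in Details refers to. The four sample messages are the ones from this page.

```python
import json
import re

# Facility/severity labels per RFC 5424 section 6.2.1. Only "System", "Local 0", "Local 7",
# "Error" and "Informational" appear on the page; the other spellings are my assumption.
FACILITY_NAMES = [
    "Kernel", "User", "Mail", "System", "Security/Auth", "Syslog", "Line Printer",
    "Network News", "UUCP", "Clock", "Security/Auth", "FTP", "NTP", "Log Audit",
    "Log Alert", "Clock",
] + [f"Local {n}" for n in range(8)]
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning",
                  "Notice", "Informational", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG].
# SD-elements are matched as "[...]" runs; an escaped ']' inside a param value is not handled.
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.DOTALL)
# RFC 3164: "Mmm dd hh:mm:ss" followed by the free-form content.
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$", re.DOTALL)
# "[host ]app[pid]: msg". The hostname is optional (the dhcp6c sample has none) and may not
# contain ':' or '[', so "dhcp6c[10256]:" is never mistaken for a host.
TAG_RE = re.compile(
    r"^(?:(?P<host>[^\s:\[\]]+) )?(?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$",
    re.DOTALL)
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^ \]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^=\s]+)="((?:[^"\\]|\\.)*)"')


def decode_pri(pri: int) -> dict:
    """Split a PRI value into the facility/severity objects shown in the examples."""
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities; anything else is malformed
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "priority": pri,
        "facility": {"code": facility, "name": FACILITY_NAMES[facility]},
        "severity": {"code": severity, "name": SEVERITY_NAMES[severity]},
    }


def parse_structured_data(sd: str) -> dict:
    """Turn '[id k="v" ...][id2 ...]' into {id: {k: v, ...}, ...}."""
    return {
        elem.group("id"): {k: v.replace('\\"', '"')
                           for k, v in SD_PARAM_RE.findall(elem.group("params"))}
        for elem in SD_ELEMENT_RE.finditer(sd)
    }


def parse_syslog(raw: str) -> dict:
    """Return a dict shaped like the page's parsed_syslog object."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")  # invalid message: the processor fails here
    result = decode_pri(int(m.group(1)))
    body = raw[m.end():]

    m5424 = RFC5424_RE.match(body)
    if m5424:
        result["timestamp"] = m5424.group("ts")
        for group, key in (("host", "hostname"), ("app", "appname"), ("msgid", "msgid")):
            if m5424.group(group) != "-":  # "-" is the RFC 5424 nil value
                result[key] = m5424.group(group)
        pid = m5424.group("pid")
        if pid != "-":
            result["pid"] = int(pid) if pid.isdigit() else pid
        if m5424.group("sd") != "-":
            result["structured_data"] = parse_structured_data(m5424.group("sd"))
        if m5424.group("msg") is not None:
            result["message"] = m5424.group("msg")
        return result

    m3164 = RFC3164_RE.match(body)
    if not m3164:
        raise ValueError("not an RFC 3164 or RFC 5424 message")
    result["timestamp"] = m3164.group("ts")
    rest = m3164.group("rest")
    tag = TAG_RE.match(rest)
    if tag:
        if tag.group("host"):
            result["hostname"] = tag.group("host")
        result["appname"] = tag.group("app")
        if tag.group("pid"):
            result["pid"] = int(tag.group("pid"))
        result["message"] = tag.group("msg")
    else:
        # No "app[pid]:" tag, e.g. a CEF payload: first token is the host, the rest is the message.
        host, _, msg = rest.partition(" ")
        result["hostname"] = host
        result["message"] = msg
    return result


# The four sample messages from this page.
SAMPLES = [
    "<190>Jul 23 18:07:21 dhcp6c[10256]: add an address 2a02:cf40:72dc:dd12:7378:913c:b42e:099c/128 on igb0",
    '<134>1 2022-06-09T14:44:11-06:00 OPNsense.example.com filterlog 76404 - [meta sequenceId="1"] 124,,,fae559338f65e11c53669fc3642c93c2,ixl1_vlan70,match,pass,out',
    "<134>MAR 1 16:23:11 policyuuid CEF:0|Cisco|Firepower|6.0|PV:112:1234:5678|POLICY VIOLATION|5|rt=1687855290000;deviceExternalId=12;act=Alerted;dvchost=10.50.60.100",
    "<27>1 2021-07-03T22:17:01.074560-05:00 pfSense.example.com openvpn 66026 - - TLS Error: cannot locate HMAC in incoming packet from [AF_INET]175.16.199.1:34745",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(json.dumps(parse_syslog(raw), indent=2))
```

The hostname restriction in TAG_RE is the detail worth keeping: RFC 3164 has no delimiter between hostname and tag, so a parser that lets the host token absorb "dhcp6c[10256]:" will report the first word of the message as the application name, and any detection keyed on appname silently misses.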