Syslog Messages
Syslog messages sent over the network to Horizon can be transformed into events according to preconfigured rules.
Syslogd, which enables Horizon to receive syslog messages over the network, must be enabled for this functionality to work. This daemon is disabled by default.
Parsers
You can use parsers to convert syslog message fields into Horizon event fields.
| Parser | Description |
|---|---|
| org.opennms.netmgt.syslogd.CustomSyslogParser | Uses a regex statement to parse the syslog header. |
| org.opennms.netmgt.syslogd.RadixTreeSyslogParser | Uses an internal list of Grok-style statements to parse the syslog header. |
| org.opennms.netmgt.syslogd.SyslogNGParser | Strictly parses messages in the default pattern of syslog-ng. |
| org.opennms.netmgt.syslogd.Rfc5424SyslogParser | Strictly parses the RFC 5424 format for syslog messages. |
RadixTreeSyslogParser
The RadixTreeSyslogParser normally uses a set of internally defined patterns to parse multiple syslog message formats.
To customize the set of patterns, modify ${OPENNMS_HOME}/etc/syslogd-grok-patterns.txt.
The patterns are defined in Grok-style statements where each token is defined by a %{PATTERN:semantic} clause.
Whitespace in the pattern will match 0…n whitespace characters, and character literals in the pattern will match the corresponding characters.
The % character literal must be escaped by using a backslash (for example, \%).
The RadixTreeSyslogParser Grok implementation supports only a limited number of pattern types.
However, these patterns should be sufficient to parse any syslog message format.
Arrange the patterns in the file from most specific to least specific, since the first pattern to successfully match the syslog message will be used to construct the Horizon event.
| Pattern | Description |
|---|---|
| HOSTNAME | String containing only valid hostname characters (alphanumeric plus '.', '-' and '_'). |
| HOSTNAMEORIP | String containing only valid hostname characters or IP address characters (IPv4 or IPv6). |
| INT | Positive integer |
| IPADDRESS | String containing only valid IP address characters (IPv4 or IPv6). |
| MONTH | Three-character English abbreviation of the month. |
| NOSPACE | String that contains no whitespace. |
| STRING | String. Because this matches any character, it must be followed by a delimiter in the pattern string. |
| WHITESPACE | String that contains only whitespace (spaces and tabs). |
| Semantic Token | Description |
|---|---|
| day | Two-digit day of month (01–31) |
| facilityPriority | Facility-priority integer |
| hostname | String hostname (unqualified or FQDN), IPv4 address, or IPv6 address. |
| hour | Two-digit hour of day (00–23) |
| message | Remaining string message. |
| messageId | String message ID |
| minute | Two-digit minute (0–59) |
| month | Two-digit month (01–12) |
| parm* | Generic string parameter where the parameter’s key is the identifier following "parm" in the semantic token (for example, |
| processId | String process ID |
| processName | String process name |
| second | Two-digit second (00–59) |
| secondFraction | One- to six-digit fractional second value as a string. |
| timezone | String timezone value |
| version | Version |
| year | Four-digit year |
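
The statement syntax and first-match ordering described above, as an added Python sketch that is not OpenNMS code and does not use its radix-tree implementation: each Grok-style statement is translated into a regular expression. The regexes in `TYPES`, the statements and the sample message are constructed for illustration, and end of line is assumed to act as the delimiter after a trailing `STRING`.

```python
import re

# Regexes approximating the pattern types in the table above (assumed, not OpenNMS's).
TYPES = {
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "HOSTNAMEORIP": r"[A-Za-z0-9._:-]+",
    "INT": r"[0-9]+",
    "IPADDRESS": r"[0-9A-Fa-f.:]+",
    "MONTH": r"[A-Z][a-z]{2}",
    "NOSPACE": r"\S+",
    "STRING": r".*?",  # lazy: stops at the next delimiter (end of line assumed as one)
    "WHITESPACE": r"[ \t]+",
}
TOKEN = re.compile(r"\\%|%\{([A-Z]+):(\w+)\}|(\s+)|(.)", re.S)

def compile_statement(stmt):
    """Translate one Grok-style statement into an anchored regex."""
    out = []
    for m in TOKEN.finditer(stmt):
        if m.group(0) == "\\%":
            out.append("%")  # escaped percent literal
        elif m.group(1):
            out.append("(?P<%s>%s)" % (m.group(2), TYPES[m.group(1)]))
        elif m.group(3):
            out.append(r"\s*")  # pattern whitespace matches 0..n whitespace
        else:
            out.append(re.escape(m.group(4)))  # any other character is a literal
    return re.compile("^" + "".join(out) + "$", re.S)

def parse(message, statements):
    """Return (index, fields) for the first statement that matches, else None."""
    for index, stmt in enumerate(statements):
        m = compile_statement(stmt).match(message)
        if m:
            return index, m.groupdict()
    return None

# Constructed statements, most specific first: with process name and ID, then without.
HEADER = ("<%{INT:facilityPriority}> %{MONTH:month} %{INT:day} "
          "%{INT:hour}:%{INT:minute}:%{INT:second} %{HOSTNAMEORIP:hostname} ")
STATEMENTS = [
    HEADER + "%{NOSPACE:processName}[%{INT:processId}]: %{STRING:message}",
    HEADER + "%{STRING:message}",
]
# Constructed sample message.
SAMPLE = "<34>Oct 11 22:14:15 gw01.example.org sshd[4721]: Failed password for root"

if __name__ == "__main__":
    print(parse(SAMPLE, STATEMENTS))        # specific statement wins, processName kept
    print(parse(SAMPLE, STATEMENTS[::-1]))  # generic statement first swallows the process
```

With the generic statement listed first, the same message still matches, but `processName` and `processId` are never extracted and end up inside `message`, which is why the file should run from most specific to least specific.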