Syslog Messages

Syslog messages sent over the network to Horizon can be transformed into events according to preconfigured rules.

Syslogd, which enables Horizon to receive syslog messages over the network, must be enabled for this functionality to work. This daemon is disabled by default.

Parsers

You can use parsers to convert syslog message fields into Horizon event fields.

Syslog message parsers
Parser Description

org.opennms.netmgt.syslogd.CustomSyslogParser

Uses a regex statement to parse the syslog header.

org.opennms.netmgt.syslogd.RadixTreeSyslogParser

Uses an internal list of Grok-style statements to parse the syslog header.

org.opennms.netmgt.syslogd.SyslogNGParser

Strictly parses messages in the default pattern of syslog-ng.

org.opennms.netmgt.syslogd.Rfc5424SyslogParser

Strictly parses the RFC 5424 format for syslog messages.

RadixTreeSyslogParser

The RadixTreeSyslogParser normally uses a set of internally defined patterns to parse multiple syslog message formats. To customize the set of patterns, modify ${OPENNMS_HOME}/etc/syslogd-grok-patterns.txt.

The patterns are defined in Grok-style statements where each token is defined by a %{PATTERN:semantic} clause. Whitespace in the pattern will match 0…​n whitespace characters, and character literals in the pattern will match the corresponding characters. The % character literal must be escaped by using a backslash (for example, \%).

The RadixTreeSyslogParser Grok implementation supports only a limited number of pattern types. However, these patterns should be sufficient to parse any syslog message format.

Arrange the patterns in the file from most specific to least specific, since the first pattern to successfully match the syslog message will be used to construct the Horizon event.

RadixTreeSyslogParser parameter patterns
Pattern Description

HOSTNAME

String containing only valid hostname characters (alphanumeric plus '.', '-' and '_').

HOSTNAMEORIP

String containing only valid hostname characters or IP address characters (IPv4 or IPv6).

INT

Positive integer

IPADDRESS

String containing only valid IP address characters (IPv4 or IPv6).

MONTH

Three-character English abbreviation of the month.

NOSPACE

String that contains no whitespace.

STRING

String. Because this matches any character, it must be followed by a delimiter in the pattern string.

WHITESPACE

String that contains only whitespace (spaces and tabs).

RadixTreeSyslogParser semantic tokens
Semantic Token Description

day

Two-digit day of month (01-31)

facilityPriority

Facility-priority integer

hostname

String hostname (unqualified or FQDN), IPv4 address, or IPv6 address.

hour

Two-digit hour of day (00-23)

message

Remaining string message.

messageId

String message ID

minute

Two-digit minute (0-59)

month

Two-digit month (01-12)

parm*

Generic string parameter where the parameter’s key is the identifier following "parm" in the semantic token (for example, parmComponentId maps to a string parameter with key "ComponentId").

processId

String process ID

processName

String process name

second

Two-digit second (00-59)

secondFraction

One- to six-digit fractional second value as a string.

timezone

String timezone value

version

Version

year

Four-digit year

Examples

There are some sample syslog event parsing definitions in ${OPENNMS_HOME}/etc/syslog you can use as a base for customizing your own event parsing.

Discard messages

If there are syslog messages you do not want to keep, you can set the UEI to DISCARD-MATCHING-MESSAGES. This will flag the message as donotpersist so it will be dropped and not written to the database.

<ueiMatch>
    <match type="regex" expression="^.*(\[api-status-warning\].*deprecated).*$" />
    <uei>DISCARD-MATCHING-MESSAGES</uei>
</ueiMatch>

Facility/Severity filtering

If you have similar messages coming in with different syslog facility or severity flags, but only want to capture events that match a specific value, you can specify a filter in the syslogd configuration.

<ueiMatch>
    <facility>local0</facility>
    <severity>Warning</severity>
    <match type="regex" expression="^.*Certificate (.*) expired on (.*)$" />
    <uei>uei.opennms.org/custom/syslog/certExpired</uei>
    <parameter-assignment matching-group="1" parameter-name="certName" />
    <parameter-assignment matching-group="2" parameter-name="expireDate" />
</ueiMatch>