Syslog Messages

Syslog messages sent over the network to Meridian can be transformed into events according to preconfigured rules.

The syslogd service daemon, which enables Meridian to receive syslog messages over the network, must be enabled for this functionality to work. This daemon is disabled by default.

Parsers

Different parsers can be used to convert the syslog message fields into Meridian event fields.

| Parser | Description |
|---|---|
| org.opennms.netmgt.syslogd.CustomSyslogParser | Parser that uses a regex statement to parse the syslog header. |
| org.opennms.netmgt.syslogd.RadixTreeSyslogParser | Parser that uses an internal list of grok-style statements to parse the syslog header. |
| org.opennms.netmgt.syslogd.SyslogNGParser | Parser that strictly parses messages in the default pattern of syslog-ng. |
| org.opennms.netmgt.syslogd.Rfc5424SyslogParser | Parser that strictly parses the RFC 5424 format for syslog messages. |

RadixTreeSyslogParser

The RadixTreeSyslogParser normally uses a set of internally defined patterns to parse multiple syslog message formats. To customize the set of patterns, modify ${OPENNMS_HOME}/etc/syslogd-grok-patterns.txt.

The patterns are defined in grok-style statements where each token is defined by a %{PATTERN:semantic} clause. Whitespace in the pattern matches zero or more (0…n) whitespace characters, and character literals in the pattern match the corresponding characters. The % character literal must be escaped with a backslash (for example, \%).

The RadixTreeSyslogParser’s grok implementation supports only a limited number of pattern types. However, these patterns should be sufficient to parse any syslog message format.

Arrange the patterns in the file from most specific to least specific, since the first pattern to successfully match the syslog message will be used to construct the Meridian event.

| Pattern | Description |
|---|---|
| HOSTNAME | String containing only valid hostname characters (alphanumeric plus '.', '-' and '_'). |
| HOSTNAMEORIP | String containing only valid hostname characters or IP address characters (IPv4 or IPv6). |
| INT | Positive integer |
| IPADDRESS | String containing only valid IP address characters (IPv4 or IPv6). |
| MONTH | Three-character English month abbreviation |
| NOSPACE | String that contains no whitespace. |
| STRING | String. Because this matches any character, it must be followed by a delimiter in the pattern string. |
| WHITESPACE | String that contains only whitespace (spaces and/or tabs). |

| Semantic Token | Description |
|---|---|
| day | Two-digit day of month (1–31) |
| facilityPriority | Facility-priority integer |
| hostname | String hostname (unqualified or FQDN), IPv4 address, or IPv6 address |
| hour | Two-digit hour of day (0–23) |
| message | Remaining String message |
| messageId | String message ID |
| minute | Two-digit minute (0–59) |
| month | Two-digit month (1–12) |
| parm* | Generic String parameter where the parameter’s key is the identifier following "parm" in the semantic token (for example, parmComponentId maps to a string parameter with key "ComponentId"). |
| processId | String process ID |
| processName | String process name |
| second | Two-digit second (0–59) |
| secondFraction | One- to six-digit fractional second value as a String |
| timezone | String timezone value |
| version | Version |
| year | Four-digit year |
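
The matching rules and the ordering advice for syslogd-grok-patterns.txt described above, modelled in Python as an added example. This is not the RadixTreeSyslogParser implementation or any OpenNMS code. The regexes standing in for each pattern type, the two patterns, and the sample message are all constructed assumptions.

```python
import re

# Regex stand-ins for the pattern types in the table above (approximations, assumed).
TYPES = {
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "HOSTNAMEORIP": r"[A-Za-z0-9._:-]+",
    "INT": r"\d+",
    "IPADDRESS": r"[0-9A-Fa-f.:]+",
    "MONTH": r"[A-Z][a-z]{2}",
    "NOSPACE": r"\S+",
    "STRING": r".+?",          # lazy: stops at the delimiter that follows it
    "WHITESPACE": r"[ \t]+",
}
# Lexer: escaped percent | %{PATTERN:semantic} | whitespace run | any other literal
TOKEN = re.compile(r"\\%|%\{(\w+):(\w+)\}|(\s+)|(.)", re.S)

def compile_pattern(pattern):
    """Translate one grok-style statement into an anchored regular expression."""
    parts = []
    for m in TOKEN.finditer(pattern):
        if m.group(0) == r"\%":
            parts.append("%")                  # \% is a literal percent sign
        elif m.group(1):
            parts.append(f"(?P<{m.group(2)}>{TYPES[m.group(1)]})")
        elif m.group(3):
            parts.append(r"\s*")               # pattern whitespace matches 0..n
        else:
            parts.append(re.escape(m.group(4)))
    return re.compile("".join(parts) + r"\Z", re.S)

def parse(message, patterns):
    """Return (index, fields, params) for the first pattern that matches, else None."""
    for index, pattern in enumerate(patterns):
        m = compile_pattern(pattern).match(message)
        if m:
            fields, params = {}, {}
            for key, value in m.groupdict().items():
                if key.startswith("parm") and len(key) > 4:
                    params[key[4:]] = value    # parmComponentId -> "ComponentId"
                else:
                    fields[key] = value
            return index, fields, params
    return None

# Constructed sample patterns and message (not the OpenNMS defaults).
HEADER = ("<%{INT:facilityPriority}> %{MONTH:month} %{INT:day} "
          "%{INT:hour}:%{INT:minute}:%{INT:second} %{HOSTNAMEORIP:hostname} ")
SPECIFIC = HEADER + "%{NOSPACE:processName}[%{INT:processId}]: %{STRING:message}"
GENERIC = HEADER + "%{STRING:message}"
MSG = "<34>Oct 11 22:14:15 fw01.example.org sshd[4721]: Failed password for admin"
```

Calling parse(MSG, [SPECIFIC, GENERIC]) extracts processName and processId, while parse(MSG, [GENERIC, SPECIFIC]) still matches but folds them into message, which is why the more specific pattern belongs earlier in the file.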