Syslog Messages

Syslog messages sent over the network to Horizon can be transformed into events according to preconfigured rules.

The Syslogd service daemon, which enables Horizon to receive syslog messages over the network, must be enabled for this functionality to work. This service daemon is disabled by default.

Parsers

Different parsers can be used to convert the syslog message fields into Horizon event fields.

Parser Description

Parser	Description
`org.opennms.netmgt.syslogd.CustomSyslogParser`	Parser that uses a regex statement to parse the syslog header.
`org.opennms.netmgt.syslogd.RadixTreeSyslogParser`	Parser that uses an internal list of grok-style statements to parse the syslog header.
`org.opennms.netmgt.syslogd.SyslogNGParser`	Parser that strictly parses messages in the default pattern of syslog-ng.
`org.opennms.netmgt.syslogd.Rfc5424SyslogParser`	Parser that strictly parses the RFC 5424 format for syslog messages.

org.opennms.netmgt.syslogd.CustomSyslogParser

Parser that uses a regex statement to parse the syslog header.

org.opennms.netmgt.syslogd.RadixTreeSyslogParser

Parser that uses an internal list of grok-style statements to parse the syslog header.

org.opennms.netmgt.syslogd.SyslogNGParser

Parser that strictly parses messages in the default pattern of syslog-ng.

org.opennms.netmgt.syslogd.Rfc5424SyslogParser

Parser that strictly parses the RFC 5424 format for syslog messages.

RadixTreeSyslogParser

The RadixTreeSyslogParser normally uses a set of internally defined patterns to parse multiple syslog message formats. To customize the set of patterns, you can put a new set of patterns into a syslog-grok-patterns.txt in the etc directory for Horizon.

The patterns are defined in grok-style statements where each token is defined by a %{PATTERN:semantic} clause. Whitespace in the pattern will match 0…n whitespace characters, and character literals in the pattern will match the corresponding characters. The '%' character literal must be escaped by using a backslash, i.e., '\%'.

The RadixTreeSyslogParser’s grok implementation only supports a limited number of pattern types. However, these patterns should be sufficient to parse any syslog message format.

Arrange the patterns in the file from most specific to least specific, since the first pattern to successfully match the syslog message will be used to construct the Horizon event.

Pattern	Description
HOSTNAME	String containing only valid hostname characters (alphanumeric plus '.', '-' and '_').
HOSTNAMEORIP	String containing only valid hostname characters or IP address characters (IPv4 or IPv6).
INT	Positive integer
IPADDRESS	String containing only valid IP address characters (IPv4 or IPv6).
MONTH	3-character English month abbreviation
NOSPACE	String that contains no whitespace.
STRING	String. Because this matches any character, it must be followed by a delimiter in the pattern string.
WHITESPACE	String that contains only whitespace (spaces and or tabs).

Pattern

Description

HOSTNAME

String containing only valid hostname characters (alphanumeric plus '.', '-' and '_').

HOSTNAMEORIP

String containing only valid hostname characters or IP address characters (IPv4 or IPv6).

INT

Positive integer

IPADDRESS

String containing only valid IP address characters (IPv4 or IPv6).

MONTH

3-character English month abbreviation

NOSPACE

String that contains no whitespace.

STRING

String. Because this matches any character, it must be followed by a delimiter in the pattern string.

WHITESPACE

String that contains only whitespace (spaces and or tabs).

Semantic Token	Description
day	2-digit day of month (1-31)
facilityPriority`	Facility-priority integer
hostname	String hostname (unqualified or FQDN), IPv4 address, or IPv6 address
hour	2-digit hour of day (0-23)
message	Remaining string message
messageId	String message ID
minute	2-digit minute (0-59)
month	2-digit month (1-12)
parm*	String generic parameter where the parameter’s key is the identifier following "parm" in the semantic token (for example, parmComponentId maps to a string parameter with key "ComponentId").
processId	String process ID
processName	String process name
second	2-digit second (0-59)
secondFraction	1- to 6-digit fractional second value as a string
timezone	String timezone value
version	Version
year	4-digit year

Semantic Token

Description

day

2-digit day of month (1-31)

facilityPriority`

Facility-priority integer

hostname

String hostname (unqualified or FQDN), IPv4 address, or IPv6 address

hour

2-digit hour of day (0-23)

message

Remaining string message

messageId

String message ID

minute

2-digit minute (0-59)

month

2-digit month (1-12)

parm*

String generic parameter where the parameter’s key is the identifier following "parm" in the semantic token (for example, parmComponentId maps to a string parameter with key "ComponentId").

processId

String process ID

processName

String process name

second

2-digit second (0-59)

secondFraction

1- to 6-digit fractional second value as a string

timezone

String timezone value

version

Version

year

4-digit year