Forum Discussion

nageeb's avatar
8 months ago
Solved

New user - looking for information on parsing fields from Syslog message field

We’re just starting to get LogicMonitor setup on our network and, mainly to test the collector, I setup one of our HAProxy instances to forward it’s syslog to the collector and can confirm that the logs are being ingested.  

However, because it’s bare syslog, all I can see is the bare message field.  What I’m looking for is the functionality to pull particular fields out of the message and into fields.

<134>Oct 17 23:37:17 haproxy[3719288]: 69.141.121.67:11058 [17/Oct/2023:23:37:17.568] http_front_80 http_back_80/Acc-SRV01 0/0/0/32/32 200 759 - - --NI 5825/3042/52/12/0 0/0  "POST /Server/URL.asmx HTTP/1.1"

For example, in the log line above, the fields are separated by a space. Among the fields included in the log line are items such as the Client IP, the FronteEnd and BackEnd which I was hoping to be able to extract into their own fields to help with reporting.

I’ve been looking through the documentation and have found the LogSource section but that doesn’t seem to be adding the field. Frankly, after a few hours of searching and experimenting, 

I’m hoping someone could give me some guidance on how this can be done.

Thanks

  • A LogSource can break out all of these fields using the Regex Dynamic Group method.  You can create multiple fields in a single line/expression.  
    https://www.logicmonitor.com/support/syslog-logsource-configuration#h-configuration-options

    Before anything, make sure your collector is the right version to use LogSources and chose the “Enable LM Logs” option for the resource if the logs are being sent to a different collector than the one collecting regular monitoring metrics.

    Then build your Regex.
    It would start something like 
    ([a-zA-Z0-9_ ]*\d+:\d+:\d+) (\S+) (\S+) .+:?.+
    and keep breaking down each section you need to parse into different groups.  Some characters may need to be escaped to be accepted by the LogSource, but once you have it in, it works pretty well.  
    May take a few minutes to kick in, but you should start seeing them soon.  Line up the keys that correspond to each group in your expression in a comma separated list, no spaces (log_time,server,socket, etc)

    May sure none of your fields are named something that could conflict with the standard format, like “timestamp” or “source” since that may break your ingestion.  
    For troubleshooting, temporarily turn on your collector logging for syslog to debug (https://www.logicmonitor.com/support/collectors/collector-management/collector-logging) then go into your debug facility and try
    !tail ..\logs\wrapper.log 1000 
    to see any errors that may be associated with your logs.  

    Make sure to turn off that debug level when you are done.  

    Hope this helps!

11 Replies