Skip to content

Latest commit

 

History

History
201 lines (183 loc) · 5.87 KB

syslogparser.md

File metadata and controls

201 lines (183 loc) · 5.87 KB

Syslog Parser Processor

The Syslog Parser Processor parses syslog messages into structured objects. It supports both single-threaded and multi-threaded processing for improved performance.

Examples

Example 1: Single-threaded parsing

Configuration

"processors": {
	"syslogParser": {
		"type": "syslogparser",
		"config": {
			"field": "${originalMessage}"
		}
	}
}

Input

{
	"originalMessage": "<34>1 2023-03-15T10:00:00Z host1 app - - - Test message"
}

Output

{
	"originalMessage": "<34>1 2023-03-15T10:00:00Z host1 app - - - Test message",
	"syslog": {
		"priority": 34,
		"version": 1,
		"timestamp": "2023-03-15T10:00:00Z",
		"hostname": "host1",
		"appname": "app",
		"message": "Test message"
	}
}

Example 2: Multi-threaded parsing

Configuration

"processors": {
	"syslogParser": {
		"type": "syslogparser",
		"config": {
			"field": "${originalMessage}",
			"cores": 4
		}
	}
}

Input

{
	"originalMessage": "<34>1 2023-03-15T10:00:00Z host1 app - - - Test message"
}

Output

{
	"originalMessage": "<34>1 2023-03-15T10:00:00Z host1 app - - - Test message",
	"syslog": {
		"priority": 34,
		"version": 1,
		"timestamp": "2023-03-15T10:00:00Z",
		"hostname": "host1",
		"appname": "app",
		"message": "Test message"
	}
}

Example 3: Parse syslog line in CEF format

Configuration

"processors": {
	"syslogParser": {
		"type": "syslogparser",
		"config": {
			"field": "${originalMessage}"
		}
	}
}

Input

{
	"originalMessage": "<134><165>1 2023-03-15T10:00:00Z host1 app 1234 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] BOMAn application event log entryn"
}

Output

{
  "originalMessage": "CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= mailto:src_email_id=src@abc.com dst_email_id={mailto:test1@abc.com,mailto:test2@abc.com,mailto:test3@abc.com} startTime=2016- 05-03 23:42:54+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/ 74280968a4917da52b5555351eeda969.bin http://greatfilesarey.asia/QA/ files_to_pcaps/1813791bcecf3a3af699337723a30882.bin fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32",
  "pri": "",
  "prival": null,
  "type": "CEF",
  "ts": "2025-03-18T18:10:24.036Z",
  "message": "CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= mailto:src_email_id=src@abc.com dst_email_id={mailto:test1@abc.com,mailto:test2@abc.com,mailto:test3@abc.com} startTime=2016- 05-03 23:42:54+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/ 74280968a4917da52b5555351eeda969.bin http://greatfilesarey.asia/QA/ files_to_pcaps/1813791bcecf3a3af699337723a30882.bin fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32",
  "chain": [],
  "host": "",
  "cef": {
    "version": "CEF:0",
    "deviceVendor": "JATP",
    "deviceProduct": "Cortex",
    "deviceVersion": "3.6.0.1444",
    "deviceEventClassID": "email",
    "name": "Phishing",
    "severity": "8",
    "extension": "externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= mailto:src_email_id=src@abc.com dst_email_id={mailto:test1@abc.com,mailto:test2@abc.com,mailto:test3@abc.com} startTime=2016- 05-03 23:42:54+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/ 74280968a4917da52b5555351eeda969.bin http://greatfilesarey.asia/QA/ files_to_pcaps/1813791bcecf3a3af699337723a30882.bin fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32"
  },
  "fields": {
    "externalId": "1499",
    "eventId": "14058",
    "lastActivityTime": "2016-05-03 23:42:54+00",
    "src": "",
    "dst": "",
    "src_hostname": "",
    "dst_hostname": "",
    "src_username": "",
    "dst_username": "",
    "mailto:src_email_id": "src@abc.com",
    "dst_email_id": "{mailto:test1@abc.com,mailto:test2@abc.com,mailto:test3@abc.com}",
    "startTime": "2016- 05-03 23:42:54+00",
    "url": "http://greatfilesarey.asia/QA/files_to_pcaps/ 74280968a4917da52b5555351eeda969.bin http://greatfilesarey.asia/QA/ files_to_pcaps/1813791bcecf3a3af699337723a30882.bin",
    "fileHash": "bce00351cfc559afec5beb90ea387b03788e4af5",
    "fileType": "PE32"
  },
  "header": ""
}
---

### Example 4: Parse structured syslog
#### Configuration
```json
"processors": {
	"syslogParser": {
		"type": "syslogparser",
		"config": {
			"field": "${originalMessage}"
		}
	}
}

Input

{
	"originalMessage": "<165>1 2023-03-15T10:00:00Z host1 app 1234 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] BOMAn application event log entry"
}

Output

{
	"originalMessage": "<165>1 2023-03-15T10:00:00Z host1 app 1234 ID47 [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"] BOMAn application event log entry",
	"pri": "<165>",
	"prival": 165,
	"facilityval": 20,
	"levelval": 5,
	"facility": "local4",
	"level": "notice",
	"version": 1,
	"type": "RFC5424",
	"ts": "2023-03-15T10:00:00.000Z",
	"host": "host1",
	"appName": "app",
	"pid": "1234",
	"messageid": "ID47",
	"message": "BOMAn application event log entry",
	"chain": [],
	"structuredData": [
		{
			"$id": "exampleSDID@32473",
			"iut": "3",
			"eventSource": "Application",
			"eventID": "1011"
		}
	],
	"header": "<165>1 2023-03-15T10:00:00Z host1 app 1234 ID47 ",
	"fields": []
}

Configuration Parameters

  • field: The input field containing the syslog message to parse (default: ${originalMessage}).
  • cores: The number of cores to use for multi-threaded processing (default: 0, meaning single-threaded).
  • multithreading: Automatically enabled if cores is greater than 0 and the environment supports worker threads.