Configuring custom syslog message parsers
Modifications made to the syslog.res file in the field will not be preserved during future patching. If Technical Support or Professional Services make changes to handle specific formats, they must inform Engineering to incorporate these changes into future releases. This ensures that new syslog formats discovered by one customer benefit all customers.
Custom message parsers are configured in the following file:
<installation_home>/lib/xml/res/syslog.res
Message parsers are defined under the regexMap component property. Each block defines a message format and its mapped information. Parsers are applied in the order they appear in the list.
To ensure no messages are skipped, a default wildcard parser is added at the end of the list. This guarantees that all Syslog messages are persisted as raw messages, even if NetIM cannot parse their details.
Syslog parser example

In the example above, the parser is named "Non-Standard Parser 2." The regular expression that parses the message format is defined under regexString. Since angle brackets (<>) have special meaning in res files, they must be encoded as:
• &lt; for <
• &gt; for >
The numeric values for priority, timestamp, host, message, and syslogName are indices that extract groups from the regular expression. In the example, groups 1, 2, and 3 provide values for priority, timestamp, and message respectively. If a syslog message does not provide certain information, those properties will not have an index.
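The following added example (not part of the product or its documentation) models the behaviour described above so a candidate parser can be tested against sample messages before syslog.res is edited: ordered first-match parsing, group-index mapping, the wildcard fallback, and angle-bracket encoding. The parser names, regular expressions, dict layout and sample lines are constructed for illustration and are not syslog.res syntax; Python's re module stands in for the product's regex engine, which is an assumption.

```python
import re

# Constructed model of an ordered parser list. The dict layout is an
# assumption for illustration only; it is NOT the syslog.res file syntax.
PARSERS = [
    {"name": "Example Parser A",
     "regexString": r"^<(\d+)>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$",
     "priority": 1, "timestamp": 2, "host": 3, "message": 4},
    {"name": "Example Parser B",  # format carries no host, so no host index
     "regexString": r"^<(\d+)>(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ): (.*)$",
     "priority": 1, "timestamp": 2, "message": 3},
    # Wildcard last: anything unparsed is still kept as a raw message.
    {"name": "Default wildcard", "regexString": r"^(.*)$", "message": 1},
]
FIELDS = ("priority", "timestamp", "host", "message", "syslogName")


def parse(line, parsers=PARSERS):
    """Apply parsers in list order; the first regex that matches wins."""
    for p in parsers:
        m = re.match(p["regexString"], line)
        if m:
            out = {"parser": p["name"]}
            for field in FIELDS:
                if field in p:  # properties without an index are skipped
                    out[field] = m.group(p[field])
            return out
    return None


def check_indices(parser):
    """Return the fields whose index is not a capture group of the regex."""
    groups = re.compile(parser["regexString"]).groups
    return [f for f in FIELDS if f in parser and not 1 <= parser[f] <= groups]


def encode_for_res(regex):
    """Encode angle brackets the way the page requires for res files."""
    return regex.replace("<", "&lt;").replace(">", "&gt;")


if __name__ == "__main__":
    for sample in ("<34>Oct 11 22:14:15 fw01 link down on port 3",  # constructed
                   "<13>2024-01-05T10:00:00Z: config saved",        # constructed
                   "free text with no syslog header"):              # constructed
        print(parse(sample))
```

Moving the wildcard entry ahead of the specific parsers makes it match every message, which is why it belongs at the end of the list.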