Create Logging Profile elements

A syslog packet consists of three parts: <PRI>, HEADER, and MSG. In a Logging Profile element, you define patterns for converting the MSG part of the syslog packet to an SMC log entry.

A Logging Profile parses the data in a syslog message to the corresponding SMC log fields when the syslog entry is converted to an SMC log entry. The parts of the syslog packet are explained in more detail in the following table.
Table 1. Parts of the syslog packet
Section | Description
--- | ---
<PRI> | Contains facility and priority information. The Log Server automatically extracts the Facility value from the <PRI> part and converts it to the Syslog Facility field in SMC logs. You do not define patterns for mapping this section in the Logging Profile.
HEADER | Contains a time stamp and the host name or IP address of a device. The Log Server automatically extracts the data in the HEADER part. This section is optional in syslog packets, so not all devices send this data.
MSG | Contains the text of the syslog message. In the Logging Profile, you define the mapping for parsing this part of the syslog packet.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Monitoring.
  2. Browse to Third-Party Devices > Logging Profiles.
  3. Right-click Logging Profiles, then select New > Logging Profile.
  4. Enter a name for the Logging Profile, then click OK.
  5. (Optional) To insert fields, drag and drop items to the Header field from the Fields branch in the Resource pane, or use type-ahead search.


    Note: You can add fields that are the same for all logging patterns that you define in the Patterns pane. To omit a portion of data, add an Ignore field.
    Important: Type or copy and paste from the syslog message any tokens that appear before and after the field values. If you do not insert the appropriate tokens, the data cannot be parsed.

    In the illustration, the header of the syslog entry contains the following data common for all patterns:

    <Cisco time><space><Ignore><space><Ignore><space><Cisco original time>

    As a result, the header contains the following data:

    <Sep 21 04:04:56> <cisco-example.stonesoft.com> <1815452:> <Sep 21 04:04:55> %

    Because the Ignore field is used for <cisco-example.stonesoft.com> and <1815452:>, the values are not converted to SMC log entry format.

  6. Select how Patterns are parsed:
    • Ordered Fields — The syslog entries are parsed in the specified order. If the incoming logs vary in structure, you must define several patterns.
    • Key-Value Pairs — The syslog entries are parsed based on key-value pairs that you define. You can add key-value pairs in any order. You can use one pattern for all logs even if the logs vary in structure.
  7. Click Save.
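
The following Python sketch is an added illustration, not part of the product or its documentation. It splits a syslog packet at <PRI> as described in Table 1, then applies the ordered header pattern from step 5, showing that Ignore fields are matched but not stored and that a pattern without the separator tokens parses nothing. The <PRI> value, the message text after %, the regular expressions for each field type, and all function names are assumptions made for the example; applying the pattern to everything after <PRI> is a simplification.

```python
import re

# Constructed packet: header data quoted on this page, invented <PRI> and message text.
SAMPLE = ("<189>Sep 21 04:04:56 cisco-example.stonesoft.com 1815452: "
          "Sep 21 04:04:55 %SYS-5-CONFIG_I: Configured from console")

# Hypothetical regexes for the field types named in the page's pattern.
TIME = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
FIELD_TYPES = {"Cisco time": TIME, "Cisco original time": TIME, "Ignore": r"\S+"}

def split_pri(packet):
    """Return (facility, severity, rest). PRI = facility * 8 + severity (RFC 3164)."""
    m = re.match(r"<(\d{1,3})>", packet)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI>")
    pri = int(m.group(1))
    return pri // 8, pri % 8, packet[m.end():]

def parse_ordered(pattern, text):
    """Match fields and literal tokens strictly in order.

    pattern is a list of ("field", name) or ("token", literal) items.
    Returns (fields, remainder), or None when the text does not fit.
    """
    regex, names = "", []
    for kind, value in pattern:
        if kind == "token":
            regex += re.escape(value)
        elif value == "Ignore":          # matched but never stored
            regex += "(?:" + FIELD_TYPES[value] + ")"
        else:
            regex += "(" + FIELD_TYPES[value] + ")"
            names.append(value)
    m = re.match(regex, text)
    if m is None:
        return None
    return dict(zip(names, m.groups())), text[m.end():]

SP = ("token", " ")
# <Cisco time><space><Ignore><space><Ignore><space><Cisco original time>
HEADER = [("field", "Cisco time"), SP, ("field", "Ignore"), SP,
          ("field", "Ignore"), SP, ("field", "Cisco original time")]
NO_TOKENS = [item for item in HEADER if item is not SP]

if __name__ == "__main__":
    facility, severity, rest = split_pri(SAMPLE)
    print("facility", facility, "severity", severity)
    print(parse_ordered(HEADER, rest))
    print(parse_ordered(NO_TOKENS, rest))  # None: separator tokens are missing
```
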

Logging Profile Properties dialog box

Use this dialog box to define the properties for a Logging Profile.

Option | Definition
--- | ---
Name | The name of the element.
Category | (Optional) Includes the element in predefined categories. Click Select to select a category.
Comment | (Optional) A comment for your own reference.