Converting logs from third-party devices

You can set up most external devices to send logs to the Log Server in syslog format.

The Log Server can convert incoming syslog entries to SMC log entries. You can use predefined Logging Profile elements or create new elements to determine how the field values are selected from a syslog entry and inserted into an SMC log entry. A Logging Profile must have at least one logging pattern. Logging patterns determine how the fields from a syslog entry are parsed into the appropriate log fields of an SMC log entry.

You can create logging patterns in the following ways:
  • Ordered Fields — Use when the fields in the syslog message are not separated by keywords and the type of field can only be deduced from its position. The received syslog entries are parsed in a sequence that you define in the Logging Profile. If the incoming logs vary in structure, you must define a different sequence for each type of structure. You can define several patterns in one Logging Profile.
  • Key-Value Pairs — Use when the syslog message contains keywords that describe the type of field. The received syslog entries are parsed based on key values that you define in the Logging Profile. You can define the key values in any order. A single definition can be used even if logs vary in structure.

It is easier to configure a pattern using key-value pairs. We recommend that you use key-value pairs if a third-party device formats the relevant parts of the syslog packet as key-value pairs. Ordered fields can be used to process all syslog data regardless of its format, but it is more difficult to configure a pattern as ordered fields.

If a match is found, the system converts the matching syslog entry directly to SMC log fields. For more complex operations, you can define Field Resolvers.

You can categorize incoming logs from third-party devices by selecting specific Log Data Tags for them. You can categorize logs based on the log type, or the feature or product that generates the logs. For example, you can associate the “Firewall” Log Data Tag with third-party firewall logs.

You can create categories by dividing the logging patterns in a Logging Profile into sections. Both ordered fields and key-value pairs can be divided into sections. You can select one or several Log Data Tags for each section. The selected Log Data Tags are shown for the matching log entries in the Fields pane of the Logs view if the Log Data Tags column is enabled. In addition to the Log Data Tags you define in the Logging Profile, the default “Third Party” and “Log Data” Log Data Tags are associated with all logs from third-party devices.
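To make the two pattern types and the section tagging concrete, the following added example (not SMC code; field names, the profile layout and the syslog lines are constructed assumptions) models a Logging Profile with one section that holds a key-value pattern and an ordered-fields pattern, and shows why the ordered pattern needs a separate definition per message structure while the key-value pattern tolerates extra or reordered keys.

```python
import re

# Constructed sample syslog message bodies from a hypothetical third-party firewall.
KV_LOG = "dport=22 action=deny src=10.0.0.5 dst=198.51.100.7 proto=tcp rule=17"
ORDERED_LOG = "deny 10.0.0.5 198.51.100.7 tcp 22"

# Default tags that the Log Server attaches to every third-party log entry.
DEFAULT_TAGS = {"Third Party", "Log Data"}

# Hypothetical Logging Profile: sections carry Log Data Tags and one or more patterns.
# A key-value pattern maps syslog keywords to SMC field names (order irrelevant).
# An ordered pattern lists SMC field names in the exact order the tokens appear.
PROFILE = {"sections": [{
    "tags": {"Firewall"},
    "patterns": [
        {"type": "key_value", "map": {"action": "Action", "src": "Src Addr",
                                      "dst": "Dst Addr", "proto": "Protocol",
                                      "dport": "Dst Port"}},
        {"type": "ordered", "fields": ["Action", "Src Addr", "Dst Addr",
                                       "Protocol", "Dst Port"]},
    ]}]}


def parse_key_value(message, mapping):
    """Pick out key=value tokens; keys absent from the pattern are ignored."""
    pairs = dict(re.findall(r"(\w+)=(\S+)", message))
    fields = {mapping[k]: v for k, v in pairs.items() if k in mapping}
    return fields or None  # no known key matched: this pattern does not apply


def parse_ordered(message, names):
    """Assign whitespace-separated tokens by position; structure must match exactly."""
    tokens = message.split()
    if len(tokens) != len(names):
        return None  # a differently shaped message needs its own ordered pattern
    return dict(zip(names, tokens))


def convert(message, profile):
    """Return the SMC fields and Log Data Tags for the first matching pattern."""
    for section in profile["sections"]:
        for pattern in section["patterns"]:
            if pattern["type"] == "key_value":
                fields = parse_key_value(message, pattern["map"])
            else:
                fields = parse_ordered(message, pattern["fields"])
            if fields:
                return {"fields": fields, "tags": section["tags"] | DEFAULT_TAGS}
    return None  # unmatched entries would need an additional pattern
```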

You can also use Log Data Tags as filtering criteria in the Logs view, in Reports, and in Local Filters for various elements, including Administrator, Log Server, and Management Server elements and Correlation Situations.