Define logging patterns as ordered fields in Logging Profile elements

The pattern that you define in a Logging Profile must be an exact match for the incoming syslog entry. If incoming logs vary in structure, you must define a different pattern for each type of entry.

If several patterns match, the system uses the pattern with the most matching entries.

Each received syslog entry is converted to an SMC log entry. The field values that match a specified pattern are copied without further processing to an SMC log field. Also, you can create Field Resolvers to convert specific values in the syslog data to specific values in SMC logs.

You can use sections in the Logging Profile to organize the logging patterns. To create categories, you can associate one or several Log Data Tags with each section. The Log Data Tags improve the way log entries can be viewed and stored. However, they do not affect the way third-party log entries are converted into SMC log entries. If you do not select specific Log Data Tags for a section, only the default “Third Party” and “Log Data” Log Data Tags are shown for the matching log entries.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the Logging Profile, select Ordered Fields as the Pattern.


  2. (Optional) In the header row of the Patterns section, click the Select Log Data Tags link.
    Select the Log Data Tags according to the type of traffic that matches the ordered fields in the section, then click Add. The selected Log Data Tags are added to the Content list.
    Note: Log Data Tags make the converted third-party log data records visible in the appropriate log data contexts. They also generate log data storage indexes, which speed up the filtering by data tags.
  3. To insert the field values, drag and drop items from the Fields branch in the left pane to the empty space in the Patterns section. Or use type-ahead search.
    Alternatively, you can define a Field Resolver, then add it to the pattern instead of a log field. To omit a portion of data, add an Ignore field.
    Important: Type or copy and paste from the syslog message any tokens that appear before and after the field values. If you do not insert the appropriate tokens, the data is not parsed.
  4. (Optional) If some incoming log entries have a different structure, press Enter to add more rows to the Patterns section.
  5. (Optional) To create another section in the same Logging Profile, click Add Section, then configure the new section.
  6. In the Unmatched Log Event section, select the action for handling syslog data that does not match any defined logging patterns:
    • Store in 'Syslog message' field — A log entry is created and all data is inserted into the Syslog Message log field. The log entry is stored on the Log Server.
    • Display in 'Syslog message' field (Current mode only) — A log entry is created and all data is inserted into the Syslog Message log field. The log entry is displayed in the Current Events mode in the Logs view, but it is not stored.
    • Ignore — The data is discarded.

Select Log Data Tags dialog box

Use this dialog box to select Log Data Tags to use in a Logging Profile.

Option Definition
Log Data Tags Contains the Log Data Tags that you can add to the Content list.
Filter Allows you to filter the elements shown.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
New Opens the associated dialog box to create an element.
Tools Select Show Deleted Elements to show elements that have been moved to the Trash.
Content Contains the selected Log Data Tags. Click Add to add an element to the list, or Remove to remove the selected element.
Select Retains your selections and closes the window.