Originator IDs

Default Rule

The default rule makes Syslog Watcher use the sender's IP address as the originator ID.

A message sender is an entity from which the server received the message and, in case of passing through relays/proxies, is not the same as the message originator.

Complex Rules

Complex rules are required to determine Originator IDs for the messages correctly passed through syslog proxies/relays and syslog messages from originators with dynamic IP addresses.

Add Complex Rules

1. Click Add Address Range Rule

2. Set the range of IP addresses. It is usually:

   • A single IP address for messages after a proxy/relay;
   • A range that covers all possible dynamic IP addresses.

3. Set the method to extract an originator ID from a message body. It can be:

   • a built-in algorithm;
   • a regular expression: enclose ID text in parentheses for extraction.

4. Specify the behavior for various possible cases.

Regular Expression Examples

Here are examples that allow Syslog Watcher to extract originator IDS from messages.

Example

Message: contains IP=192.168.1.1 that identifies the originator
Regular expression: IP=(\S+)

Example

Message: contains [ORIGINATOR_NAME] in square brackets
Regular expression: \[(.*)\]

Example

Message: the IDENTIFIER is the second word of the message
Regular expression: ^\S+ (\S+)

Delete Rules

To delete a complex rule:

1. Select the rule by clicking its title area;

2. Click Delete.