Originator IDs¶
Default Rule¶
The default rule makes Syslog Watcher use the sender's IP address as the originator ID.
The message sender is the entity from which the server received the message. When a message passes through relays or proxies, the sender is the last relay or proxy, not the message originator, so the default rule would assign every relayed message the relay's address as its originator ID.
Complex Rules¶
Complex rules are required to correctly determine originator IDs for messages that passed through syslog proxies/relays and for syslog messages from originators with dynamic IP addresses.
Add Complex Rules¶
- Click Add Address Range Rule.
- Set the range of IP addresses. It is usually:
  - a single IP address for messages received from a proxy/relay;
  - a range that covers all possible dynamic IP addresses.
- Set the method to extract an originator ID from the message body. It can be:
  - a built-in algorithm;
  - a regular expression: enclose the ID text in parentheses (a capture group) for extraction.
- Specify the behavior for the various possible cases.
Regular Expression Examples¶
Here are examples that allow Syslog Watcher to extract originator IDs from messages.
Example: the message contains IP=192.168.1.1, which identifies the originator.
Regular expression: IP=(\S+)
Example: the message contains [ORIGINATOR_NAME] in square brackets.
Regular expression: \[(.*)\]
Note that .* is greedy: if the message contains more than one bracketed field, this pattern captures everything from the first [ to the last ]. Use \[([^\]]*)\] to capture only the first bracketed field.
Example: the IDENTIFIER is the second word of the message.
Regular expression: ^\S+ (\S+)
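The rule evaluation described above (address range rules with regex extraction, falling back to the default sender-IP rule) and the three regular expression examples, as an added Python illustration. This is not Syslog Watcher's code: the rule order ("first matching range wins"), the fallback options "sender_ip" and "discard", and all addresses, patterns and messages are assumptions constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# NOTE: illustrative model of the rule logic, not Syslog Watcher's implementation.
# Rule order ("first matching range wins") and the fallback values
# "sender_ip" / "discard" are assumptions made for this example.


def regex_extractor(pattern: str) -> Callable[[str], Optional[str]]:
    """Return a function that extracts the first capture group of `pattern`
    from a message body, or None if the pattern does not match."""
    compiled = re.compile(pattern)

    def extract(message: str) -> Optional[str]:
        match = compiled.search(message)
        if match is None or match.lastindex is None:
            return None
        return match.group(1)

    return extract


@dataclass
class AddressRangeRule:
    """One complex rule: the sender-address range it applies to, the ID
    extraction method, and what to do when extraction fails (assumed options)."""
    network: ipaddress.IPv4Network
    extract: Callable[[str], Optional[str]]
    on_no_match: str = "sender_ip"   # assumed: "sender_ip" or "discard"


def resolve_originator_id(sender_ip: str, message: str,
                          rules: List[AddressRangeRule]) -> Optional[str]:
    """Apply the first rule whose range contains the sender's IP; if none
    applies, fall back to the default rule (sender IP = originator ID).
    Returns None when the matching rule says to discard the message."""
    addr = ipaddress.ip_address(sender_ip)
    for rule in rules:
        if addr in rule.network:
            originator = rule.extract(message)
            if originator is not None:
                return originator
            return sender_ip if rule.on_no_match == "sender_ip" else None
    return sender_ip


def bracket_capture(message: str) -> tuple:
    """Show why the greedy bracket pattern can over-capture: returns
    (greedy result, non-greedy result) for the same message."""
    greedy = regex_extractor(r"\[(.*)\]")(message)
    strict = regex_extractor(r"\[([^\]]*)\]")(message)
    return greedy, strict


# Constructed rules: addresses and patterns are made up for this example.
RULES = [
    # Everything from the relay at 10.0.0.5 carries "IP=<originator>" in the body.
    AddressRangeRule(ipaddress.ip_network("10.0.0.5/32"),
                     regex_extractor(r"IP=(\S+)")),
    # DHCP pool: hostname in square brackets; drop messages without one.
    AddressRangeRule(ipaddress.ip_network("192.168.50.0/24"),
                     regex_extractor(r"\[([^\]]*)\]"), on_no_match="discard"),
    # Devices that put their name as the second word of the message.
    AddressRangeRule(ipaddress.ip_network("172.16.0.0/16"),
                     regex_extractor(r"^\S+ (\S+)")),
]

# Constructed sample messages (not real captures).
SAMPLES = [
    ("10.0.0.5", "kernel: IP=192.168.1.1 DROP src=203.0.113.7"),
    ("192.168.50.77", "[host-a] link up on [eth0]"),
    ("192.168.50.78", "no identifier present"),
    ("172.16.3.9", "2024-01-01T00:00:00Z SW-CORE-01 port 3 down"),
    ("203.0.113.9", "not covered by any range rule"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{sender:15} -> {resolve_originator_id(sender, body, RULES)}")
    print("greedy vs strict bracket capture:",
          bracket_capture("[host-a] link up on [eth0]"))
```

Two points worth keeping in mind when writing real rules. First, an ID taken from the message body is text supplied by whoever sent the message, so any host whose address falls inside a rule's range can claim another device's ID; keep ranges as narrow as the deployment allows (a single address for a relay) rather than a broad catch-all. Second, anchor and bound the capture group (as in `^\S+ (\S+)` or `\[([^\]]*)\]`) so that unexpected message content cannot shift or widen what is extracted.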
Delete Rules¶
To delete a complex rule:
- Select the rule by clicking its title area;
- Click Delete.