Originator IDs

Default Rule

The default rule makes Syslog Watcher use the sender's IP address as the originator ID.

Default Rule for Originator ID

A message sender is the entity from which the server received the message; when a message passes through relays or proxies, the sender is not the same as the message originator.

Complex Rules

Complex rules are required to determine originator IDs correctly for messages that passed through syslog proxies/relays, and for messages from originators with dynamic IP addresses.

Add Complex Rules

  1. Click Add Address Range Rule

  2. Set the range of IP addresses. It is usually:

    • A single IP address for messages after a proxy/relay;
    • A range that covers all possible dynamic IP addresses.
  3. Set the method to extract an originator ID from a message body. It can be:

    • a built-in algorithm;
    • a regular expression: enclose the part of the pattern that matches the ID in parentheses (a capturing group) so it can be extracted.
  4. Specify the behavior for various possible cases.

Server Configuration - Additional Address Range Rule

Regular Expression Examples

Here are examples that allow Syslog Watcher to extract originator IDs from messages.

Example

Message: contains IP=192.168.1.1 that identifies the originator
Regular expression: IP=(\S+)

Example

Message: contains [ORIGINATOR_NAME] in square brackets
Regular expression: \[(.*)\]

Example

Message: the IDENTIFIER is the second word of the message
Regular expression: ^\S+ (\S+)
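The following is an added illustration, not Syslog Watcher code: it models address-range rules with the three example patterns above and shows how the originator ID is resolved for a received message. The IP ranges, sample messages and the fall-back to the sender IP when a regex does not match are assumptions; it also shows why the greedy `\[(.*)\]` can over-capture when a message contains more than one bracketed field, and the bounded form `\[([^\]]*)\]` that stops at the first closing bracket.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class AddressRangeRule:
    """A complex rule: applies to senders inside `network` and extracts the
    originator ID with the first capturing group of `pattern`."""
    network: ipaddress.IPv4Network
    pattern: re.Pattern


def resolve_originator(sender_ip: str, message: str,
                       rules: list[AddressRangeRule]) -> str:
    """Return the originator ID for one received message.

    The first rule whose range covers the sender wins. If its regex does not
    match, this example falls back to the default rule (the sender IP); in the
    product that behaviour is whatever step 4 of the rule configures.
    """
    sender = ipaddress.ip_address(sender_ip)
    for rule in rules:
        if sender in rule.network:
            m = rule.pattern.search(message)
            return m.group(1) if m and m.group(1) else sender_ip
    return sender_ip  # no complex rule applies: default rule


# Constructed rules; the IP ranges are hypothetical.
RULES = [
    # Single address: a relay at 10.0.0.5 forwards messages carrying IP=...
    AddressRangeRule(ipaddress.ip_network("10.0.0.5/32"),
                     re.compile(r"IP=(\S+)")),
    # DHCP pool whose hosts put their name in square brackets; [^\]]* is used
    # instead of the greedy .* so the group stops at the first closing bracket.
    AddressRangeRule(ipaddress.ip_network("192.168.100.0/24"),
                     re.compile(r"\[([^\]]*)\]")),
    # Another pool whose originator ID is the second word of the message.
    AddressRangeRule(ipaddress.ip_network("172.16.0.0/16"),
                     re.compile(r"^\S+ (\S+)")),
]


def greedy_vs_bounded(message: str) -> tuple[str, str]:
    """Compare the page's greedy bracket pattern with the bounded form."""
    greedy = re.search(r"\[(.*)\]", message).group(1)
    bounded = re.search(r"\[([^\]]*)\]", message).group(1)
    return greedy, bounded


if __name__ == "__main__":  # constructed sample messages
    print(resolve_originator("10.0.0.5", "relay IP=192.168.1.1 link up", RULES))
    print(resolve_originator("192.168.100.23", "[SWITCH-07] port 3 down", RULES))
    print(greedy_vs_bounded("[SWITCH-07] sshd[1234]: session opened"))
```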

Delete Rules

To delete a complex rule:

  1. Select the rule by clicking its title area;

  2. Click Delete.