Originator IDs

Default Rule

The default rule makes Syslog Watcher use the sender’s IP address as the originator ID.

Default Rule for Originator ID

The message sender is the entity from which the server received the message; when the message passed through relays or proxies, the sender is not the same as the message originator.

Complex Rules

Complex rules are required to correctly determine originator IDs for messages that passed through syslog proxies or relays, and for syslog messages from originators with dynamic IP addresses.

Add Complex Rules

  1. Click Add Address Range Rule.

  2. Set the range of IP addresses. It is usually:

    • A single IP address for messages after a proxy/relay;

    • A range that covers all possible dynamic IP addresses.

  3. Set the method to extract an originator ID from a message body. It can be:

    • a built-in algorithm;

    • a regular expression: enclose the part of the pattern that matches the ID in parentheses (a capture group) so that it is extracted.

  4. Specify the behavior for various possible cases.

Server Configuration - Additional Address Range Rule

Regular Expression Examples

Here are examples that allow Syslog Watcher to extract originator IDs from messages.

Message: contains IP=192.168.1.1 that identifies the originator
Regular expression: IP=(\S+)

Message: contains [ORIGINATOR_NAME] in square brackets
Regular expression: \[(.*)\]

Message: the IDENTIFIER is the second word of the message
Regular expression: ^\S+ (\S+)
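The following Python script is an added example, not part of Syslog Watcher, that models how a default rule and address range rules resolve an originator ID from a sender IP and a message body using the three regular expressions above. The rule model, the fallback-to-sender behaviour, and the sample addresses and messages are assumptions constructed for the example; it also shows why the greedy `\[(.*)\]` pattern needs care when a message contains more than one bracketed field.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class RangeRule:
    """Assumed model of an address range rule: senders within [first, last]
    get their originator ID extracted from the message body with `pattern`."""
    first: str
    last: str
    pattern: str  # must contain one capture group, as the page requires

    def covers(self, sender: str) -> bool:
        ip = ipaddress.ip_address(sender)
        return ipaddress.ip_address(self.first) <= ip <= ipaddress.ip_address(self.last)


def originator_id(sender: str, message: str, rules: list) -> str:
    """Return the originator ID for one received message.

    Default rule: the sender's IP address.  Complex rules, checked in order,
    override it for senders in their range by extracting the ID from the body
    with the capture group.  If the regex does not match (one of the
    'possible cases' a rule must handle), we fall back to the sender IP,
    which is an assumed behaviour for this example."""
    for rule in rules:
        if rule.covers(sender):
            m = re.search(rule.pattern, message)
            if m and m.group(1):
                return m.group(1)
            return sender  # assumed fallback when nothing could be extracted
    return sender


# Constructed rules using the page's three regular expressions.
RULES = [
    RangeRule("10.0.0.5", "10.0.0.5", r"IP=(\S+)"),                   # single relay address
    RangeRule("192.168.100.1", "192.168.100.254", r"\[(.*)\]"),       # dynamic address pool
    RangeRule("172.16.0.1", "172.16.0.254", r"^\S+ (\S+)"),           # ID is the second word
]


def demo() -> dict:
    """Resolve a few constructed messages; keys name the case exercised."""
    return {
        "relay":   originator_id("10.0.0.5", "fw: IP=192.168.1.1 drop tcp", RULES),
        "dynamic": originator_id("192.168.100.37", "[ORIGINATOR_NAME] link up", RULES),
        "second":  originator_id("172.16.0.9", "kernel IDENTIFIER oops", RULES),
        "default": originator_id("203.0.113.8", "IP=1.2.3.4", RULES),   # no rule covers sender
        "nomatch": originator_id("10.0.0.5", "no address field here", RULES),
        # greedy .* swallows everything up to the LAST ']' in the message
        "greedy":  originator_id("192.168.100.37", "[host1] [ERR] x", RULES),
    }
```

Because the ID is taken from message text, keeping each relay rule to a single relay address (as the page recommends) limits which senders can supply an ID this way; the greedy case shows that `\[(.*?)\]` or a more specific pattern is safer when bodies carry several bracketed fields.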

Delete Rules

To delete a complex rule:

  1. Select the rule by clicking its title area.

  2. Click Delete.