Context (Fields)
A message context is a set of data fields extracted from a message. These fields can later be used in filter rules and in text formatting: exports, forwards, or alerts.
Use Case Example
Let's say the network equipment sends a message each time a command is executed in the configuration console, for example:
%ASA-7-111009: User 'enable_15' executed cmd: show logging mess 106100
We need to extract two new data fields: {USER}, which equals the username, and {CMD}, which holds the executed command.
Field Extractor
This feature has been available since Syslog Watcher 6.0. A single regular expression extracts multiple data fields; the expression contains one or more named groups, written in regular expression syntax as (?<FIELD_NAME>...).
Here is an example of how to implement the use case using Field Extractor:
The Field Extractor has two shortcomings:
- Syslog Watcher executes the Field Extractor every time it parses a message, regardless of whether the fields are used or not.
- There is no way to analyze only a part of a message, so long syslog messages significantly reduce parsing performance.
If you need to extract many fields from every message, the Field Extractor will nevertheless be more efficient than Fields.
Fields
The Fields feature appeared in Syslog Watcher 6.5. We designed it to solve the shortcomings of the Field Extractor.
Below is an example of how to achieve the same results using Fields and regular expression modifiers:
The example above parses one extra field ({ID}) for message identification. Also, note the length limiter (|32|), which increases performance by trimming the {MESSAGE} field to 32 bytes before it is analyzed.
Here is an example of how you can use these fields in an email alert:
The fields {USER} and {CMD} are only processed if the message has the required ID.
Compared with the Field Extractor, Fields has two advantages:
- Lazy processing: Syslog Watcher extracts only the fields that you actually use.
- You can limit the length of the analyzed message part.
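To make the difference between the two approaches concrete, here is an added Python model of both the Field Extractor (one eager expression with several named groups, run on the whole message every time) and the Fields behaviour described above (per-field expressions, evaluated lazily, a length limit on the analyzed part, and {USER}/{CMD} gated on the message {ID}). It is example code written for this page, not Syslog Watcher's own implementation, and the Fields configuration syntax is not reproduced; the class and function names, the required-ID constant, the "evaluations" counter and the second sample message are all constructed for illustration. Note that Syslog Watcher spells a named group (?<NAME>...), while Python's re module needs (?P<NAME>...).

```python
import re

# Constructed sample messages: the page's use-case line and a second line with a
# different message ID that should not trigger USER/CMD parsing.
SAMPLE = "%ASA-7-111009: User 'enable_15' executed cmd: show logging mess 106100"
OTHER = "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/443"

# Only messages carrying this ID are parsed for {USER} and {CMD} (assumed value, taken
# from the page's example line).
REQUIRED_ID = "ASA-7-111009"

# Field Extractor model: a single expression with several named groups. Syslog Watcher
# writes the groups as (?<NAME>...); Python's re needs (?P<NAME>...).
FIELD_EXTRACTOR = re.compile(
    r"^%(?P<ID>[A-Z]+-\d-\d+): User '(?P<USER>[^']+)' executed cmd: (?P<CMD>.+)$"
)


def field_extractor(message):
    """Eager model: the whole expression runs over the whole message on every call."""
    m = FIELD_EXTRACTOR.search(message)
    return m.groupdict() if m else {}


# Fields model: one expression per field.
#   limit - how many leading bytes of {MESSAGE} the expression may see (the |32| limiter)
#   gated - only evaluated when {ID} equals REQUIRED_ID
FIELD_SPECS = {
    "ID":   (re.compile(r"^%(?P<ID>[A-Z]+-\d-\d+):"), 32, False),
    "USER": (re.compile(r"User '(?P<USER>[^']+)'"), None, True),
    "CMD":  (re.compile(r"executed cmd: (?P<CMD>.+)$"), None, True),
}


class LazyFields:
    """Resolve fields on demand, caching results and counting regex evaluations."""

    def __init__(self, message):
        self.message = message
        self._cache = {}
        self.evaluations = 0  # regex runs actually performed (illustrative counter)

    def get(self, name):
        if name in self._cache:
            return self._cache[name]
        regex, limit, gated = FIELD_SPECS[name]
        value = None
        # Gated fields first resolve {ID}; if it does not match, no further work is done.
        if not gated or self.get("ID") == REQUIRED_ID:
            text = self.message
            if limit is not None:
                # Analyze only the first `limit` bytes, like the |32| length limiter.
                text = text.encode("utf-8")[:limit].decode("utf-8", "ignore")
            self.evaluations += 1
            m = regex.search(text)
            if m:
                value = m.group(name)
        self._cache[name] = value
        return value


def render_alert(message, template="User {USER} ran '{CMD}' on the firewall ({ID})"):
    """Fill an alert template, resolving only the fields the template references.

    Returns (rendered_text_or_None, number_of_regex_evaluations).
    """
    fields = LazyFields(message)
    names = re.findall(r"\{([A-Z]+)\}", template)
    values = {n: fields.get(n) for n in names}
    if any(v is None for v in values.values()):
        return None, fields.evaluations
    return template.format(**values), fields.evaluations


if __name__ == "__main__":
    print(field_extractor(SAMPLE))
    print(render_alert(SAMPLE))  # all three fields resolved, 3 evaluations
    print(render_alert(OTHER))   # ID mismatch: 1 evaluation, USER/CMD never parsed
```

Running the block shows the point of the Fields design: for the matching message, three regex evaluations produce the alert text; for any message with another ID, a single 32-byte check is all that happens, and the USER and CMD expressions are never run over the full message.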