Version: User Guide 6.5

Context (Fields)

A message context is a set of data fields extracted from a message. These fields can later be used in filter rules and in text formatting for exports, forwards, and alerts.

[Screenshot: Message context example]

Use Case Example

Let's say the network equipment sends messages each time a command is executed in the configuration console, for example:
%ASA-7-111009: User 'enable_15' executed cmd: show logging mess 106100

We need to extract two new data fields: {USER} for the username and {CMD} for the executed command.

Field Extractor

This feature has been available since Syslog Watcher 6.0. A single regular expression extracts multiple data fields: each field corresponds to one named group in the expression, written in the regular expression syntax (?<FIELD_NAME>...).

Here is an example of how to implement the use case using Field Extractor:

[Screenshot: Usage Example - Field Extractor]

Disadvantages of Field Extractor
  • Syslog Watcher executes the Field Extractor every time it parses a message, whether or not the extracted fields are used.
  • The expression always runs against the whole message; there is no way to analyze only a part of it, so long syslog messages significantly reduce parsing performance.
Advantages of Field Extractor

If you need to extract many fields from every message, the Field Extractor is more efficient than Fields, because it does all the work in a single regular expression.

Fields

The Fields feature appeared in Syslog Watcher 6.5. We designed it to solve the shortcomings of the Field Extractor.

Below is an example of how to achieve the same results using Fields and regular expression modifiers:

[Screenshot: Usage Example - Fields Configuration]

The example above also parses one extra field ({ID}) that identifies the message type. Note the length limiter (|32|): it improves performance by restricting the analysis to the first 32 bytes of the {MESSAGE} field.

Here is an example of how you can use these fields in an email alert:

[Screenshot: Using Fields in Email Alerts]

The {USER} and {CMD} fields are only extracted when the message carries the required {ID}.

Advantages of Fields
  • Lazy processing: Syslog Watcher extracts only the fields that you actually use.
  • You can limit the length of the analyzed part of a message.
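The following JavaScript is an added example, not Syslog Watcher's own code, that models the two approaches described on this page side by side: the Field Extractor (one regular expression with several named groups, run against the whole message every time) and Fields (one expression per field, extracted lazily, gated on the {ID} field and with a length limit on the analyzed part of the message). The field configuration object, the `requireId` gate, the `limit` option and the placeholder syntax `{NAME}` are this example's own conventions, not Syslog Watcher's configuration syntax; the first sample message is the ASA line quoted above, the second is a constructed, unrelated ASA message used to show the gating.

```javascript
// Added example: eager "Field Extractor" model vs. lazy "Fields" model.
// Not Syslog Watcher code; the config shape below is this example's own.

// Constructed sample messages. The first is the line quoted on the page;
// the second is a made-up ASA message with a different message ID.
const SAMPLES = [
  "%ASA-7-111009: User 'enable_15' executed cmd: show logging mess 106100",
  "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 to inside:10.0.0.7/51234",
];

// Field Extractor model: a single regex with named groups (?<NAME>...),
// executed on every message, over the full message text.
const EXTRACTOR_RE = /User '(?<USER>[^']+)' executed cmd: (?<CMD>.*)$/;

function fieldExtractor(message) {
  const m = EXTRACTOR_RE.exec(message);
  // Returns {USER, CMD} when the message matches, otherwise an empty context.
  return m ? { ...m.groups } : {};
}

// Fields model (hypothetical config shape): one regex per field.
//   limit     - analyze only the first N characters of the message
//               (stands in for the page's |32| limiter; the real product
//               counts bytes, this example counts UTF-16 code units)
//   requireId - extract this field only if the {ID} field has this value
const FIELDS = {
  ID:   { re: /^%ASA-\d-(?<ID>\d+):/, limit: 32 },
  USER: { re: /User '(?<USER>[^']+)'/, requireId: "111009" },
  CMD:  { re: /executed cmd: (?<CMD>.*)$/, requireId: "111009" },
};

// Builds a lazy context: a field's regex runs only when get(name) is first
// called, and the result is cached. stats.regexRuns counts executions.
function makeContext(message, fields = FIELDS) {
  const cache = new Map();
  const stats = { regexRuns: 0 };

  function get(name) {
    if (cache.has(name)) return cache.get(name);
    const spec = fields[name];
    if (!spec) return "";                       // unknown placeholder
    // ID gate: do not even run the regex when the message ID differs.
    if (spec.requireId !== undefined && get("ID") !== spec.requireId) {
      cache.set(name, "");
      return "";
    }
    const subject = spec.limit ? message.slice(0, spec.limit) : message;
    stats.regexRuns += 1;
    const m = spec.re.exec(subject);
    const value = m && m.groups && m.groups[name] !== undefined ? m.groups[name] : "";
    cache.set(name, value);
    return value;
  }
  return { get, stats };
}

// Expands {NAME} placeholders the way an alert or export template would;
// only the referenced fields are extracted.
function render(template, ctx) {
  return template.replace(/\{([A-Z_]+)\}/g, (_, name) => ctx.get(name));
}

// Stand-alone run: show both models on both sample messages.
for (const msg of SAMPLES) {
  console.log("extractor:", fieldExtractor(msg));
  const ctx = makeContext(msg);
  console.log("fields   :", JSON.stringify(render("{USER} ran: {CMD}", ctx)),
              "regex runs:", ctx.stats.regexRuns);
}
```

On the first message both models yield USER=enable_15 and CMD=show logging mess 106100, but the lazy context runs three regexes only because the template references both fields. On the second message the ID gate fails after a single 32-character regex, so the USER and CMD expressions never touch the long connection record. Besides throughput, bounding the analyzed length is a useful safety property when log content is attacker-influenced: an adversary who can inject long, regex-hostile text into a device's messages gets far less leverage against the parser's regular expressions. Remember that the extracted values themselves still come from untrusted log text and should be treated as such when rendered into alerts.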