How to write a syslog parser in Metron's Storm?

Explorer

I am using Metron 0.4.1

I want to write a syslog parser but I don't know how to do it.

Thanks for helping me.

2 replies

Re: How to write a syslog parser in Metron's Storm?

Contributor

@mojgan ghasemi

  • You could start by defining it via Grok using the GrokParser. SYSLOG_HEADER + MESSAGE, where the SYSLOG_HEADER could look like:
<%{POSINT:syslog_priority}>%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} 
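To make the header above concrete, here is an added example that is not part of the original thread and not Metron's own GrokParser code: a small Python re-creation of what a Grok parser does with that SYSLOG_HEADER. The pattern table is a hand-trimmed approximation of the standard grok definitions (assumption), `grok_to_regex`, `build_parser` and `parse_syslog` are names chosen here, and the sample lines are constructed. Besides extracting the fields, it decodes the PRI value into facility and severity and rejects lines that do not match or whose PRI is outside the 0..191 range.

```python
import re

# Trimmed, hand-copied subset of the standard grok pattern library.
# Assumption (not Metron's own pattern files): these are close enough to the
# Logstash/Metron definitions to exercise the SYSLOG_HEADER from the reply.
GROK_PATTERNS = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",        # note: does not match 0
    "NONNEGINT": r"\b(?:[0-9]+)\b",          # matches 0 as well
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?"
             r"|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "IPV4": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.]){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "GREEDYDATA": r".*",
}

# Matches a %{NAME} or %{NAME:field} reference inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Severity values 0..7 as named in RFC 3164 / RFC 5424.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The header suggested in the reply, followed by the free-form message part.
SYSLOG_HEADER = "<%{POSINT:syslog_priority}>%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} "
SYSLOG_PATTERN = SYSLOG_HEADER + "%{GREEDYDATA:message}"


def grok_to_regex(pattern, definitions=GROK_PATTERNS):
    """Expand %{NAME:field} references recursively into a Python regex.

    %{NAME:field} becomes a named capture group, %{NAME} a non-capturing one.
    """
    def expand(match):
        name, field = match.group(1), match.group(2)
        if name not in definitions:
            raise ValueError(f"unknown grok pattern %{{{name}}}")
        inner = grok_to_regex(definitions[name], definitions)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(expand, pattern)


def build_parser(grok_pattern=SYSLOG_PATTERN):
    """Compile a grok pattern once and return a function that parses one line.

    The returned parser yields a dict of fields, or None when the line does
    not match or carries a PRI outside the 0..191 range that RFC 3164 allows.
    """
    regex = re.compile(grok_to_regex(grok_pattern))

    def parse(line):
        match = regex.match(line)
        if match is None:
            return None
        fields = match.groupdict()
        pri = int(fields["syslog_priority"])
        if pri > 191:
            return None
        fields["syslog_priority"] = pri
        fields["syslog_facility"] = pri // 8      # PRI = facility * 8 + severity
        fields["syslog_severity"] = pri % 8
        fields["syslog_severity_name"] = SEVERITY_NAMES[pri % 8]
        return fields

    return parse


parse_syslog = build_parser()

if __name__ == "__main__":
    # Constructed sample lines; the first two follow the RFC 3164 examples.
    for line in [
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
        "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!",
        "Oct 11 22:14:15 mymachine no PRI on this one",
    ]:
        print(parse_syslog(line))
```

One caveat worth knowing before copying the header into a Metron config: POSINT only matches integers starting at 1, so a message with PRI `<0>` (facility kern, severity emerg) will not match and will be dropped or sent to the error topic; NONNEGINT accepts 0 and is the safer choice for the priority field. The parser also refuses PRI values above 191, since such a line is either malformed or not syslog at all, and silently passing it on would feed garbage facility/severity numbers into downstream enrichment and alerting.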

Re: How to write a syslog parser in Metron's Storm?

Contributor

https://github.com/apache/metron/pull/1175

Supports RFC 5424 messages only