How to Extract Fields during Log Import in EventLog Analyzer

Objective

Log import lets you bring in logs from custom applications or from log sources that are not among the predefined supported ones. This article describes the steps to extract fields during log import in EventLog Analyzer. It walks you through defining and extracting specific fields from log files so that the log data is parsed correctly and can be used for analysis or for building custom reports and alerts.

Prerequisites

  • Access to the EventLog Analyzer user interface as an Administrator, or with a custom role that allows importing log files and creating parser rules.
  • Log files from the source systems (e.g., servers, applications) that need to be imported.
  • Knowledge of the log source path, file type, event type and the values in the logs, so that you can create the parser rule.

Steps to follow

  1. Log in to EventLog Analyzer.
  2. Navigate to Settings >> Log source configuration >> Import Log.
  3. Choose the method by which you want to import the file (Local/Remote/S3 bucket) and select the file. Refer to the Related articles for additional help.
  4. Set the required Log format (a predefined format or a custom format you created earlier), or create a new log format in the drop-down box, for which the log has to be imported. Refer to How to create Log format during import for the steps.
NOTE: The extracted fields or parser rule will be mapped to the log format you have selected. If you choose Automatically Identify, the application will attempt to match the imported file with an existing format and determine the appropriate log format for you. If no match is found, a new custom log format will be created, named <FILENAME>_custom.
  5. Place the cursor on the file name and choose the View logs/Extract fields option.
  6. The Log Type value in the top right corner, or in the fields, shows which log format is applied to the selected file. Place your cursor on any event and choose Create Additional Fields to start extraction.
In the image above, EventLog Analyzer did not identify the log format and therefore created a custom format named <FILENAME>_custom.
  7. There are three methods by which custom fields can be specified:
    1. Regex method
    2. Delimiter method
    3. JSON method

Regex Method

  1. Provide a rule name.
  2. Select and click the word(s) in the message that are to be extracted as a field.
  3. You can use the Auto Identify option to identify the fields automatically.
  4. Provide a name for this field. Optionally, specify a prefix and suffix for the field value. Refer to How to add Prefix and Suffix to know more.
  5. Click Create Pattern to generate a parser rule pattern.
  6. A parser rule pattern is created from the field definition. You can edit the generated pattern manually if you are familiar with regular expressions.
  7. The Validate link tests the generated pattern against the previous search results. You can manually check the suitability of the pattern by analyzing the 'Matched Log Messages' and 'Unmatched Log Messages' displayed.
  8. Click Choose another pattern to choose a pattern from the list of patterns generated by the application.
  9. You can define any existing field matching criteria so that the pattern is applied only to this specific log type.
  10. Save the pattern to extract the field(s) from the upcoming logs.

Delimiter Method

  1. Provide a rule name.
  2. Use the Delimiter option to extract fields using delimiters such as Space, Comma, Tab, or Pipe. You can also use the text box in the drop-down to enter a Custom Delimiter on which the field values are split.
  3. Click Save rule to save the created rule and have it applied to upcoming logs.

JSON Method

  • For JSON format logs, users can extract fields by specifying the JSON path that targets the required field in the log. Each field is defined by assigning a field name and mapping it to its corresponding JSON path. Note that the JSON path must accurately reference the key or nested structure within the JSON log.
  • JSON field extraction can be configured only for the File Import custom log format. Users can create JSON extraction rules in the following two ways:
    • With a Sample Log:
      • Provide a valid JSON log.
      • Select the required fields from the JSON tree.
      • Assign field names to the corresponding JSON paths.
    • Without a Sample Log:
      • Manually specify the JSON path to target specific fields.
      • Ensure the JSON path matches the log structure.
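The following Python script is an added example, not part of this article or of EventLog Analyzer, showing what a set of JSON-path rules does to one log line: each field name is mapped to a path, nested keys and a list index are resolved, and a path that does not exist in the log (session.id here) simply yields no field rather than breaking the extraction. The log line, the rule names and the path syntax (dotted keys with [n] list indexes) are constructed for the example.

```python
import json

# Constructed sample JSON log (not from the article), with nested objects and a list.
SAMPLE_JSON_LOG = json.dumps({
    "timestamp": "2024-01-15T10:22:31Z",
    "event": {"type": "auth", "outcome": "failure"},
    "source": {"ip": "10.1.2.3", "port": 51433},
    "user": {"name": "svc_backup", "groups": ["backup-ops", "readers"]},
})

# Field name -> JSON path, written the way a "without a sample log" rule would be.
JSON_RULES = {
    "event_type": "event.type",
    "source_ip": "source.ip",
    "user_name": "user.name",
    "primary_group": "user.groups[0]",
    "session_id": "session.id",  # absent from this log: must not break extraction
}


def resolve_path(obj, path):
    """Walk a dotted path such as 'a.b[0].c'; return the value, or None if a step is missing."""
    for step in path.split("."):
        key, _, idx = step.partition("[")
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
        if idx:  # list index, e.g. "groups[0]" -> idx == "0]"
            i = int(idx.rstrip("]"))
            if not isinstance(obj, list) or i >= len(obj):
                return None
            obj = obj[i]
    return obj


def extract_fields(raw_log, rules):
    """Apply every rule to one JSON log line; only paths that resolve become custom fields."""
    try:
        doc = json.loads(raw_log)
    except json.JSONDecodeError:
        return {}  # not a valid JSON log: nothing can be extracted
    fields = {}
    for name, path in rules.items():
        value = resolve_path(doc, path)
        if value is not None:
            fields[name] = value
    return fields
```

Running extract_fields(SAMPLE_JSON_LOG, JSON_RULES) yields four fields; session_id is silently skipped, which is the behaviour to check for when a path does not match the log structure.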
  8. Once you extract the field, it will be visible as a custom field in the right pane, along with its values.
  9. Follow the above steps to create the desired fields and click Save for the changes to take effect.
Validation and confirmation

  • Open the Search tab, select the device, set the calendar date and time to match the log, and perform a search. Verify that the new fields are extracted by searching for the field name under the Add/Remove Field option.
  • Ensure that the extracted data is displayed correctly and matches the expected values.

Tips

  • Imported logs will be parsed based on the Log format selected. If a new log format is created, the application will remember the format and use it during auto identification.
  • Newly extracted fields will be applicable only to new logs collected. Old logs will not contain the parsed value.
  • Newly extracted fields will be mapped to the respective Log format, which can be seen under Settings >> Admin Settings >> Custom Log formats.
  • You can create a new log format during import using the following steps:
    • Choose the Automatically Identify drop-down.
    • Enter a new Log Format name and choose the + option near the text box to add it.
  • New fields can be used in the Reports, Search and Alerts tabs, and for custom reports, custom alerts, and custom action/rule creation.
  • You can add a prefix/suffix in the Regex method to build the pattern more easily.
    • You can also include the prefix and/or suffix of a field value to improve precision. To include a prefix and/or suffix, click the icon in the right corner of the Fields table and select the required option. Click Apply.
    • For instance, consider the message: Successful Network Logon: User Name: sylvian Domain: ADVENTNET Logon ID: (0x0,0x6D51131) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: SYLVIAN Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 192.168.113.97 Source Port: 0 22873
    • The prefix Logon Type can be a static value, as most logs will contain exactly the words Logon Type, whereas Source Network Address can be dynamic, as logs may use different words such as Source IP Address or Source Address but with the same value pattern.
    • If the prefix and suffix are defined with an exact match, the field extraction will be precise.
Note: An open attribute will not have a prefix or suffix.
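As an added illustration (not code from EventLog Analyzer or from this article) of how a Regex-method rule with a static prefix and a set of dynamic prefixes behaves, the Python script below builds one parser pattern from a few field definitions and splits sample messages into matched and unmatched, the way the Validate link does. The sample messages are constructed for the example; the first is the logon message quoted above, the next two vary the address prefix, and the last carries no logon fields.

```python
import re

# Constructed sample events (not from the article). The first is the logon
# message from the Tips section; the next two use other address prefixes;
# the last has no logon fields and should end up unmatched.
SAMPLE_LOGS = [
    "Successful Network Logon: User Name: sylvian Domain: ADVENTNET "
    "Logon ID: (0x0,0x6D51131) Logon Type: 3 Logon Process: NtLmSsp "
    "Authentication Package: NTLM Workstation Name: SYLVIAN "
    "Source Network Address: 192.168.113.97 Source Port: 0 22873",
    "Successful Network Logon: User Name: alice Domain: CORP Logon Type: 10 "
    "Source IP Address: 10.0.0.5 Source Port: 0",
    "Failed Logon: User Name: bob Domain: CORP Logon Type: 3 Source Address: 172.16.4.9",
    "Service started: EventLog",
]

# Field definitions in the spirit of the Regex method: one static prefix, or a
# list of alternative prefixes for the dynamic case, the value pattern, and an
# optional suffix (empty here).
FIELDS = [
    {"name": "user_name", "prefixes": ["User Name:"], "value": r"\S+", "suffix": ""},
    {"name": "logon_type", "prefixes": ["Logon Type:"], "value": r"\d+", "suffix": ""},
    {"name": "source_address",
     "prefixes": ["Source Network Address:", "Source IP Address:", "Source Address:"],
     "value": r"\d{1,3}(?:\.\d{1,3}){3}", "suffix": ""},
]


def build_pattern(fields):
    """Combine the field definitions into one parser-rule regex with named groups."""
    parts = []
    for f in fields:
        prefix_alt = "|".join(re.escape(p) for p in f["prefixes"])
        parts.append(r"(?:%s)\s*(?P<%s>%s)%s"
                     % (prefix_alt, f["name"], f["value"], re.escape(f["suffix"])))
    # Fields must appear in this order; any text may sit between them.
    return re.compile(".*?".join(parts))


def validate(pattern, logs):
    """Mimic the Validate link: matched logs yield their fields, the rest are unmatched."""
    matched, unmatched = [], []
    for line in logs:
        m = pattern.search(line)
        if m:
            matched.append(m.groupdict())
        else:
            unmatched.append(line)
    return matched, unmatched
```

Because the prefix list for source_address lists every wording seen in the logs, the three logon messages all match while the service message is reported as unmatched; a prefix left out of the list would show up as an unmatched message at validation time.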
 

Related topics and articles

  • How to Extract New/Custom Fields from Log Data Using Log Search in EventLog Analyzer
  • How to enable audit for PostgreSQL logs in EventLog Analyzer
  • How to create Custom Parser Format in EventLog Analyzer
  • How to enable audit for SAP ERP audit logs in EventLog Analyzer
  • How to import logs in EventLog Analyzer from Remote path