Working with Parsers
Creating a custom parser for device logs involves writing an XML specification for the parser and using a test event to make sure the logs are parsed correctly.
Prerequisites
You should have:
- examples of the logs that you want to parse.
- created any new device/application types, event attribute types, or event types that you want to use in your XML specification.
- already written the XML specification for your parser.
- prepared a test event that you can use to validate the parser.
Parsers are applied in the order they are listed in ADMIN > Device Support > Parsers, so it is important to add your custom parser to the list in relation to any other parsers that may be applied to your device logs. If you click Fix Order, this will arrange the parsers with system-defined parsers at the top of the list in their original order, and user-defined parsers at the bottom. Be sure to click Apply to ensure the change in order is picked up by the back-end module.
After making a parser change, you must click Apply for the parser modules on all nodes to pick up the change. This is by design. If this does not occur, then SSH to the node where you expect the event to arrive first, and restart the phParser module.
The following sections provide information about working with parsers: