Syslog Server
- Last Updated: April 5, 2026
- Flowmon Documentation
You can configure the syslog server functionality on the Syslog Server page. Enable the Enable external syslogs toggle switch, which displays a list of allowed syslog clients. You can add a new syslog client by clicking New syslog client.
The device is able to process syslog messages from services such as DHCP, VPN, or directory services and use them to collect information about user logins. By adding a parsing rule for a syslog message, this information can be used to assign a user identity to an IP address. The parsing rule is used by the syslog-ng patterndb parser. It allows you to describe a syslog message in a way similar to regular expressions and to specify which parts of the log contain the IP address and the user name.
Attention
TCP multiline syslog messages are not supported.
Before you add a new parsing rule, you should check whether it is able to extract the information from the log message. The Test rule button opens a form in which you enter a syslog message and the corresponding parsing rule. The test result displays the content of all variables, the most important being USERNAME and ASSIGNED_IP. These two variables must be filled with the corresponding data for user identity to work. An optional variable DOMAIN can be used to specify the domain name, which is then prepended to the USERNAME in the format DOMAIN\USERNAME. If DOMAIN is not specified, USERNAME stays in its original format. To create parsing rules yourself, you must follow the syslog-ng patterndb syntax, which is described in the syslog-ng documentation.
In the Logout message rule, ASSIGNED_IP is not mandatory - only USERNAME must be present. If ASSIGNED_IP is missing, the system uses the IP address that was assigned to this USERNAME in the login message. If the USERNAME was assigned to multiple concurrent IP addresses, the logout message also requires the ASSIGNED_IP information for proper processing of the logout message.
Parsing Rules Syntax
It is usually enough to use the ESTRING data type, which matches any string ending with the specified string or character. @ESTRING::ip address=@ matches any text ending with the string 'ip address='.
@ESTRING::ip address=@@ESTRING:ASSIGNED_IP:@ matches, for example, the string 'DHCP ip address=192.168.1.1' and fills the variable ASSIGNED_IP with the value '192.168.1.1'.
@ESTRING::ip address=@@ESTRING:ASSIGNED_IP: user=@@ESTRING:USERNAME:@ matches, for example, the string 'DHCP ip address=192.168.1.1 user=flowmon', fills ASSIGNED_IP with '192.168.1.1' and fills the variable USERNAME with the value 'flowmon'.
If you need to create a parsing rule for a log message in which the words are separated only by white space, for example 'DHCP 192.168.1.1 MSWinEventLog flowmon', you can use the following parsing rule:
@ESTRING::DHCP @@ESTRING:ASSIGNED_IP:MSWinEventLog@@ESTRING:USERNAME:@, where
@ESTRING::DHCP @ matches the string up to the first space after the word 'DHCP'. @ESTRING:ASSIGNED_IP:MSWinEventLog@ matches the string from the first space after the word 'DHCP' up to the word 'MSWinEventLog'.
@ESTRING:USERNAME:@ matches the string from the word 'MSWinEventLog' to the end of the message.
If you try this example with the Test rule tool, the Test result section shows that the values of USERNAME and ASSIGNED_IP are surrounded by additional white space. This white space is removed internally later, so you do not have to remove it with the parsing rule.
After you insert a new parsing rule, there is another way to validate that it is correct. The table Rules for parsing User Identity information contains a column Match count, which shows how many log messages have matched the rule. The matching log messages can be displayed by clicking the file icon in the same column.
All parsing rules must contain some combination of strings that are specific only for this log. For example, if you want to parse information from Windows Active Directory, the simple version of the log message could look like this:
'<38>Jun 1 15:30:28 microsoft-windows-security-auditing[success] 4624 An account was successfully logged on.Account Name:FlowmonAccount Domain:INVEAName:Source Network Address:192.168.1.1Source Port:50625'.
There may be multiple variants of this message for logout or error events, so you need to write the parsing rule so that it matches only this type of message. Start with a static part of the log that identifies the service: 'microsoft-windows-security-auditing[success]'. Then confirm that this is really a login message by matching the string 'An account was successfully logged on'. Finally, extract the IP address and the user name. The resulting parsing rule looks like this:
@ESTRING::microsoft-windows-security-auditing[success]@@ESTRING::An account was successfully logged on.@@ESTRING::Account Name:@@ESTRING:USERNAME:Account Domain:@@ESTRING::Source Network Address:@@ESTRING:ASSIGNED_IP:Source Port:@
The parser ignores the newline characters (CR, LF) in multi-line messages. Do not use them in your parsing rules.
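To make the ESTRING behaviour described above concrete (the white-space example, the Windows Active Directory rule, the DOMAIN\USERNAME formatting and the logout handling), here is an added worked example. It is not Flowmon's or syslog-ng's code: it is a deliberately minimal matcher that supports only the @ESTRING:name:delimiter@ parser plus literal text, treats every '@...@' in a rule as a parser, strips CR/LF before matching as this page says the real parser does, and anchors the rule at the start of the message without requiring the remainder to be consumed (a simplification of the real radix-tree matcher). The multi-line Windows message, the DOMAIN-capturing variant of the AD rule and the DHCP release messages are constructed for the example.

```python
"""Minimal ESTRING-only re-implementation of the patterndb subset used on this page.

Added example, not Flowmon's or syslog-ng's code.  Real patterndb has many more
parser types and a different matching engine; this is only enough to show how
the rules on the page pick out USERNAME, ASSIGNED_IP and DOMAIN.
"""
import re
from typing import Optional

# @ESTRING:name:delimiter@  -- name may be empty, delimiter may contain ':'
ESTRING_RE = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")


def tokenize(rule: str) -> list:
    """Split a rule into ('lit', text) and ('estring', name, delimiter) tokens."""
    tokens, pos = [], 0
    while pos < len(rule):
        if rule[pos] == "@":
            m = ESTRING_RE.match(rule, pos)
            if m is None:
                raise ValueError(f"unsupported parser at offset {pos}: {rule[pos:pos + 20]!r}")
            tokens.append(("estring", m.group(1), m.group(2)))
            pos = m.end()
        else:
            end = rule.find("@", pos)
            end = len(rule) if end == -1 else end
            tokens.append(("lit", rule[pos:end]))
            pos = end
    return tokens


def match_rule(rule: str, message: str) -> Optional[dict]:
    """Apply the rule from the start of the message; return captured variables or None."""
    msg = message.replace("\r", "").replace("\n", "")   # CR/LF are ignored (per the page)
    captured, pos = {}, 0
    for tok in tokenize(rule):
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        _, name, delim = tok
        if delim == "":                                   # empty delimiter: rest of message
            value, pos = msg[pos:], len(msg)
        else:
            end = msg.find(delim, pos)
            if end == -1:
                return None                               # delimiter never occurs: no match
            value, pos = msg[pos:end], end + len(delim)   # delimiter is consumed, not captured
        if name:                                          # '@ESTRING::x@' stores nothing
            captured[name] = value
    return captured


def normalise(captured: dict) -> dict:
    """Trim surrounding white space (done internally per the page) and apply DOMAIN\\USERNAME."""
    out = {k: v.strip() for k, v in captured.items()}
    if out.get("DOMAIN") and out.get("USERNAME"):
        out["USERNAME"] = f"{out['DOMAIN']}\\{out['USERNAME']}"
    return out


class IdentityTable:
    """USERNAME -> set of assigned IPs, with the page's logout rules applied."""

    def __init__(self):
        self.sessions = {}

    def login(self, rule: str, message: str) -> Optional[tuple]:
        v = match_rule(rule, message)
        v = normalise(v) if v is not None else {}
        if not v.get("USERNAME") or not v.get("ASSIGNED_IP"):
            return None                                   # both are mandatory for a login
        self.sessions.setdefault(v["USERNAME"], set()).add(v["ASSIGNED_IP"])
        return v["USERNAME"], v["ASSIGNED_IP"]

    def logout(self, rule: str, message: str) -> Optional[str]:
        """Return the IP released, or None when unmatched, unknown or ambiguous."""
        v = match_rule(rule, message)
        v = normalise(v) if v is not None else {}
        user, ips = v.get("USERNAME"), self.sessions.get(v.get("USERNAME"), set())
        ip = v.get("ASSIGNED_IP")
        if not ip:                                        # optional only if the user holds one IP
            if len(ips) != 1:
                return None
            ip = next(iter(ips))
        if ip not in ips:
            return None
        ips.discard(ip)
        if not ips:
            del self.sessions[user]
        return ip


# Rules from the page (quotes removed) and constructed variants.
DHCP_RULE = "@ESTRING::ip address=@@ESTRING:ASSIGNED_IP: user=@@ESTRING:USERNAME:@"
SPACES_RULE = "@ESTRING::DHCP @@ESTRING:ASSIGNED_IP:MSWinEventLog@@ESTRING:USERNAME:@"
AD_RULE = ("@ESTRING::microsoft-windows-security-auditing[success]@"
           "@ESTRING::An account was successfully logged on.@"
           "@ESTRING::Account Name:@@ESTRING:USERNAME:Account Domain:@"
           "@ESTRING::Source Network Address:@@ESTRING:ASSIGNED_IP:Source Port:@")
# Constructed: AD_RULE extended to capture DOMAIN between 'Account Domain:' and 'Name:'.
AD_RULE_WITH_DOMAIN = AD_RULE.replace(
    "@ESTRING::Source Network Address:@",
    "@ESTRING:DOMAIN:Name:@@ESTRING::Source Network Address:@")
AD_LOGIN = (  # constructed multi-line form of the page's Windows 4624 example
    "<38>Jun 1 15:30:28 microsoft-windows-security-auditing[success] 4624 "
    "An account was successfully logged on.\r\nAccount Name:Flowmon\r\n"
    "Account Domain:INVEA\r\nName:\r\nSource Network Address:192.168.1.1\r\nSource Port:50625")
LOGOUT_RULE = "@ESTRING::released user=@@ESTRING:USERNAME:@"                      # constructed
LOGOUT_RULE_IP = "@ESTRING::released ip address=@@ESTRING:ASSIGNED_IP: user=@@ESTRING:USERNAME:@"


def demo() -> dict:
    """Run the page's examples and the logout cases; returns every result by name."""
    out = {"dhcp": match_rule(DHCP_RULE, "DHCP ip address=192.168.1.1 user=flowmon"),
           "spaces_raw": match_rule(SPACES_RULE, "DHCP 192.168.1.1 MSWinEventLog flowmon")}
    out["spaces"] = normalise(out["spaces_raw"])          # white space trimmed
    out["ad"] = normalise(match_rule(AD_RULE, AD_LOGIN))
    out["ad_domain"] = normalise(match_rule(AD_RULE_WITH_DOMAIN, AD_LOGIN))
    # A logoff variant must not match: the static 'successfully logged on' text is absent.
    out["ad_logoff"] = match_rule(AD_RULE, AD_LOGIN.replace("successfully logged on", "logged off"))
    table = IdentityTable()
    table.login(DHCP_RULE, "DHCP ip address=192.168.1.1 user=flowmon")
    table.login(DHCP_RULE, "DHCP ip address=192.168.1.2 user=flowmon")
    out["logout_ambiguous"] = table.logout(LOGOUT_RULE, "DHCP released user=flowmon")
    out["logout_explicit"] = table.logout(LOGOUT_RULE_IP,
                                          "DHCP released ip address=192.168.1.1 user=flowmon")
    out["logout_single"] = table.logout(LOGOUT_RULE, "DHCP released user=flowmon")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the script shows the raw white-space example captured as '192.168.1.1 ' and ' flowmon' before trimming, the AD rule yielding USERNAME 'Flowmon' and ASSIGNED_IP '192.168.1.1' even though the message arrived on several lines, the DOMAIN variant yielding 'INVEA\Flowmon', and the logout without ASSIGNED_IP being rejected while the user still holds two addresses but accepted once only one remains.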
To obtain more information about how to write parsing rules, see the official syslog-ng documentation.