What to do in case of a malfunctioning / non-existing parse

The logging method and the format of the logs are different for each device. What's more, the format of the logs can also start to vary by simply changing the device's firmware.

If the device logs you want to track are not normalized (parsed) correctly after being stored in the Logmanager database or are not normalized at all, we are speaking about non-functional or non-existent parser.

In case of suspicion that the parser which processes certain logs is not working properly, you need to ask Logmanager's vendor to repair or add functionality.

In order to minimize the correction time of parsing rule, please follow these steps:

1. Export the original logs (only raw field).
2. Provide information about the device/software (Device type, vendor, version, running firmware version).
3. If available provide device documentation that describes how this device writes logs and in what format they are being sent.
4. Sumarize your idea of how the normalized log should look after the parser to give you all necessary information at first glance.
5. Send all of this information to partner/vendor.

1. In the Logmanager console, in the Logs/Dashboards menu, select the “Log overview” dashboard.

   

2. In the “PARSER NAME” panel, click the circle next to the broken parser. This creates a filter that selects only the logs used by this parser.

   

   If a particular parser is not visible here, you need to change the selection filter.

3. In the "ALL EVENTS" panel, in the field "Fields" - uncheck all the fields.

   

   and check only the “raw” field.

   

   This completes the selection of logs and fields that need to be sent to the vendor.

4. The final step is export itself, which can be started with the “Export” button.

   

   Please make sure, that you don`t export a large number of logs. It would slow down the export time.

Points 1. and 2. are only performed if particular parser is not visible:

1. Select any parser on the "PARSER NAME" panel by clicking the circle next to it. Click on the filter you created - directly to “must” in “terms” box.

   

2. Modify the filter by typing the name of the desired parser into the “value” field. The parser name can be found in the Parser/Parsers menu.

   

In order to save this filter, click on the Apply button.

Go back to Steps to make export of original logs. and continue with step number 3.

No need to worry if the logs coming from device for which Logmanager does not have a built-in parser, the customer will not lose any logs. Logs are stored in the database in all cases - in this case just without normalization, in the original format.

To ensure that logs from the device are normalized and stored in an uniform format, please follow the steps below:

1. Export the original logs (only raw field).
2. Provide information about the device/software (Device type, vendor, version, running firmware version).
3. If available provide device documentation that describes how this device writes logs and in what format they are being sent.
4. Sumarize your idea of how the normalized log should look after the parser to give you all necessary information at first glance.
5. Send all of this information to partner/vendor.

1. In the Logmanager console, in the Logs/Dashboards menu, select the “Log overview” dashboard.

   

2. In the “PARSER NAME” panel, click the circle next to the “unknown” parser. This creates a filter that selects only logs which did not pass through any parser rule.

   

3. Make one more filter (based on the IP address in the “DEVICE IP” panel) which will specify logs from a specific device that require a new parser.

   

4. In the "ALL EVENTS" panel, in the field "Fields" - uncheck all the fields.

   

   and check only the “raw” field.

   

   This completes the selection of logs and fields that need to be sent to the vendor.

5. The final step is export itself, which can be started with the “Export” button.

Please make sure, that you don`t export a large number of logs. It would slow down the export time.