You use the Log Parser Rules view (available from the Configure view) to customize rules for your log parsers.
The default log parser parses logs that do not match any installed log parsers. The information contained in such a log is processed against the default log parser's rules, and metadata is then extracted by those rules and is available for Enrichment, Investigation, Reporting, and Alerting. This provides immediate visibility into logs from custom or unsupported sources.
You can also add or extend a log parser. For example, you may need to parse certain fields differently from the way the log parser for a particular event source parses them. You can add rules that change the way meta information is extracted from that event source's logs.
Finally, you can view and test sample log messages and rules for your log parsers, including the default log parser.
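The following is an added example, not code from the product or this page: a small Python model of the parsing flow described above. It assumes a simplified rule shape (a name, literal trigger strings, a regular expression with named groups, and a mapping from group to meta key), a parser selected by device literals in the message, and a default parser that claims any message no installed parser matches. The `acmefw` source, its rules, and the sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical rule model (an assumption for this example, not the product's own
# rule format): literal strings that must appear before the rule is tried, a
# regex with named groups, and a mapping from group name to the meta key it fills.
@dataclass(frozen=True)
class Rule:
    name: str
    literals: tuple
    pattern: re.Pattern
    meta: dict

@dataclass(frozen=True)
class LogParser:
    name: str
    device_literals: tuple   # substrings identifying the event source; () for the default parser
    rules: tuple

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Default parser: only generic rules, applied to logs no installed parser claims.
DEFAULT_PARSER = LogParser(
    name="default",
    device_literals=(),
    rules=(
        Rule("ip_pair", (), re.compile(rf"(?P<src>{IPV4}).*?(?P<dst>{IPV4})"),
             {"src": "ip.src", "dst": "ip.dst"}),
        Rule("user", ("user=",), re.compile(r"user=(?P<u>\S+)"), {"u": "user.dst"}),
    ),
)

# Custom parser for a constructed "acmefw" event source with source-specific rules.
ACMEFW_PARSER = LogParser(
    name="acmefw",
    device_literals=("acmefw:",),
    rules=(
        Rule("deny", ("DENY",),
             re.compile(rf"DENY src=(?P<s>{IPV4}) dst=(?P<d>{IPV4}) dport=(?P<p>\d+)"),
             {"s": "ip.src", "d": "ip.dst", "p": "ip.dstport"}),
        Rule("action", (), re.compile(r"acmefw: (?P<a>ALLOW|DENY)"), {"a": "action"}),
    ),
)

PARSERS = (ACMEFW_PARSER,)

# Constructed sample messages: one from the custom source, one from an unknown source.
SAMPLES = (
    "Mar 3 10:01:02 fw1 acmefw: DENY src=10.1.1.5 dst=203.0.113.9 dport=445",
    "Mar 3 10:01:03 app7 widgetd[12]: login ok user=alice from 192.0.2.7 to 10.0.0.1",
)

def select_parser(line, parsers=PARSERS, default=DEFAULT_PARSER):
    """Pick the first parser whose device literals all appear in the line; else the default."""
    for parser in parsers:
        if parser.device_literals and all(lit in line for lit in parser.device_literals):
            return parser
    return default

def fired_rules(line, parser):
    """Names of the parser's rules that match the line (useful when testing sample messages)."""
    fired = []
    for rule in parser.rules:
        if all(lit in line for lit in rule.literals) and rule.pattern.search(line):
            fired.append(rule.name)
    return fired

def parse_line(line, parsers=PARSERS, default=DEFAULT_PARSER):
    """Extract meta from one message: select a parser, then apply each of its rules in order."""
    parser = select_parser(line, parsers, default)
    meta = {"device.type": parser.name}
    for rule in parser.rules:
        if not all(lit in line for lit in rule.literals):
            continue  # literal trigger absent; skip the (more expensive) regex
        match = rule.pattern.search(line)
        if match is None:
            continue
        for group, key in rule.meta.items():
            meta[key] = match.group(group)
    return meta

if __name__ == "__main__":
    for sample in SAMPLES:
        parser = select_parser(sample)
        print(parser.name, fired_rules(sample, parser), parse_line(sample))
```

Running `fired_rules` over sample messages before deploying a rule shows whether it fires at all; a rule that never matches produces no meta, so the events it was meant to expose never reach investigation or alerting. The second sample illustrates the value of the default parser: even with no installed parser for `widgetd`, the generic rules still yield `ip.src`, `ip.dst`, and `user.dst`.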
The Log Parser Rules tab displays information about log parsers that use dynamic log parser rules. This includes the following:
- The default log parser that parses logs that are not associated with a particular log parser
- Native XML-defined device parsers that have been extended with dynamic log parser rules
- User-created custom device parsers used to parse unsupported custom event sources
From this tab you can:
- View the rules for a particular event source type, including the default parser
- View the names, literals, patterns, and meta for each configured log parser
- Add log parsers
- Add, edit, and delete custom rules for log parsers
To access this tab, go to Configure > Log Parser Rules. For more details, see Log Parser Rules Tab.