Log Source Parser Fallback

Introduction

This article describes the Logsign parser fallback module, which gives you an option for making syslog log sources meaningful.

Parser Fallback

When an integrated log source sends data, the parser service makes the received data meaningful through mapping and normalization. A plugin is selected when the log source is added, and that selection tells the parser service how to parse the logs. In some cases, logs arrive in a different format, which causes problems during parsing. Selecting a different plugin for those logs can prevent the issues; this process is called parser fallback.

In the example below, auditd logs are obtained from the 10.10.11.70 log source, and session history logs also arrive from the same IP.


Under Parser Fallback, add the Session history plugin as a fallback with Add.


When the process is complete, save the change with Save.

Using a high-EPS plugin source for parser fallback causes slowness in the parser services. The fallback process is therefore not recommended for high-EPS sources; such logs should be added as a new source with facility instead.
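The fallback idea and its per-event cost can be sketched in a few lines of Python. This is an added conceptual example, not Logsign's implementation: the function names, the session-history line format and both sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample lines, as if both arrived from one source IP.
AUDITD_LINE = ('type=USER_LOGIN msg=audit(1700000000.123:456): pid=812 uid=0 '
               'auid=1000 ses=3 res=success')
# Assumed session-history format; the article does not show the real one.
HISTORY_LINE = 'session_history: user=alice tty=pts/0 cmd="cat /etc/passwd"'

AUDIT_HEAD = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_auditd(line):
    """Primary plugin: returns a normalized event, or None if the format differs."""
    m = AUDIT_HEAD.match(line)
    if not m:
        return None
    event = {"plugin": "auditd", "type": m["type"], "serial": int(m["serial"])}
    event.update({k: v.strip('"') for k, v in KV.findall(m["body"])})
    return event

def parse_session_history(line):
    """Fallback plugin for the assumed session-history format."""
    prefix = "session_history: "
    if not line.startswith(prefix):
        return None
    event = {"plugin": "session_history"}
    event.update({k: v.strip('"') for k, v in KV.findall(line[len(prefix):])})
    return event

def parse_with_fallback(line, primary, fallbacks):
    """Return (event, attempts); attempts > 1 means the primary plugin failed."""
    attempts = 0
    for parser in [primary, *fallbacks]:
        attempts += 1
        event = parser(line)
        if event is not None:
            return event, attempts
    return None, attempts  # no plugin in the chain matched: line stays unparsed

if __name__ == "__main__":
    for sample in (AUDITD_LINE, HISTORY_LINE, "unrecognized line"):
        print(parse_with_fallback(sample, parse_auditd, [parse_session_history]))
```

In this sketch every line that misses the primary plugin costs an extra parse attempt, which is the kind of overhead that grows with event rate on a busy source.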
