RFC3164 Decoder for SL4NT 3.x
This RFC3164 decoder is implemented as a custom rule evaluator object. The text
of a syslog message that is passed to the custom evaluator object is parsed for
RFC3164-compliant TIMESTAMP, HOSTNAME and MSG parts. If successful, the
TIMESTAMP part is stored in custom field 1, the HOSTNAME part is stored in
custom field 2 and the MSG part is stored in custom field 3.
Using the RFC3164 decoder only makes sense when the senders of syslog
messages format their messages according to RFC3164. Otherwise, you'll
only be wasting CPU cycles on messages the decoder cannot parse.
The source code for this custom rule evaluator object is contained in the
SL4NT 3.x SDK.
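To make the decoding step concrete, here is a small Python reimplementation of what the evaluator does (an added example, not the code of RFC3164Decoder.dll or of the SL4NT SDK): it splits one syslog line into the TIMESTAMP, HOSTNAME and MSG parts that would land in custom fields 1, 2 and 3, and returns None for a line that is not RFC3164-compliant, which is the "evaluation failed" outcome the note above refers to. The sample lines and the optional PRI handling are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Illustrative reimplementation in Python, not the RFC3164Decoder.dll code.
# RFC3164 line layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
# (dd is space-padded for days 1-9, e.g. "Oct  5 01:02:03").
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                              # optional PRI part
    r"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r" (?P<day>[ 1-3]\d) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})) "
    r"(?P<host>\S+) "                                         # HOSTNAME: no spaces
    r"(?P<msg>.*)$",                                          # MSG: rest of the line
    re.DOTALL,
)


class Decoded(NamedTuple):
    timestamp: str       # -> custom field 1
    hostname: str        # -> custom field 2
    msg: str             # -> custom field 3
    pri: Optional[int]   # PRI value when the line carried one (not stored by SL4NT)


def decode_rfc3164(text: str) -> Optional[Decoded]:
    """Return the decoded parts, or None when the line is not RFC3164-compliant."""
    m = _HEADER.match(text)
    if m is None:
        return None
    # The regex only constrains the shape; reject out-of-range field values.
    if not (1 <= int(m.group("day")) <= 31
            and int(m.group("hh")) < 24
            and int(m.group("mm")) < 60
            and int(m.group("ss")) < 60):
        return None
    pri = int(m.group("pri")) if m.group("pri") is not None else None
    # PRI = facility*8 + severity; facilities 0-23, severities 0-7, so max 191.
    if pri is not None and pri > 191:
        return None
    # HOSTNAME is whatever the sender wrote; nothing in RFC3164 authenticates it,
    # so treat it as a claim by the sender, not as a verified identity.
    return Decoded(m.group("ts"), m.group("host"), m.group("msg"), pri)
```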
Prerequisites:

Installation:
- To install the RFC3164 Decoder, copy RFC3164Decoder.dll to a directory of
  your choice (for example: C:\Program Files\SL4NT\Bin) and execute the command
  RegSvr32.exe RFC3164Decoder.dll.

Uninstallation:
- To uninstall the RFC3164 Decoder, execute the command
  RegSvr32.exe /u RFC3164Decoder.dll and delete the file RFC3164Decoder.dll
  afterwards.

Add a new processing rule:
- In the Processing Rule Definition dialog, specify a name and then click
  Custom Evaluator.... Enter SL4NT.RFC3164Decoder in the ProgID field of the
  displayed Custom Evaluator Object dialog.
- Move the new processing rule to the top of the list.
- To use the decoded TIMESTAMP, HOSTNAME and MSG parts, create log formats
  which contain custom field 1, 2 and 3, and assign these log formats to
  actions which are referenced by your other processing rules.
2005-02-12
www.netal.com
Franz Krainer
franzk@netal.com