NXLog User Guide

108.3. Apple System Logs (xm_asl)

This module provides support for parsing Apple System Log (ASL) files. It registers an InputType using the name of the module instance. This module can be used with the im_file module.

108.3.1. Configuration

The xm_asl module accepts only the common module directives.

108.3.2. Fields

The following fields are used by xm_asl.

$raw_event (type: string): The raw log message.

$EventTime (type: datetime): A timestamp for when the event was created by the ASL daemon.

$Facility (type: string): The sender’s facility.

$GroupAccess (type: integer): The GID of the group that has permission to read the message (-1 for "all groups").

$Level (type: string): The ASL record level string. See $Severity.

$LevelValue (type: integer): The ASL record level value corresponding to the $Level.

$RecordId (type: integer): A numeric ID for this record.

$Sender (type: string): The name of the process that sent the message.

$SenderGid (type: integer): The group ID (GID) of the process that generated the event (-1 or -2 may indicate the nobody or nogroup groups; see /etc/group on the source system).

$SenderHost (type: string): The host that the sender belongs to (usually the name of the device).

$SenderPid (type: integer): The ID of the process that generated the event.

$SenderUid (type: integer): The user ID (UID) of the process that generated the event (-2 may indicate the nobody group; see /etc/group on the source system).

$Severity (type: string)

The normalized severity of the event, mapped as follows.

ASL Level	Normalized Severity
0/EMERGENCY	5/CRITICAL
1/ALERT	5/CRITICAL
2/CRITICAL	5/CRITICAL
3/ERROR	4/ERROR
4/WARNING	3/WARNING
5/NOTICE	2/INFO
6/INFO	2/INFO
7/DEBUG	1/DEBUG

ASL Level

Normalized Severity

0/EMERGENCY

5/CRITICAL

1/ALERT

5/CRITICAL

2/CRITICAL

5/CRITICAL

3/ERROR

4/ERROR

4/WARNING

3/WARNING

5/NOTICE

2/INFO

6/INFO

2/INFO

7/DEBUG

1/DEBUG

$SeverityValue (type: integer): The normalized severity number of the event. See $Severity.

$UserAccess (type: integer): The UID of the user that has permission to read the message (-1 for "all users").

108.3.3. Examples

Example 484. Parsing Apple System Logs With xm_asl

This example uses an im_file module instance to read an ASL log file and the InputType provided by xm_asl to parse the events. The various Fields are added to the event record.

nxlog.conf


  1
2
3
4
5
6
7
8
9

  <Extension asl_parser>
    Module      xm_asl
</Extension>

<Input in>
    Module      im_file
    File        "tmp/input.asl"
    InputType   asl_parser
</Input>