Format Configuration

Overview of Format Configuration

Every format has its own predefined format configuration file that configures the format of the exported logs, the delimiters, fields that are part of the header, and so on.

These format configuration files are configured in this file:

$EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/<Format>FormatDefinition.xml

Important - Do not edit the original <Format>FormatDefinition.xml files.

Doing so causes a data loss after an upgrade.

Instead, create a copy of the file and modify the copied file, while leaving the original intact.

After modifying the copied file, refer to it (using a full path) in the <formatHeaderFile> element in the relevant targetConfiguration.xml file (see Advanced Configuration).

Example list of files:

$EXPORTERDIR/conf/CefFormatDefinition.xml
$EXPORTERDIR/conf/GenericFormatDefinition.xml
$EXPORTERDIR/conf/JsonFormatDefinition.xml
$EXPORTERDIR/conf/LeefFormatDefinition.xml
$EXPORTERDIR/conf/LogRhythmFormatDefinition.xml
$EXPORTERDIR/conf/RsaFormatDefinition.xml
$EXPORTERDIR/conf/SplunkFormatDefinition.xml
$EXPORTERDIR/conf/SyslogFormatDefinition.xml

Body

Parameter	Description	Syslog	Splunk	RSA	CEF	LEEF	LogRhythm	Generic
`<start_message_body></start_message_body>`	The character preceding the log data payload.	`[`
`<end_message_body></end_message_body>`	The character following the log data payload.	`]`
`<message_separator></message_separator>`	The delimiter that separates logs.	` ` (means '`\n`')	` ` (means '`\n`')	` ` (means '`\n`')	` ` (means '`\n`')	` ` (means '`\n`')	` ` (means '`\n`')	('`\n`')
`<fields_separatator></fields_separatator>`	The delimiter that separates log fields.	'`;` ' (semicolon + space)	`\|` (pipe)	' ' (space)	' ' (space)	`&#09` (<TAB>)	`\|` (pipe)	' ' (space)
`<field_value_separatator></field_value_separatator>`	The assignment operator.	`:`	`=`	`=`	`=`	`=`	`=`	`=`
`<value_encapsulation_start>"</value_encapsulation_start>`	The value encapsulation operator (start)	`"`				`"`		`"`
`<value_encapsulation_end>"</value_encapsulation_end>`	The value encapsulation operator (end)	`"`				`"`		`"`
`<escape_chars> <char> <orig></orig> <escaped></escaped> </char> </escape_chars>`	Escaping unwanted characters. The escape functionality replaces the string that's encapsulated by the '`orig`' tags with the one encapsulated by the '`escaped`' tags	;\ --> \\ " --> \" --> ' ' ] --> \]	\| --> ; = --> \= --> ' '	= --> \= --> ' '	;\ --> \\ = --> \= --> ' ' \| --> \\|	= --> \= --> ' '	\| --> ; = --> \= --> ' '	\ --> \\ " --> ' --> ' '

Header

Parameter	Description	Default values for Syslog	Default values for Splunk	Default values for RSA	Default values for CEF	Default values for LogRhythm
`<header_format></header_format>`	The delimiter between the header values and the number of values. Every `{}` is replaced with one value.	`' '` (space)	`time={}\|hostname={}\|`	`<134>`	`\| ;`	`LOGV2 {}\|`

Parameter

Description

Default values for Syslog

Default values for Splunk

Default values for RSA

Default values for CEF

Default values for LogRhythm

<header_format></header_format>

The delimiter between the header values and the number of values.

Every {} is replaced with one value.

' '

(space)

time={}|hostname={}|

<134>

| ;

LOGV2 {}|

Notes:

To add a constant string to the header, add the string to the <header_format> tag value.
To add a new field to the header, add a new header format replacement string (for example: {}) to the '<header_format>' and add the relevant information in the '<headers>' tag.