The Parsing Procedure

The procedure runs on the Log Server and starts with the syslog daemon. The syslog daemon that runs on the Log Server receives the syslog messages and calls for their parsing. The parsing involves many parsing files, which contain the different parsing definitions and specifications and are located in the $FWDIR/conf/syslog/ directory. Among these files are the device-specific parsing files, which define the actual parsing and extraction of fields according to each device's specific syslog format.

The parsing starts with the syslog_free_text_parser.C file. This file defines the different dictionaries and parses the syslog. It extracts the fields that are common to all syslog messages (such as PRI, date and time), as well as the machine and application that generated the syslog.

The syslog_free_text_parser.C file uses the allDevices.C file (which refers to two files: UserDefined/UserDefinedSyslogDevices.C and CPdefined/CPdefinedSyslogDevices.C).

The allDevices.C file goes over the device parsing files and tries to match the incoming syslog against the syslog format that each file parses.

When a parsing file succeeds in the preliminary parsing of the syslog (that is, it matches the syslog format and is therefore identified as the syslog origin), the remainder of the syslog is parsed in that file. If a match is not found, allDevices.C continues to go over the Check Point device parsing files until it finds a match.
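The two-stage flow described above (common header fields first, then a first-match pass over device-specific parsers that take over the remainder of the message) can be modelled in a few lines. This is an added illustration, not Check Point's parser or any of its .C files; the device formats, sample lines and function names are constructed for the example.

```python
import re

# Stage 1: fields common to every syslog message (PRI, date/time, host, application).
# BSD-style header assumed for the example: "<PRI>Mon dd hh:mm:ss host app: message"
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\s]+):\s*(?P<msg>.*)$"
)

def parse_common(line):
    """Extract the common fields; return None if the line is not a syslog message."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "host": m.group("host"), "app": m.group("app"), "msg": m.group("msg")}

# Stage 2: each "device parsing file" is modelled as a (name, format regex) pair.
# The formats are constructed for this example and do not represent real vendors.
DEVICE_PARSERS = [
    ("example-firewall", re.compile(r"^action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")),
    ("example-vpn", re.compile(r"^user=(?P<user>\S+) event=(?P<event>\w+)$")),
]

def parse_syslog(line):
    """Common parse, then hand the remainder to the first device parser whose format matches."""
    rec = parse_common(line)
    if rec is None:
        return None
    for name, pattern in DEVICE_PARSERS:   # go over the device files in order
        m = pattern.match(rec["msg"])
        if m:                              # format matched: this device is the origin
            rec["device"] = name
            rec.update(m.groupdict())      # device file parses the rest of the message
            return rec
    rec["device"] = "unknown"              # no device file matched: common fields only
    return rec

# Constructed sample lines
SAMPLE_LINES = [
    "<134>Jan  5 10:20:30 fw1 kernel: action=drop src=10.0.0.5 dst=10.0.0.9",
    "<38>Jan 15 08:00:01 vpn1 sshd: user=alice event=login",
    "<13>Jan  5 10:20:31 host1 cron: started job",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```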