The Parsing Procedure

The procedure runs on the Log Server (a dedicated Check Point server that runs Check Point software to store and process logs) and starts with the syslog daemon. The syslog daemon on the Log Server receives the syslog messages and hands them to the parser. Parsing uses a set of parsing files, located in the $FWDIR/conf/syslog/ directory, which contain the parsing definitions and specifications. Among them are the device-specific parsing files; each one defines how to parse a particular device's syslog format and which fields to extract from it.

The parsing starts with the syslog_free_text_parser.C file. This file defines the Dictionary terms and performs the first pass over the syslog message: it extracts the fields that are common to all syslog messages (such as PRI, date and time) and identifies the machine and application that generated the message.

The syslog_free_text_parser.C file uses the allDevices.C file, which in turn includes two files: UserDefined/UserDefinedSyslogDevices.C and CPdefined/CPdefinedSyslogDevices.C.

  • The first file (UserDefined/UserDefinedSyslogDevices.C) lists the device parsing files that the user defines.

  • The second file (CPdefined/CPdefinedSyslogDevices.C) lists the device parsing files that Check Point defines.

The allDevices.C file goes over the device parsing files in order and tries to match the incoming syslog against the syslog format that each file parses.

When a parsing file succeeds in the preliminary parsing of the syslog (that is, the message matches the format that file recognizes, which identifies the syslog origin), the rest of the syslog is parsed by that file and no further files are tried. If no match is found, the search continues through the Check Point device parsing files until a match is found. Because the user-defined files are checked before the Check Point-defined ones and the first match ends the search, a user-defined parsing file whose preliminary match is too broad captures messages that a later Check Point-defined file was meant to parse.
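The two-stage flow described above (common fields first, then an ordered search over user-defined and Check Point-defined device parsers where the first preliminary match wins and parses the remainder) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Check Point's code and not the syntax of the .C parsing files; the device parsers (acmefw, openssh), the USER_DEFINED and CP_DEFINED lists standing in for the two SyslogDevices.C files, and the sample log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample syslog lines (not output of any real device).
SAMPLE_LOGS = [
    "<134>Jan 12 10:15:32 fw-edge01 acmefw: action=drop src=10.1.1.5 dst=8.8.8.8 proto=udp dport=53",
    "<38>Jan 12 10:16:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "<13>Jan 12 10:16:07 random-box cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Stage 1 (the role of syslog_free_text_parser.C in the text): fields common to
# every BSD-style syslog message: PRI, timestamp, originating host and application.
COMMON_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<rest>.*)$"
)


def parse_common(line: str) -> Optional[dict]:
    """Extract the common header; return None if the line is not syslog-shaped."""
    m = COMMON_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    fields["facility"] = pri // 8   # PRI = facility * 8 + severity (RFC 3164)
    fields["severity"] = pri % 8
    return fields


@dataclass
class DeviceParser:
    """One device parsing file: a preliminary origin test plus a body parser."""
    name: str
    origin: Callable[[dict], bool]   # preliminary match: does this message come from my device?
    body: Callable[[str], dict]      # parses the remainder once the origin is established


def kv_body(rest: str) -> dict:
    """Hypothetical key=value firewall format."""
    return dict(re.findall(r"(\w+)=(\S+)", rest))


SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)"
)


def sshd_body(rest: str) -> dict:
    m = SSH_FAIL_RE.search(rest)
    return m.groupdict() if m else {}


# Stand-ins for UserDefinedSyslogDevices.C and CPdefinedSyslogDevices.C (constructed).
USER_DEFINED = [
    DeviceParser("acmefw", lambda f: f["app"] == "acmefw", kv_body),
]
CP_DEFINED = [
    DeviceParser("openssh", lambda f: f["app"] == "sshd", sshd_body),
]


def parse_syslog(line: str) -> dict:
    """Full flow: common header, then ordered device search, first match wins."""
    common = parse_common(line)
    if common is None:
        return {"status": "unparsed", "raw": line}
    rest = common.pop("rest")
    # User-defined parsers are consulted before the vendor-defined ones, so an
    # over-broad origin test in USER_DEFINED would shadow every entry in CP_DEFINED.
    for parser in USER_DEFINED + CP_DEFINED:
        if parser.origin(common):
            return {"status": "parsed", "device": parser.name, **common, **parser.body(rest)}
    return {"status": "unmatched", **common, "message": rest}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_syslog(line))
```

The third sample line is deliberately left without a matching device parser to show the fall-through case; in a real deployment the origin tests in the user-defined files should be as narrow as the device's format allows, since the first match ends the search.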