{"id":30141988,"url":"https://github.com/solzimer/nsyslog-parser","last_synced_at":"2025-08-11T05:21:27.357Z","repository":{"id":39787399,"uuid":"90142980","full_name":"solzimer/nsyslog-parser","owner":"solzimer","description":"Syslog Parser. Accepts RFC 3164 (BSD) and RFC 5424 formats","archived":false,"fork":false,"pushed_at":"2023-06-06T08:42:23.000Z","size":988,"stargazers_count":18,"open_issues_count":18,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-07-03T23:23:54.141Z","etag":null,"topics":["arcsight","cef","parser","rfc-3164","rfc-5424","syslog"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/solzimer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-03T11:47:13.000Z","updated_at":"2025-03-28T08:39:44.000Z","dependencies_parsed_at":"2024-06-18T21:28:59.006Z","dependency_job_id":"ce78ff0d-0147-4cd9-8310-cfe20f74fc8d","html_url":"https://github.com/solzimer/nsyslog-parser","commit_stats":{"total_commits":96,"total_committers":4,"mean_commits":24.0,"dds":0.125,"last_synced_commit":"147d06e2ee360cd2a074a916fad5a6adaba22277"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/solzimer/nsyslog-parser","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solzimer%2Fnsyslog-parser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solzimer%2Fnsyslog-parser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/solzimer%2Fnsyslog-parser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solzimer%2Fnsyslog-parser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/solzimer","download_url":"https://codeload.github.com/solzimer/nsyslog-parser/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solzimer%2Fnsyslog-parser/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268682526,"owners_count":24289659,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-04T02:00:09.867Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arcsight","cef","parser","rfc-3164","rfc-5424","syslog"],"created_at":"2025-08-11T05:21:24.842Z","updated_at":"2025-08-11T05:21:27.349Z","avatar_url":"https://github.com/solzimer.png","language":"JavaScript","readme":"# nsyslog-parser\n[![](https://data.jsdelivr.com/v1/package/npm/nsyslog-parser/badge?style=rounded)](https://www.jsdelivr.com/package/npm/nsyslog-parser)\n\nSyslog Parser. 
Accepts [RFC 3164 (BSD)](https://tools.ietf.org/search/rfc3164), [RFC 5424](https://tools.ietf.org/html/rfc5424) and [CEF Common Event Format](https://community.saas.hpe.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306) formats.\nAlthough designed as a parser for standard syslog messages, there are too many systems/devices out there that send erroneous, proprietary or simply malformed messages. **nsyslog-parser** is flexible enough to try to parse every single message and extract as much information as possible, without throwing any errors.\n\n## Features\n\n* [RFC 3164 (BSD)](https://tools.ietf.org/search/rfc3164) and [RFC 5424](https://tools.ietf.org/html/rfc5424) formats\n* Extracts information from non-standard, erroneous or malformed messages\n* Parses [IETF Structured data](https://tools.ietf.org/html/rfc5424#section-6.3)\n* Parses [CEF Common Event Format](https://community.saas.hpe.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306)\n* Recognizes non-standard host-chain header\n\n## Installation\n\n    npm install nsyslog-parser\n\n## Usage\n\n```\nparser(line,options)\n```\n\n```javascript\nconst parser = require(\"nsyslog-parser\");\n\n// Standard BSD message\nvar bsdLine = \"\u003c34\u003eOct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8\";\n\n// IETF (RFC 5424) message, with structured data and chained hostnames\nvar ietfLine = '\u003c110\u003e1 2009-05-03T14:00:39.529966+02:00 host.example.org/relay.example.org syslogd 2138 - [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][exampleSDID@32474 iut=\"4\" eventSource=\"Application\" eventID=\"1012\"][ssign VER=\"0111\" RSID=\"1\" SG=\"0\" SPRI=\"0\" GBC=\"2\" FMN=\"1\" CNT=\"7\" HB=\"K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=\" 
SIGN=\"AKBbX4J7QkrwuwdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM=\"] BOMAn application event log entry';\n\n// Syslog CEF (Common Event Format)\nvar cefLine = \"Jan 18 11:07:53 dsmhost CEF:0|Trend Micro|Deep Security Manager|\u003cDSM version\u003e|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5\";\nconsole.log(parser(bsdLine));\nconsole.log(parser(ietfLine));\nconsole.log(parser(cefLine));\n```\n\n## Results\n\n```javascript\n{\n\toriginalMessage: '\u003c34\u003eOct 11 22:14:15 mymachine su: \\'su root\\' failed for lonvick on /dev/pts/8',\n\tpri: '\u003c34\u003e',\n\tprival: 34,\n\tfacilityval: 4,\n\tlevelval: 2,\n\tfacility: 'auth',\n\tlevel: 'crit',\n\ttype: 'BSD',\n\tts: '2017-10-11T20:14:15.000Z',\n\thost: 'mymachine',\n\tappName: 'su',\n\tmessage: '\\'su root\\' failed for lonvick on /dev/pts/8',\n\tchain: [],\n\tfields: [],\n\theader: '\u003c34\u003eOct 11 22:14:15 mymachine su: '\n}\n{\n\toriginalMessage: '\u003c110\u003e1 2009-05-03T14:00:39.529966+02:00 host.example.org/relay.example.org syslogd 2138 - [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][exampleSDID@32474 iut=\"4\" eventSource=\"Application\" eventID=\"1012\"][ssign VER=\"0111\" RSID=\"1\" SG=\"0\" SPRI=\"0\" GBC=\"2\" FMN=\"1\" CNT=\"7\" HB=\"K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=\" SIGN=\"AKBbX4J7QkrwuwdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM=\"] BOMAn application event log entry',\n\tpri: '\u003c110\u003e',\n\tprival: 110,\n\tfacilityval: 13,\n\tlevelval: 6,\n\tfacility: 'security',\n\tlevel: 'info',\n\tversion: 1,\n\ttype: 'RFC5424',\n\tts: '2009-05-03T12:00:39.529Z',\n\thost: 'relay.example.org',\n\tappName: 'syslogd',\n\tpid: '2138',\n\tmessageid: '-',\n\tmessage: 'BOMAn application event log entry',\n\tchain: [ 'host.example.org' 
],\n\tstructuredData:\n\t[\n\t\t{\n\t\t\t'$id': 'exampleSDID@32473',\n\t\t\tiut: '3',\n\t\t\teventSource: 'Application',\n\t\t\teventID: '1011'\n\t\t},\n\t\t{\n\t\t\t'$id': 'exampleSDID@32474',\n\t\t\tiut: '4',\n\t\t\teventSource: 'Application',\n\t\t\teventID: '1012'\n\t\t},\n\t\t{\n\t\t\t'$id': 'ssign',\n\t\t\tVER: '0111',\n\t\t\tRSID: '1',\n\t\t\tSG: '0',\n\t\t\tSPRI: '0',\n\t\t\tGBC: '2',\n\t\t\tFMN: '1',\n\t\t\tCNT: '7',\n\t\t\tHB: 'K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=',\n\t\t\tSIGN: 'AKBbX4J7QkrwuwdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM='\n\t\t}\n\t],\n\tfields: [],\n\theader: '\u003c110\u003e1 2009-05-03T14:00:39.529966+02:00 host.example.org/relay.example.org syslogd 2138 - [exampleSDID@32473 iut=\"3\" eventSource=\"Application\" eventID=\"1011\"][exampleSDID@32474 iut=\"4\" eventSource=\"Application\" eventID=\"1012\"][ssign VER=\"0111\" RSID=\"1\" SG=\"0\" SPRI=\"0\" GBC=\"2\" FMN=\"1\" CNT=\"7\" HB=\"K6wzcombEvKJ+UTMcn9bPryAeaU= zrkDcIeaDluypaPCY8WWzwHpPok= zgrWOdpx16ADc7UmckyIFY53icE= XfopJ+S8/hODapiBBCgVQaLqBKg= J67gKMFl/OauTC20ibbydwIlJC8= M5GziVgB6KPY3ERU1HXdSi2vtdw= Wxd/lU7uG/ipEYT9xeqnsfohyH0=\" SIGN=\"AKBbX4J7QkrwuwdbV7Taujk2lvOf8gCgC62We1QYfnrNHz7FzAvdySuMyfM=\"]'\n}\n\n{\n\toriginalMessage: 'Jan 18 11:07:53 dsmhost CEF:0|Trend Micro|Deep Security Manager|\u003cDSM version\u003e|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5',\n\tpri: '',\n\tprival: NaN,\n\ttype: 'CEF',\n\tts: '2017-01-18T10:07:53.000Z',\n\thost: 'dsmhost',\n\tmessage: 'CEF:0|Trend Micro|Deep Security Manager|\u003cDSM version\u003e|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5',\n\tchain: [],\n\tcef: {\n\t\tversion: 'CEF:0',\n\t\tdeviceVendor: 'Trend Micro',\n\t\tdeviceProduct: 'Deep Security 
Manager',\n\t\tdeviceVersion: '\u003cDSM version\u003e',\n\t\tdeviceEventClassID: '600',\n\t\tname: 'User Signed In',\n\t\tseverity: '3',\n\t\textension: 'src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5'\n\t},\n\tfields: {\n\t\tsrc: '10.52.116.160',\n\t\tsuser: 'admin',\n\t\ttarget: 'admin',\n\t\tmsg: 'User signed in from 2001:db8::5'\n\t},\n\theader: 'Jan 18 11:07:53 dsmhost '\n}\n```\n\n## Options\n\nOptions is a JavaScript object with the following parameters:\n* cef : Parse CEF structure (*true* by default)\n* fields : Parse Syslog structured data (*true* by default)\n* pid : Separate the PID field in case the **app** header field has the **app[pid]** format (*true* by default)\n* generateTimestamp : If *true* and no timestamp can be parsed from the line, sets the current timestamp. Otherwise, leaves the field as *undefined* (*true* by default)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolzimer%2Fnsyslog-parser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolzimer%2Fnsyslog-parser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolzimer%2Fnsyslog-parser/lists"}