AutoSplit values in KSS NG
When you add an action to log messages to a file, place an AutoSplit value in the path or file name to automatically split the log files. When a message is received, the variable is replaced with a value from the message.
AutoSplit values can be used anywhere within the path or log file name, as long as the result is a valid file name. Any number of AutoSplit values can be used within the path or file name.
If you are using the Run Script action, you can use any of the configured VarCustom or VarGlobal fields as an AutoSplit value. The following sections describe the available options.
To add an AutoSplit value:
- From the Kiwi Syslog NG navigation bar, choose Setup > Rules.
- Locate an existing rule. If the rule does not exist, add a rule and start the New Rule wizard.
- If you are adding an action to an existing rule, select the rule and click Edit. If you are creating a new rule, navigate to the Actions step of the New Rule wizard.
- Click Add Action. Define the action name in the provided field.
-
In the Action drop down, select Log to a file.
-
Click 
to insert an AutoSplit value.
Examples:
-
To split the messages into separate files based on the day of the month:
C:\Logs\MyLogFile$Message.DateM2.txt
The $Message.DateM2 is replaced by the current day of the month. On the 23rd of the month, the message is written to:
C:\Logs\MyLogFile23.txt
-
To split the messages based on priority level and current date:
C:\Logs\$Message.PriLevAA\MyLogFile-$Message.DateISO.txt
On April 9, 2023, the path and file name look like this:
C:\Logs\Critical\MyLogFile-2023-04-09.txt
-
To split the messages based on the sending host, and then by priority level:
C:\Logs\$Message.HostName.$Message.HostDomain\MyLogFile-$Message.PriLevAA.txt
The path and file name look like this:
C:\Logs\myhost.mycompany.com\MyLogFile-Debug.txt
Date values
| Menu name |
ISO Date (YYYY-MM-DD) |
| Parameter |
$Message.DateISO
|
| Explanation |
International formatted date in the format YYYY-MM-DD. Leading zeros, always 10 characters in length. |
| Example |
2023-10-31
|
| Menu name |
Year (YYYY) |
| Parameter |
$Message.DateY4
|
| Explanation |
4 digit year, always 4 characters in length |
| Example |
2022
|
| Menu name |
Year (YY) |
| Parameter |
$Date.DateY2
|
| Explanation |
2 digit year, always 2 characters in length |
| Example |
17
|
| Menu name |
Month (MM) with leading zero |
| Parameter |
$Message.DateM2
|
| Explanation |
2 digit month with leading zero, always 2 characters in length |
| Example |
12
|
| Menu name |
Month (MMM) in English |
| Parameter |
$Message.DateM3
|
| Explanation |
3 character month in English, always 3 characters in length. First letter is in upper case. |
| .Example |
Nov
|
| Menu name |
Date (DD) with leading zero |
| Parameter |
$Message.DateD2
|
| Explanation |
2 digit day of the month with leading zero, always 2 characters in length |
| Example |
05
|
| Menu name |
Day (DDD) in English |
| Parameter |
$Message.DateD3
|
| Explanation |
3 character day of the week in English, always 3 characters in length. First letter is in upper case. |
| Example |
Fri
|
Time values
| Menu name |
Hour (HH) with leading zero |
| Parameter |
$Message.TimeHH
|
| Explanation |
2 digit hour, always 2 characters in length. 24 hour display. 3 p.m. = 15 |
| Example |
14
|
| Menu name |
Minute (MM) with leading zero |
| Parameter |
$Message.TimeMM
|
| Explanation |
2 digit minute, always 2 characters in length |
| Example |
59
|
| Menu name |
AM/PM indicator (AM or PM) |
| Parameter |
$Message.TimeAMPM
|
| Explanation |
2 character time of day indicator. Always 2 characters in length. 00:00 to 11:59 = AM. 12:00 to
23:59 = PM |
| Example |
AM
|
Priority values
| Menu name |
Level (Alpha) |
| Parameter |
$Message.PriLevAA
|
| Explanation |
The message priority level as a word: Debug, Notice, Info… |
| Example |
Critical
|
| Menu name |
Facility (Alpha) |
| Parameter |
$Message.PriFacAA
|
| Explanation |
The message priority facility as a word: Local1, News, Cron… |
| Example |
User
|
| Menu name |
Level (2 digit numeric) |
| Parameter |
$Message.PriLev00
|
| Explanation |
The message priority level as a 2 digit number: 00 to 07 |
| Example |
05
|
| Menu name |
Facility (2 digit numeric) |
| Parameter |
$Message.PriFac00
|
| Explanation |
The message priority facility as a 2 digit number: 00 to 23 |
| Example |
23
|
| Menu name |
Priority (3 digit numeric) |
| Parameter |
$Message.Pri000
|
| Explanation |
The message priority as a 3 digit number: 000 to 191 |
| Example |
016
|
IP Address values
| Menu name |
IP Address (4 octets, zero padded) |
| Parameter |
$Message.IPAdd4
|
| Explanation |
The IP address of the device that sent the message. Each octet is zero padded. Always 15
characters in length |
| Example |
192.168.001.024
|
| Menu name |
IP Address (3 octets, zero padded) |
| Parameter |
$Message.IPAdd3
|
| Explanation |
The first 3 octets of the IP address of the device that sent the message. Each octet is zero
padded. Always 11 characters in length. |
| Example |
192.168.001
|
| Menu name |
IP Address (2 octets, zero padded) |
| Parameter |
$Message.IPAdd2
|
| Explanation |
The first 2 octets of the IP address of the device that sent the message. Each octet is zero
padded. Always 7 characters in length. |
| Example |
203.056
|
| Menu name |
IPv6 Address |
| Parameter |
$Message.IPv6Add6
|
| Explanation |
The IPv6 address of the device that sent the message. IPv6 address of the device is separated
with ~ as special character is not accepted in file name. |
| Example |
ABC~567~0~0~8888~9999~1111~0
|
Host name values
| Menu name |
Hostname (no domain name) |
| Parameter |
$Message.HostName
|
| Explanation |
The host name of the device that sent the message. No domain name is
included. |
| Example |
sales-router
|
| Menu name |
Domain (no host name) |
| Parameter |
$Message.HostDomain
|
| Explanation |
The domain name suffix of the device that sent the message. No host
name is included. |
| Example |
mycompany.co.nz
|
| Menu name |
Reversed domain (no host name) |
| Parameter |
$Message.HostDomRev
|
| Explanation |
The domain name suffix of the device that sent the message, in reverse order. No host name is included. |
| Example |
nz.co.mycompany
|
Message Text - WELF format
WELF format is the WebTrends Extended Logging Format. This format is used by firewalls such as GNATBox, SonicWall, CyberWallPlus, and NetScreen. Each field within the message text is prefixed with an identifying tag, such as fw= for the firewall name or src= for the source of the packet being logged.
| Menu name |
Firewall name (WELF format) |
| Parameter |
$Message.TextFW
|
| Explanation |
The name of the firewall that created the message |
| Example |
protector
|
| Menu name |
Source address (WELF format) |
| Parameter |
$Message.TextSrc
|
| Explanation |
The source IP address of the packet being logged by the firewall (not zero padded, unless this
has been done by the firewall already) |
| Example |
192.168.1.6
|
| Menu name |
Destination address (WELF format) |
| Parameter |
$Message.TextDst
|
| Explanation |
The destination IP address of the packet being logged by the firewall (not zero padded, unless
this has been done by the firewall already) |
| Example |
203.57.12.1
|
| Menu name |
Protocol (WELF format) |
| Parameter |
$Message.TextDst
|
| Explanation |
The protocol of the packet being logged by the firewall |
| Example |
http
|
| Menu name |
Serial Number (WELF format) |
| Parameter |
$Message.TextSn
|
| Explanation |
The Serial number of the device as in WELF Message |
| Example |
abcdDDDXSD
|
Input Source values
| Menu name |
Input Source (UDP/TCP/SNMP) |
| Parameter |
$Message.InpSrc
|
| Explanation |
Identifies the input source of the message. (The listening method that received the message) |
| Example |
UDP
|
| Menu name |
VarCustom01 to VarCustom16 |
| Parameter |
$Custom.VarCustom01 to $Custom.VarCustom16 |
| Explanation |
There are 16 custom fields that can be modified by the Run Script action. If these fields have not
been modified by the script, they are blank. Be aware that a blank autosplit value may result in an invalid
file name. The custom field values are cleared when a new message arrives. They are only valid for the current
message. To store values longer than a single message, use VarGlobal fields. |
| Example |
Any value that the script creates can be used. |
| Menu name |
VarGlobal01 to VarGlobal16 |
| Parameter |
$Global.VarGlobal01 to $Global.VarGlobal16 |
| Explanation |
There are 16 global fields that can be modified by the Run Script action. If these fields have not
been modified by the script, they are blank. Be aware that a blank AutoSplit value may result in an invalid
file name. The global fields retain their value between messages. |
| Example |
Any value that the script creates can be used. |
