How to save incoming Syslog events?

How can one save incoming events while tuning Syslog monitor?

Q: I cannot properly filter Syslog events until I see them. Is there any way to log those events?

A: Yes, one can use Python script to save Syslog monitor events (separately for every host). Please follow the instructions below

Download the sample Python script

The below script: (897 bytes)

can be used as prototype to save Syslog events and store them for further inspections. The further instructions assume the following:

  1. Script ( is placed into C:\Scripts folder
  2. Log files are written to C:\Scripts\logs folder

Create both folders, or change the corresponding paths in the below instructions. Note: it is important that SYSTEM account may create files and write into C:\Scripts\logs folder.

Unpack script (1391 bytes) from the above archive and place it into C:\Scripts folder.

Create an alert and alerting rule to process Syslog events

Start IPHost GUI client and open a new Alert editor (“Settings > Alerts”, click “New”):

Add new Alert

Click “New > New Simple Action > Execute Python script”.

Enter the new Python script fields like below:

New Python script


Path: is where the script is placed (it must be readable by SYSTEM account).

Arguments: the only string in arguments is folder name where logs should be created. Please make sure there’s backslash (‘\’) in the end.

Input data: enter two strings, each on new line:


(press “Enter” after each line). The “$EventDetails” variable will be expanded into actual Syslog data received, before the script is called.

Click “OK”.

Create a new Alerting rule (“Settings > Alerting Rules > New”). Fill the fields like below:

New Alerting rule

(i.e., only use “Event Alert”, leave other at “do not report”)

Click “OK”.

Assign the alerting rule and test the script

Select a Syslog monitor, open its “Alerting” tab and assign the newly created “Save syslog data” alerting rule:

Assign Alerting rule

Click “Save”.

Launch the Syslog monitor (or Stop and Start it). If everything has been set up correctly, in the logs folder (C:\Scripts\logs in the above example) new log file will be created, named “IPaddress.syslog.txt”, where “IPAddress” is numeric IP address of the host that sent the Syslog event.

For example, if host IP is, then the log file will be named

The above file will hold entries looking like the one below:

[Entry added: 2018-10-02 11:09:05.315315]
  Is RFC 5424: 0
  Host: hostname
  Application (tag): 
  Process Id: -1
  Message Id: 
  Severity level: INFO
  Facility: user
  Date and time: 
  Structured data: 
  Message: root: Test message 3

If you only need some of the above fields, please feel free to edit the as required.

Note: please change the Syslog monitors to only send you required data (default settings accept all the possible data). Real-life network device can easily send dozens of events a second – make sure your IPHost installation has enough resources to handle the syslog events flow.

Note: if you are debugging Syslog monitor (in case there are problems getting requried events), you also might consider running IPHost monitoring service under account different from SYSTEM (default), in case you would need account with real user profile.

Related links