$ ls /logforge/parse
Log parser generators by source
Pick your log source below to see a real worked example: paste a line of the format and LogForge hands back a working regex, Grok pattern, Wazuh decoder, and rsyslog template. Every example on these pages is generated at build time by the same engine that runs in your browser — nothing hand-written, nothing uploaded.
Nginx access
Combined: 203.0.113.45 - - [03/Jul/2026:14:22:15 +0300] "GET /api/health HTTP/1.1" 200 2 "-" "kube-probe/1.29"
parse nginx →
Apache access (combined)
Combined: 192.0.2.10 - jdoe [03/Jul/2026:14:22:15 +0300] "GET /wp-admin/ HTTP/1.1" 302 512 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0"
parse apache →
OpenSSH / sshd auth
syslog: Jul 3 14:22:15 fw01 sshd[4721]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
parse sshd →
FortiGate firewall
key=value: date=2026-07-03 time=14:22:15 devname="FGT60F" devid="FGT60FTK20012345" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=192.0.2.10 srcport=51234 dstip=198.51.100.20 dstport=443 action="accept" service="HTTPS" sentbyte=15320 rcvdbyte=88210
parse fortigate →
Palo Alto Networks PAN-OS (CEF)
CEF: CEF:0|Palo Alto Networks|PAN-OS|11.1|THREAT|url|5|rt=Jul 03 2026 14:22:15 src=192.0.2.55 dst=198.51.100.99 spt=52881 dpt=443 suser=bhapci app=web-browsing act=block-url request=https://malware-cdn.example.net/payload.bin cat=malware
parse palo-alto →
CEF / Trellix / ArcSight (SIEM)
CEF: CEF:0|Trellix|Endpoint Security|10.7|1092|Threat detected and blocked|8|src=192.0.2.10 dst=198.51.100.20 spt=51234 dpt=445 suser=jdoe act=blocked fname=invoice_scan.exe fileHash=44d88612fea8a8f36de82e1278abb02f
parse cef →
LEEF / IBM QRadar
LEEF: LEEF:2.0|IBM|QRadar|7.5.0|NewEvent|^|devTime=1783085000000^src=203.0.113.66^dst=192.0.2.30^sev=9^cat=IPS^msg=Log4j RCE attempt blocked at perimeter
parse leef →
JSON application
JSON: {"ts":"2026-07-03T14:22:15.003Z","level":"error","service":"checkout","msg":"payment failed","order_id":"ord_9f3c","user":"jdoe","ip":"203.0.113.45","gateway":{"name":"stripe","code":"card_declined"}}
parse json →
Postfix mail
syslog: Jul 3 14:22:15 mail01 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 5.7.1 Service unavailable
parse postfix →
HAProxy HTTP
syslog: Jul 3 14:22:15 lb01 haproxy[990]: 192.0.2.10:51234 [03/Jul/2026:14:22:15.123] https-in~ api/srv2 0/0/1/12/13 200 512 - - ---- 5/5/0/1/0 0/0 "GET /api/health HTTP/1.1"
parse haproxy →
Windows Security Event
key=value: EventID=4625 TargetUserName=admin LogonType=3 IpAddress=203.0.113.45 IpPort=51234 Status=0xC000006D WorkstationName=WKSTN-07
parse windows-event →
Cisco ASA firewall
syslog: <166>%ASA-4-106023: Deny tcp src outside:203.0.113.45/51234 dst inside:192.0.2.10/443 by access-group "outside_access_in"
parse cisco-asa →
iptables / netfilter
key=value: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 SYN
parse iptables →
Docker container
key=value: time="2026-07-03T14:22:15.123456789Z" level=info msg="Container started" container=9f3c2d1a4b7e image="nginx:1.27" name=web-1
parse docker →
Kubernetes (klog)
freeform: I0703 14:22:15.123456 1234 controller.go:210] "Reconciling object" namespace="shop" name="web" reason="Scheduled"
parse kubernetes →
AWS CloudTrail
JSON: {"eventVersion":"1.09","eventTime":"2026-07-03T14:22:15Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"eu-central-1","sourceIPAddress":"203.0.113.45","userIdentity":{"type":"IAMUser","userName":"jdoe"},"requestParameters":{"bucketName":"onber-logs"}}
parse aws-cloudtrail →
AWS VPC Flow
delimited: 2 123456789012 eni-0abc12de34567890 203.0.113.45 192.0.2.10 51234 443 6 12 1520 1783085000 1783085060 ACCEPT OK
parse aws-vpc-flow →
Wazuh alert
JSON: {"timestamp":"2026-07-03T14:22:15.123+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system","id":"5712"},"agent":{"id":"003","name":"web01"},"data":{"srcip":"203.0.113.45","srcuser":"admin"},"location":"/var/log/auth.log"}
parse wazuh →
Suricata (eve.json)
JSON: {"timestamp":"2026-07-03T14:22:15.123456+0300","event_type":"alert","src_ip":"203.0.113.66","src_port":44121,"dest_ip":"192.0.2.30","dest_port":8080,"proto":"TCP","alert":{"signature":"ET EXPLOIT Apache Log4j RCE Attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
parse suricata →
PostgreSQL
freeform: 2026-07-03 14:22:15.123 UTC [1234] jdoe@onber LOG: duration: 1201.334 ms statement: SELECT * FROM orders WHERE id = 42
parse postgresql →
Don't see your format? The tool handles any log you paste — these pages just pre-work the common ones. For how each output format is built, read the docs.