$ ls /logforge/parse

Log parser generators by source

Pick your log source below to see a real worked example: paste a line of the format and LogForge hands back a working regex, Grok pattern, Wazuh decoder, and rsyslog template. Every example on these pages is generated at build time by the same engine that runs in your browser — nothing hand-written, nothing uploaded.

Nginx access

Combined

203.0.113.45 - - [03/Jul/2026:14:22:15 +0300] "GET /api/health HTTP/1.1" 200 2 "-" "kube-probe/1.29"

parse nginx →

Apache access (combined)

Combined

192.0.2.10 - jdoe [03/Jul/2026:14:22:15 +0300] "GET /wp-admin/ HTTP/1.1" 302 512 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0"

parse apache →

OpenSSH / sshd auth

syslog

Jul 3 14:22:15 fw01 sshd[4721]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2

parse sshd →

FortiGate firewall

key=value

date=2026-07-03 time=14:22:15 devname="FGT60F" devid="FGT60FTK20012345" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=192.0.2.10 srcport=51234 dstip=198.51.100.20 dstport=443 action="accept" service="HTTPS" sentbyte=15320 rcvdbyte=88210

parse fortigate →

Palo Alto Networks PAN-OS (CEF)

CEF

CEF:0|Palo Alto Networks|PAN-OS|11.1|THREAT|url|5|rt=Jul 03 2026 14:22:15 src=192.0.2.55 dst=198.51.100.99 spt=52881 dpt=443 suser=bhapci app=web-browsing act=block-url request=https://malware-cdn.example.net/payload.bin cat=malware

parse palo-alto →

CEF / Trellix / ArcSight (SIEM)

CEF

CEF:0|Trellix|Endpoint Security|10.7|1092|Threat detected and blocked|8|src=192.0.2.10 dst=198.51.100.20 spt=51234 dpt=445 suser=jdoe act=blocked fname=invoice_scan.exe fileHash=44d88612fea8a8f36de82e1278abb02f

parse cef →

LEEF / IBM QRadar

LEEF

LEEF:2.0|IBM|QRadar|7.5.0|NewEvent|^|devTime=1783085000000^src=203.0.113.66^dst=192.0.2.30^sev=9^cat=IPS^msg=Log4j RCE attempt blocked at perimeter

parse leef →

JSON application

JSON

{"ts":"2026-07-03T14:22:15.003Z","level":"error","service":"checkout","msg":"payment failed","order_id":"ord_9f3c","user":"jdoe","ip":"203.0.113.45","gateway":{"name":"stripe","code":"card_declined"}}

parse json →

Postfix mail

syslog

Jul 3 14:22:15 mail01 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 5.7.1 Service unavailable

parse postfix →

HAProxy HTTP

syslog

Jul 3 14:22:15 lb01 haproxy[990]: 192.0.2.10:51234 [03/Jul/2026:14:22:15.123] https-in~ api/srv2 0/0/1/12/13 200 512 - - ---- 5/5/0/1/0 0/0 "GET /api/health HTTP/1.1"

parse haproxy →

Windows Security Event

key=value

EventID=4625 TargetUserName=admin LogonType=3 IpAddress=203.0.113.45 IpPort=51234 Status=0xC000006D WorkstationName=WKSTN-07

parse windows-event →

Cisco ASA firewall

syslog

<166>%ASA-4-106023: Deny tcp src outside:203.0.113.45/51234 dst inside:192.0.2.10/443 by access-group "outside_access_in"

parse cisco-asa →

iptables / netfilter

key=value

IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 SYN

parse iptables →

Docker container

key=value

time="2026-07-03T14:22:15.123456789Z" level=info msg="Container started" container=9f3c2d1a4b7e image="nginx:1.27" name=web-1

parse docker →

Kubernetes (klog)

freeform

I0703 14:22:15.123456 1234 controller.go:210] "Reconciling object" namespace="shop" name="web" reason="Scheduled"

parse kubernetes →

AWS CloudTrail

JSON

{"eventVersion":"1.09","eventTime":"2026-07-03T14:22:15Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"eu-central-1","sourceIPAddress":"203.0.113.45","userIdentity":{"type":"IAMUser","userName":"jdoe"},"requestParameters":{"bucketName":"onber-logs"}}

parse aws-cloudtrail →

AWS VPC Flow

delimited

2 123456789012 eni-0abc12de34567890 203.0.113.45 192.0.2.10 51234 443 6 12 1520 1783085000 1783085060 ACCEPT OK

parse aws-vpc-flow →

Wazuh alert

JSON

{"timestamp":"2026-07-03T14:22:15.123+0000","rule":{"level":10,"description":"sshd: brute force trying to get access to the system","id":"5712"},"agent":{"id":"003","name":"web01"},"data":{"srcip":"203.0.113.45","srcuser":"admin"},"location":"/var/log/auth.log"}

parse wazuh →

Suricata (eve.json)

JSON

{"timestamp":"2026-07-03T14:22:15.123456+0300","event_type":"alert","src_ip":"203.0.113.66","src_port":44121,"dest_ip":"192.0.2.30","dest_port":8080,"proto":"TCP","alert":{"signature":"ET EXPLOIT Apache Log4j RCE Attempt","category":"Attempted Administrator Privilege Gain","severity":1}}

parse suricata →

PostgreSQL

freeform

2026-07-03 14:22:15.123 UTC [1234] jdoe@onber LOG: duration: 1201.334 ms statement: SELECT * FROM orders WHERE id = 42

parse postgresql →

Don't see your format? The tool handles any log you paste; these pages only pre-generate examples for the common ones. For how each output format (regex, Grok, Wazuh decoder, rsyslog template) is built, read the docs.