# Netskope parser

The Netskope parser can parse Netskope log messages. These messages do not completely comply with the syslog RFCs, which makes them difficult to parse with the generic syslog parser. The `netskope-parser()` of AxoSyslog solves this problem and separates these log messages into name-value pairs. For details on using value-pairs in AxoSyslog, see [Structuring macros, metadata, and other value-pairs](../../docs/axosyslog-core/chapter-concepts/concepts-value-pairs/index.md). The parser can parse messages in the following format: a syslog `<PRI>` header followed directly by a JSON object, with no timestamp, hostname, or other header fields in between.
```
<PRI>{JSON-formatted-log-message}
```

For example:
```
<134>{"count": 1, "supporting_data": {"data_values": ["x.x.x.x", "user@domain.com"], "data_type": "user"}, "organization_unit": "domain/domain/Domain Users/Enterprise Users", "severity_level": 2, "category": null, "timestamp": 1547421943, "_insertion_epoch_timestamp": 1547421943, "ccl": "unknown", "user": "user@domain.com", "audit_log_event": "Login Successful", "ur_normalized": "user@domain.com", "_id": "936289", "type": "admin_audit_logs", "appcategory": null}
```

If you find a message that the `netskope-parser()` cannot properly parse, [contact us](<https://axoflow.com/contact/>), so we can improve the parser.

The AxoSyslog application sets the `${PROGRAM}` field to `Netskope`.

By default, the Netskope-specific fields are extracted into name-value pairs prefixed with `.netskope.`. For example, the `organization_unit` field in the previous message becomes `${.netskope.organization_unit}`. You can change the prefix using the `prefix()` option of the parser.

## Declaration:
```
@version: 4.25
@include "scl.conf"
log {
    source { network(flags(no-parse)); };
    parser { netskope-parser(); };
    destination { ... };
};
```

Note that you have to disable message parsing in the source using the `flags(no-parse)` option for the parser to work: because the messages are not RFC-compliant syslog, the source's built-in syslog parsing must be left to `netskope-parser()`.

The `netskope-parser()` is actually a reusable configuration snippet configured to parse Netskope messages. For details on using or writing such configuration snippets, see [Reusing configuration blocks](../../docs/axosyslog-core/chapter-configuration-file/large-configs/config-blocks/index.md). You can find the source of this configuration snippet on [GitHub](<https://github.com/axoflow/axosyslog/blob/master/scl/netskope/plugin.conf>).

## prefix()

| Synopsis: | `prefix()` |
|---|---|

_Description:_ Insert a prefix before the name part of the parsed name-value pairs to help further processing. For example:

  * To insert the `my-parsed-data.` prefix, use the `prefix(my-parsed-data.)` option.
  * To refer to a particular data that has a prefix, use the prefix in the name of the macro, for example, `${my-parsed-data.name}`.
  * If you forward the parsed messages using the IETF-syslog protocol, you can insert all the parsed data into the SDATA part of the message using the `prefix(.SDATA.my-parsed-data.)` option.

Names starting with a dot (for example, `.example`) are reserved for use by AxoSyslog. If you use such a macro name as the name of a parsed value, the parser will attempt to replace the original value of the macro (note that only soft macros can be overwritten, see [Hard versus soft macros](../../docs/axosyslog-core/chapter-manipulating-messages/customizing-message-format/macros-hard-vs-soft/index.md) for details). To avoid such problems, use a prefix when naming the parsed values, for example, `prefix(my-parsed-data.)`.

By default, `netskope-parser()` uses the `.netskope.` prefix. To modify it, use the following format:
```
parser {
    netskope-parser(prefix("myprefix."));
};
```
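As an added worked example (not code from this page or from the AxoSyslog project), the following Python model reproduces what the format description and the `prefix()` section above describe: it splits the `<PRI>` header from the JSON body, flattens the body into name-value pairs under a configurable prefix (the default `.netskope.`, or an SDATA-style prefix such as `.SDATA.netskope.`), sets `PROGRAM` to `Netskope`, and rejects input that is not in the `<PRI>{JSON}` shape. The sample message is constructed after the one shown earlier in this page. Two details are assumptions rather than documented behaviour: array elements are named with an `[index]` suffix and JSON `null` becomes an empty string; the real naming and type handling is defined by the `json-parser()` used in the snippet on GitHub, so treat this as a model for checking expectations, not as the parser itself.

```python
import json
import re

# Constructed sample in the documented "<PRI>{JSON}" shape, modelled on the
# message shown above; it is not a real Netskope capture.
SAMPLE = (
    '<134>{"count": 1, "supporting_data": {"data_values": ["x.x.x.x", '
    '"user@domain.com"], "data_type": "user"}, "organization_unit": '
    '"domain/domain/Domain Users/Enterprise Users", "severity_level": 2, '
    '"category": null, "timestamp": 1547421943, "user": "user@domain.com", '
    '"audit_log_event": "Login Successful", "_id": "936289", '
    '"type": "admin_audit_logs"}'
)

# Syslog PRI: "<" + a number in 0..191 + ">"; nothing else precedes the JSON.
PRI_RE = re.compile(r"^<(\d{1,3})>")
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _flatten(value, name, out):
    """Turn nested JSON into flat name-value pairs with string values.

    Assumption: array elements get a "[i]" suffix and JSON null becomes "";
    this approximates, but is not, the flattening done by json-parser().
    """
    if isinstance(value, dict):
        for key, sub in value.items():
            _flatten(sub, f"{name}.{key}", out)
    elif isinstance(value, list):
        for idx, sub in enumerate(value):
            _flatten(sub, f"{name}[{idx}]", out)
    elif value is None:
        out[name] = ""
    elif isinstance(value, bool):
        out[name] = "true" if value else "false"
    else:
        out[name] = str(value)


def parse_netskope(raw, prefix=".netskope."):
    """Model of netskope-parser(): return a dict of name-value pairs.

    Raises ValueError for anything that is not "<PRI>{JSON object}", which is
    the case to alert on (see the "contact us" note above) rather than drop.
    """
    match = PRI_RE.match(raw)
    if match is None:
        raise ValueError("no <PRI> header; message is not in Netskope format")
    pri = int(match.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} outside the valid range 0..191")
    body = raw[match.end():]
    if not body.startswith("{"):
        raise ValueError("expected a JSON object immediately after <PRI>")
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from None
    if not isinstance(payload, dict):
        raise ValueError("JSON body must be an object, not an array or scalar")

    nv = {
        "PROGRAM": "Netskope",          # the page states the parser sets this
        "FACILITY_NUM": str(pri // 8),  # 134 -> 16 (local0)
        "LEVEL_NUM": str(pri % 8),      # 134 -> 6
        "LEVEL": LEVELS[pri % 8],       # 134 -> "info"
    }
    for key, value in payload.items():
        _flatten(value, prefix + key, nv)   # ".netskope." + "user"
    return nv


def is_netskope(raw):
    """True if parse_netskope() accepts the message, False otherwise."""
    try:
        parse_netskope(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, value in sorted(parse_netskope(SAMPLE).items()):
        print(f"{name} = {value!r}")
    # The same message with prefix(".SDATA.netskope.") lands under SDATA names:
    print(parse_netskope(SAMPLE, prefix=".SDATA.netskope.")[".SDATA.netskope.user"])
```

Running it prints every pair the model extracts from the sample, including `.netskope.organization_unit` and the array element `.netskope.supporting_data.data_values[1]`; a plain RFC 3164 line or a bare JSON document without `<PRI>` is rejected, which is the behaviour to watch for in a real pipeline when a Netskope tenant starts sending a format the parser does not handle.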

Last modified October 16, 2025: [Fix @version config numbers in examples (89688d87)](<https://github.com/axoflow/axosyslog-core-docs/commit/89688d8719a35ac2c048319e8fa82c11c6cad085>)