Methods and systems for normalizing log messages. Some methods include obtaining a freeform log message from one of many disparate programs. The methods can include determining which program originated the message and, based on that, determining a signature which matches the message. Using the signature, a parsing expression may be determined with which to extract information from a portion of the message. The time from obtaining the message to extracting the information can be about the same for all messages and can be about 1/40,000th of a second. In some embodiments, a generic signature of the message may be output. A version of the message may be reconstructed based on the generic signature and information. When more than one message signatures matches the reconstructed message, one of the matching signatures can be adjusted. The parsing expression can be the first of an ordered list of expressions which successfully evaluates the log message.