// AWS maps grok pattern names to regular expressions for Amazon S3 access
// logs, classic ELB access logs and CloudFront access logs.
//
// Values use grok syntax: %{NAME} splices in another pattern, %{NAME:field}
// additionally captures the match into the named (ECS-style) field, and a
// trailing :int/:long/:float asks for a typed conversion. Building blocks
// such as WORD, NOTSPACE, IP, HTTPDATE and TIMESTAMP_ISO8601 come from the
// Default map in this package, so those names must stay in sync with it.
// Fields captured through DATA/NOTSPACE (url.original, user_agent.original,
// http.request.referrer, ...) are unconstrained and carry whatever the
// client put in the request, verbatim.
var AWS map[string]string = map[string]string{
// Request line found inside the quoted S3 request_uri column; the HTTP
// version suffix is optional.
"S3_REQUEST_LINE": `(?:%{WORD:http.request.method} %{NOTSPACE:url.original}(?: HTTP/%{NUMBER:http.version})?)`,
// Every "(?:-|...)" alternative treats a bare "-" as an absent column and
// captures nothing for it. The optional trailing group covers the extra
// columns (host_id, signature_version, TLS cipher/version, ...) that are
// present only in the longer log variant.
"S3_ACCESS_LOG": `%{WORD:aws.s3access.bucket_owner} %{NOTSPACE:aws.s3access.bucket} \[%{HTTPDATE:timestamp}\] (?:-|%{IP:client.address}) (?:-|%{NOTSPACE:client.user.id}) %{NOTSPACE:aws.s3access.request_id} %{NOTSPACE:aws.s3access.operation} (?:-|%{NOTSPACE:aws.s3access.key}) (?:-|"%{S3_REQUEST_LINE:aws.s3access.request_uri}") (?:-|%{INT:http.response.status_code:int}) (?:-|%{NOTSPACE:aws.s3access.error_code}) (?:-|%{INT:aws.s3access.bytes_sent:long}) (?:-|%{INT:aws.s3access.object_size:long}) (?:-|%{INT:aws.s3access.total_time:int}) (?:-|%{INT:aws.s3access.turn_around_time:int}) "(?:-|%{DATA:http.request.referrer})" "(?:-|%{DATA:user_agent.original})" (?:-|%{NOTSPACE:aws.s3access.version_id})(?: (?:-|%{NOTSPACE:aws.s3access.host_id}) (?:-|%{NOTSPACE:aws.s3access.signature_version}) (?:-|%{NOTSPACE:tls.cipher}) (?:-|%{NOTSPACE:aws.s3access.authentication_type}) (?:-|%{NOTSPACE:aws.s3access.host_header}) (?:-|%{NOTSPACE:aws.s3access.tls_version}))?`,
// host[:port] part of an ELB request URL.
"ELB_URIHOST": `%{IPORHOST:url.domain}(?::%{POSINT:url.port:int})?`,
// path[?query] part of an ELB request URL.
"ELB_URIPATHQUERY": `%{URIPATH:url.path}(?:\?%{URIQUERY:url.query})?`,
// Alias of ELB_URIPATHQUERY kept under the older name.
"ELB_URIPATHPARAM": `%{ELB_URIPATHQUERY}`,
// Full URL. The userinfo password part, (?::[^@]*)?, is matched but not
// captured into any field; only url.username is.
"ELB_URI": `%{URIPROTO:url.scheme}://(?:%{USER:url.username}(?::[^@]*)?@)?(?:%{ELB_URIHOST})?(?:%{ELB_URIPATHQUERY})?`,
"ELB_REQUEST_LINE": `(?:%{WORD:http.request.method} %{ELB_URI:url.original}(?: HTTP/%{NUMBER:http.version})?)`,
// Classic (v1) ELB access log. "-1" stands for a timing the load balancer
// could not measure and is matched without being captured; the optional
// tail holds the user agent and TLS columns of the extended format.
"ELB_V1_HTTP_LOG": `%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:aws.elb.name} %{IP:source.address}:%{INT:source.port:int} (?:-|(?:%{IP:aws.elb.backend.ip}:%{INT:aws.elb.backend.port:int})) (?:-1|%{NUMBER:aws.elb.request_processing_time.sec:float}) (?:-1|%{NUMBER:aws.elb.backend_processing_time.sec:float}) (?:-1|%{NUMBER:aws.elb.response_processing_time.sec:float}) %{INT:http.response.status_code:int} (?:-|%{INT:aws.elb.backend.http.response.status_code:int}) %{INT:http.request.body.size:long} %{INT:http.response.body.size:long} "%{ELB_REQUEST_LINE}"(?: "(?:-|%{DATA:user_agent.original})" (?:-|%{NOTSPACE:tls.cipher}) (?:-|%{NOTSPACE:aws.elb.ssl_protocol}))?`,
// Alias of ELB_V1_HTTP_LOG kept under the older name.
"ELB_ACCESS_LOG": `%{ELB_V1_HTTP_LOG}`,
// Tab-separated CloudFront access log. The timestamp uses the
// (?<name>...) named-group form, which Go's regexp package only accepts
// from Go 1.22 on -- assumes the engine compiling these patterns runs on
// that version or rewrites the group to (?P<name>...); verify. A status of
// "000" is matched but not captured. The optional trailing group covers the
// columns added by the newer CloudFront log layout.
"CLOUDFRONT_ACCESS_LOG": `(?<timestamp>%{YEAR}[-]%{MONTHNUM}[-]%{MONTHDAY}\t%{TIME})\t%{WORD:aws.cloudfront.x_edge_location}\t(?:-|%{INT:destination.bytes:long})\t%{IPORHOST:source.address}\t%{WORD:http.request.method}\t%{HOSTNAME:url.domain}\t%{NOTSPACE:url.path}\t(?:(?:000)|%{INT:http.response.status_code:int})\t(?:-|%{DATA:http.request.referrer})\t%{DATA:user_agent.original}\t(?:-|%{DATA:url.query})\t(?:-|%{DATA:aws.cloudfront.http.request.cookie})\t%{WORD:aws.cloudfront.x_edge_result_type}\t%{NOTSPACE:aws.cloudfront.x_edge_request_id}\t%{HOSTNAME:aws.cloudfront.http.request.host}\t%{URIPROTO:network.protocol.name}\t(?:-|%{INT:source.bytes:long})\t%{NUMBER:aws.cloudfront.time_taken:float}\t(?:-|%{IP:network.forwarded_ip})\t(?:-|%{DATA:aws.cloudfront.ssl_protocol})\t(?:-|%{NOTSPACE:tls.cipher})\t%{WORD:aws.cloudfront.x_edge_response_result_type}(?:\t(?:-|HTTP/%{NUMBER:http.version})\t(?:-|%{DATA:aws.cloudfront.fle_status})\t(?:-|%{DATA:aws.cloudfront.fle_encrypted_fields})\t%{INT:source.port:int}\t%{NUMBER:aws.cloudfront.time_to_first_byte:float}\t(?:-|%{DATA:aws.cloudfront.x_edge_detailed_result_type})\t(?:-|%{NOTSPACE:http.request.mime_type})\t(?:-|%{INT:aws.cloudfront.http.request.size:long})\t(?:-|%{INT:aws.cloudfront.http.request.range.start:long})\t(?:-|%{INT:aws.cloudfront.http.request.range.end:long}))?`,
}
// Bind9 maps grok pattern names to regular expressions for BIND 9 query
// logs. Grok syntax is as in the other maps of this package: %{NAME} splices
// a pattern in, %{NAME:field} captures it, a trailing :int converts the
// value. MONTHDAY/MONTH/YEAR/TIME/IP/POSINT/GREEDYDATA/DATA/LOGLEVEL come
// from the Default map.
var Bind9 map[string]string = map[string]string{
// e.g. "17-Feb-2018 23:06:58" (day-month-year followed by a TIME).
"BIND9_TIMESTAMP": `%{MONTHDAY}[-]%{MONTH}[-]%{YEAR} %{TIME}`,
// Resource-record types accepted in the query. "IN" is a class, not a
// record type; it is listed here anyway, so be aware it is accepted too.
"BIND9_DNSTYPE": `(?:A|AAAA|CAA|CDNSKEY|CDS|CERT|CNAME|CSYNC|DLV|DNAME|DNSKEY|DS|HINFO|LOC|MX|NAPTR|NS|NSEC|NSEC3|OPENPGPKEY|PTR|RRSIG|RP|SIG|SMIMEA|SOA|SRV|TSIG|TXT|URI|IN)`,
// Only the "queries" category is recognised.
"BIND9_CATEGORY": `(?:queries)`,
// The "client ... #port (name): query: ..." part of a query-log line.
// The two groups written as "(:? ...)?" almost certainly meant "(?: ...)?":
// as written each is a capturing group with an optional leading colon, which
// still matches the intended " @0x..." / " flags" text but adds an unnamed
// capture. dns.question.class is captured through a (?P<...>) group whose
// name uses "___" where the ECS field has a dot (Go regexp group names
// cannot contain "."); presumably the loader maps "___" back to "." --
// confirm against the caller. dns.question.name is GREEDYDATA, i.e.
// unconstrained attacker-chosen text from the query.
"BIND9_QUERYLOGBASE": `client(:? @0x(?:[0-9A-Fa-f]+))? %{IP:client.address}#%{POSINT:client.port:int} \(%{GREEDYDATA:bind.log.question.name}\): query: %{GREEDYDATA:dns.question.name} (?P<dns___question___class>(?:IN)) %{BIND9_DNSTYPE:dns.question.type}(:? %{DATA:bind.log.question.flags})? \(%{IP:server.address}\)`,
// NOTE(review): the category is captured into "bing.log.category"; every
// sibling field here is under "bind." and this looks like a typo. It is
// left as is because consumers may already key on the emitted name --
// confirm before renaming.
"BIND9_QUERYLOG": `%{BIND9_TIMESTAMP:timestamp} %{BIND9_CATEGORY:bing.log.category}: %{LOGLEVEL:log.level}: %{BIND9_QUERYLOGBASE}`,
// Top-level entry point; currently only the query log is covered.
"BIND9": `%{BIND9_QUERYLOG}`,
}
// Bro maps grok pattern names to regular expressions for Bro/Zeek
// tab-separated logs (http.log, dns.log, conn.log, files.log). Captured
// fields use the "zeek." namespace plus ECS names; NUMBER/NOTSPACE/IP/INT/
// WORD/POSINT/NONNEGINT/DATA come from the Default map.
var Bro map[string]string = map[string]string{
// Zeek booleans are written as a single "T" or "F".
"BRO_BOOL": `[TF]`,
// One tab-delimited column: anything up to the next tab. Unlike DATA it
// cannot run across column boundaries.
"BRO_DATA": `[^\t]+`,
// http.log. "-" marks an unset column and is matched without capture;
// the tags column uses "(empty)" instead of "-" for an empty set.
"BRO_HTTP": `%{NUMBER:timestamp}\t%{NOTSPACE:zeek.session_id}\t%{IP:source.address}\t%{INT:source.port:int}\t%{IP:destination.address}\t%{INT:destination.port:int}\t%{INT:zeek.http.trans_depth:int}\t(?:-|%{WORD:http.request.method})\t(?:-|%{BRO_DATA:url.domain})\t(?:-|%{BRO_DATA:url.original})\t(?:-|%{BRO_DATA:http.request.referrer})\t(?:-|%{BRO_DATA:user_agent.original})\t(?:-|%{NUMBER:http.request.body.size:long})\t(?:-|%{NUMBER:http.response.body.size:long})\t(?:-|%{POSINT:http.response.status_code:int})\t(?:-|%{DATA:zeek.http.status_msg})\t(?:-|%{POSINT:zeek.http.info_code:int})\t(?:-|%{DATA:zeek.http.info_msg})\t(?:-|%{BRO_DATA:zeek.http.filename})\t(?:\(empty\)|%{BRO_DATA:zeek.http.tags})\t(?:-|%{BRO_DATA:url.username})\t(?:-|%{BRO_DATA:url.password})\t(?:-|%{BRO_DATA:zeek.http.proxied})\t(?:-|%{BRO_DATA:zeek.http.orig_fuids})\t(?:-|%{BRO_DATA:http.request.mime_type})\t(?:-|%{BRO_DATA:zeek.http.resp_fuids})\t(?:-|%{BRO_DATA:http.response.mime_type})`,
// dns.log. The AA/TC/RD/RA flags are BRO_BOOL columns; Z is a non-negative
// integer.
"BRO_DNS": `%{NUMBER:timestamp}\t%{NOTSPACE:zeek.session_id}\t%{IP:source.address}\t%{INT:source.port:int}\t%{IP:destination.address}\t%{INT:destination.port:int}\t%{WORD:network.transport}\t(?:-|%{INT:dns.id:int})\t(?:-|%{BRO_DATA:dns.question.name})\t(?:-|%{INT:zeek.dns.qclass:int})\t(?:-|%{BRO_DATA:zeek.dns.qclass_name})\t(?:-|%{INT:zeek.dns.qtype:int})\t(?:-|%{BRO_DATA:dns.question.type})\t(?:-|%{INT:zeek.dns.rcode:int})\t(?:-|%{BRO_DATA:dns.response_code})\t(?:-|%{BRO_BOOL:zeek.dns.AA})\t(?:-|%{BRO_BOOL:zeek.dns.TC})\t(?:-|%{BRO_BOOL:zeek.dns.RD})\t(?:-|%{BRO_BOOL:zeek.dns.RA})\t(?:-|%{NONNEGINT:zeek.dns.Z:int})\t(?:-|%{BRO_DATA:zeek.dns.answers})\t(?:-|%{DATA:zeek.dns.TTLs})\t(?:-|%{BRO_BOOL:zeek.dns.rejected})`,
// conn.log. The local_resp column (with its tab) is optional, presumably
// for log versions that do not emit it -- confirm against the Zeek
// versions in use. tunnel_parents uses "(empty)" for an empty set.
"BRO_CONN": `%{NUMBER:timestamp}\t%{NOTSPACE:zeek.session_id}\t%{IP:source.address}\t%{INT:source.port:int}\t%{IP:destination.address}\t%{INT:destination.port:int}\t%{WORD:network.transport}\t(?:-|%{BRO_DATA:network.protocol.name})\t(?:-|%{NUMBER:zeek.connection.duration:float})\t(?:-|%{INT:zeek.connection.orig_bytes:long})\t(?:-|%{INT:zeek.connection.resp_bytes:long})\t(?:-|%{BRO_DATA:zeek.connection.state})\t(?:-|%{BRO_BOOL:zeek.connection.local_orig})\t(?:(?:-|%{BRO_BOOL:zeek.connection.local_resp})\t)?(?:-|%{INT:zeek.connection.missed_bytes:long})\t(?:-|%{BRO_DATA:zeek.connection.history})\t(?:-|%{INT:source.packets:long})\t(?:-|%{INT:source.bytes:long})\t(?:-|%{INT:destination.packets:long})\t(?:-|%{INT:destination.bytes:long})\t(?:\(empty\)|%{BRO_DATA:zeek.connection.tunnel_parents})`,
// files.log. Hash columns (file.hash.md5/sha1/sha256) are captured as
// plain BRO_DATA, so their length and alphabet are not validated here.
"BRO_FILES": `%{NUMBER:timestamp}\t%{NOTSPACE:zeek.files.fuid}\t(?:-|%{IP:server.address})\t(?:-|%{IP:client.address})\t(?:-|%{BRO_DATA:zeek.files.session_ids})\t(?:-|%{BRO_DATA:zeek.files.source})\t(?:-|%{INT:zeek.files.depth:int})\t(?:-|%{BRO_DATA:zeek.files.analyzers})\t(?:-|%{BRO_DATA:file.mime_type})\t(?:-|%{BRO_DATA:file.name})\t(?:-|%{NUMBER:zeek.files.duration:float})\t(?:-|%{BRO_DATA:zeek.files.local_orig})\t(?:-|%{BRO_BOOL:zeek.files.is_orig})\t(?:-|%{INT:zeek.files.seen_bytes:long})\t(?:-|%{INT:file.size:long})\t(?:-|%{INT:zeek.files.missing_bytes:long})\t(?:-|%{INT:zeek.files.overflow_bytes:long})\t(?:-|%{BRO_BOOL:zeek.files.timedout})\t(?:-|%{BRO_DATA:zeek.files.parent_fuid})\t(?:-|%{BRO_DATA:file.hash.md5})\t(?:-|%{BRO_DATA:file.hash.sha1})\t(?:-|%{BRO_DATA:file.hash.sha256})\t(?:-|%{BRO_DATA:zeek.files.extracted})`,
}
// Default holds the base grok patterns (numbers, network addresses, paths,
// dates, syslog pieces) that every other pattern map in this package
// references by name, e.g. %{IP}, %{HTTPDATE}, %{LOGLEVEL}. Renaming or
// removing an entry here breaks those references.
//
// Patterns are Go raw strings, so a backslash in the text is a regex
// backslash. If they are compiled with Go's regexp (RE2) matching is
// linear-time, so the large alternations below (IPV6, HOSTNAME, QUOTEDSTRING)
// cannot be driven into catastrophic backtracking; that guarantee does not
// carry over if the same strings are reused with a backtracking engine.
var Default map[string]string = map[string]string{
"WORD": `\b\w+\b`,
"NOTSPACE": `\S+`,
// Note: zero or more spaces, so SPACE also matches the empty string.
"SPACE": `\s*`,
// Lazy: stops as soon as the following pattern can match. Captures
// anything, including bytes that are not printable text.
"DATA": `.*?`,
"INT": `(?:[+-]?(?:[0-9]+))`,
"NUMBER": `(?:%{BASE10NUM})`,
// Written as an interpreted string rather than a raw string like its
// neighbours; harmless because it contains no backslashes.
"BOOL": "true|false",
// Signed decimal with optional fraction, or a bare ".123" fraction.
"BASE10NUM": `([+-]?(?:[0-9]+(?:\.[0-9]+)?)|\.[0-9]+)`,
"BASE16NUM": `[+-]?(?:0x)?[0-9A-Fa-f]+`,
"BASE16FLOAT": `[+-]?(?:0x)?[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?`,
// Strictly positive, no leading zeros (so "0" and "007" do not match).
"POSINT": `\b[1-9][0-9]*\b`,
"NONNEGINT": `\b[0-9]+\b`,
// Greedy counterpart of DATA: swallows the rest of the line.
"GREEDYDATA": `.*`,
// Double- or single-quoted string with backslash escapes allowed inside.
"QUOTEDSTRING": `"([^"\\]*(\\.[^"\\]*)*)"|\'([^\'\\]*(\\.[^\'\\]*)*)\'`,
"UUID": `[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}`,
"URN": `urn:[0-9A-Za-z][0-9A-Za-z-]{0,31}:[0-9A-Za-z()+,.:=@;$_!*'/?#-]+`,
// IPv6 is tried before IPv4.
"IP": `(?:%{IPV6}|%{IPV4})`,
// Every compressed/uncompressed form plus an embedded dotted IPv4 tail.
// The final (%.+)? accepts a zone index ("%eth0"); because it is ".+" it
// takes everything up to the point where the following pattern can match.
"IPV6": `((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?`,
// Dotted quad, each octet 0-255 (leading zeros like "01" allowed).
"IPV4": `(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`,
"IPORHOST": `(?:%{IP}|%{HOSTNAME})`,
// Dot-separated labels of up to 63 characters; a trailing dot is allowed.
// Labels may start with a digit, so this also matches plain numbers.
"HOSTNAME": `\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)`,
// Note: "_.+-=:" inside the class is the range '+'..'=' (which includes
// digits and the comparison characters) rather than the literal set it
// looks like.
"EMAILLOCALPART": `[a-zA-Z][a-zA-Z0-9_.+-=:]+`,
"EMAILADDRESS": `%{EMAILLOCALPART}@%{HOSTNAME}`,
"USERNAME": `[a-zA-Z0-9._-]+`,
"USER": `%{USERNAME}`,
// Cisco (xxxx.xxxx.xxxx), Windows (xx-xx-...) or colon-separated form.
"MAC": `(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})`,
"CISCOMAC": `(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})`,
"WINDOWSMAC": `(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})`,
"COMMONMAC": `(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})`,
"HOSTPORT": `%{IPORHOST}:%{POSINT}`,
// Absolute path; each component may contain the listed punctuation.
"UNIXPATH": `(/[\w_%!$@:.,+~-]+)+`,
"TTY": `/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+)`,
// Drive letter(s) followed by backslash-separated components.
"WINPATH": `[A-Za-z]+:(\\[^\\?*]+)+`,
"URIPROTO": `[A-Za-z][A-Za-z0-9+\.-]+`,
"URIHOST": `%{IPORHOST}(?::%{POSINT})?`,
"URIPATH": `(/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]+)+`,
// May be empty; "?" itself is allowed inside the query text.
"URIQUERY": `[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*`,
"URIPARAM": `\?%{URIQUERY}`,
"URIPATHPARAM": `%{URIPATH}(?:\?%{URIQUERY})?`,
// The userinfo password, (?::[^@]*)?, is matched but never captured.
"URI": `%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?%{URIHOST}(?:%{URIPATH}(?:\?%{URIQUERY})?)?`,
"PATH": `(?:%{UNIXPATH}|%{WINPATH})`,
// English month names, abbreviated or full.
"MONTH": `\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b`,
"MONTHNUM": `(?:0[1-9]|1[0-2])`,
// 01-31 or unpadded 1-9.
"MONTHDAY": `(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])`,
"DAY": `\b(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)\b`,
// Two or four digits.
"YEAR": `(\d\d){1,2}`,
"HOUR": `(?:2[0123]|[01]?[0-9])`,
"MINUTE": `(?:[0-5][0-9])`,
// 00-60 (60 for leap seconds), with an optional fractional part
// separated by ':', '.' or ','.
"SECOND": `(?:(?:[0-5][0-9]|60)(?:[:.,][0-9]+)?)`,
"TIME": `%{HOUR}:%{MINUTE}(?::%{SECOND})?`,
"DATE_US": `%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}`,
"DATE_EU": `%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}`,
// "Z" or +hh:mm / +hhmm.
"ISO8601_TIMEZONE": `(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))`,
"ISO8601_SECOND": `%{SECOND}`,
// Date and time separated by 'T' or a space; the timezone is optional.
"TIMESTAMP_ISO8601": `%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?`,
// Top-level alternation without a surrounding group: when DATE is
// embedded in a larger pattern the "|" splits that pattern unless the
// expander wraps it. Grok expanders normally do; verify for this engine.
"DATE": `%{DATE_US}|%{DATE_EU}`,
"DATESTAMP": `%{DATE}[- ]%{TIME}`,
// US zones (PST, MDT, ...) and UTC only.
"TZ": `(?:[PMACE][SED]T|UTC)`,
"DATESTAMP_RFC822": `%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}`,
"DATESTAMP_RFC2822": `%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}`,
"DATESTAMP_OTHER": `%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}`,
"DATESTAMP_EVENTLOG": `%{YEAR}%{MONTHNUM}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}`,
// One or more spaces before the day to allow the right-aligned "Feb  3".
"SYSLOGTIMESTAMP": `%{MONTH} +%{MONTHDAY} %{TIME}`,
// Printable ASCII except '[' and ']' (the ranges !-Z and ^-~ plus an
// escaped backslash), so the "[pid]" suffix is left for SYSLOGPROG.
"PROG": `[!-Z\\^-~]+`,
"SYSLOGPROG": `%{PROG}(?:\[\d+\])?`,
"SYSLOGHOST": `%{IPORHOST}`,
// "<facility.severity>"; the '.' is unescaped and so matches any character.
"SYSLOGFACILITY": `<%{NONNEGINT}.%{NONNEGINT}>`,
// Apache-style "10/Oct/2000:13:55:36 -0700".
"HTTPDATE": `%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}`,
"QS": `%{QUOTEDSTRING}`,
"SYSLOGBASE": `%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:host.name} %{SYSLOGPROG}:`,
// The leading (?i) makes the match case-insensitive; in Go regexp a flag
// set this way stays in effect to the end of the enclosing group, so it is
// scoped to wherever the expander places this pattern -- confirm that the
// expander wraps it in a group.
"LOGLEVEL": `(?i)(alert|trace|debug|notice|info(?:rmation)?|warn(?:ing)?|err(?:or)?|crit(?:ical)?|fatal|severe|emerg(?:ency)?)`,
}
// Exim maps grok pattern names to regular expressions for Exim main-log
// lines, currently the message-arrival ("<=") record. Fields land under
// "exim.log." plus ECS names; YEAR/MONTHNUM/MONTHDAY/TIME/POSINT/NOTSPACE/
// IP/NUMBER/QUOTEDSTRING/EMAILADDRESS/DATA come from the Default map.
var Exim map[string]string = map[string]string{
// Exim message id: three base-62 groups, e.g. "1hkqnt-0001Dz-7L".
"EXIM_MSGID": `[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}`,
// Log-line flag tokens (arrival, delivery, deferral, ...).
"EXIM_FLAGS": `(?:<=|=>|->|\*>|\*\*|==|<>|>>)`,
// "(:?" here almost certainly meant "(?:": as written it is a capturing
// group with an optional leading colon. It still matches the date.
"EXIM_DATE": `(:?%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME})`,
"EXIM_PID": `\[%{POSINT:process.pid:int}\]`,
// Queue time such as "2h3m", every unit optional.
"EXIM_QT": `((\d+y)?(\d+w)?(\d+d)?(\d+h)?(\d+m)?(\d+s)?)`,
// Not referenced by any other pattern in this map; presumably used by
// callers to drop lines that carry no message record -- confirm.
"EXIM_EXCLUDE_TERMS": `(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)`,
// "H=(name) (addr) [ip]:port" -- the parenthesised parts are optional.
"EXIM_REMOTE_HOST": `(H=(\(%{NOTSPACE:source.host.name}\) )?(\(%{NOTSPACE:exim.log.remote_address}\) )?\[%{IP:source.address}\](?::%{POSINT:source.port:int})?)`,
"EXIM_INTERFACE": `(I=\[%{IP:destination.address}\](?::%{NUMBER:destination.port:int}))`,
"EXIM_PROTOCOL": `(P=%{NOTSPACE:network.protocol.name})`,
"EXIM_MSG_SIZE": `(S=%{NUMBER:exim.log.message.body.size:int})`,
"EXIM_HEADER_ID": `(id=%{NOTSPACE:exim.log.header_id})`,
// Body of a double-quoted value with backslash escapes.
"EXIM_QUOTED_CONTENT": `(?:\\.|[^\\"])*`,
"EXIM_SUBJECT": `(T="%{EXIM_QUOTED_CONTENT:exim.log.message.subject}")`,
// Catch-all for any other "X=value" field so unknown keys do not break
// the match; nothing is captured from it.
"EXIM_UNKNOWN_FIELD": `(?:[A-Za-z0-9]{1,4}=(?:%{QUOTEDSTRING}|%{NOTSPACE}))`,
// Zero or more space-separated fields, known ones first.
"EXIM_NAMED_FIELDS": `(?: (?:%{EXIM_REMOTE_HOST}|%{EXIM_INTERFACE}|%{EXIM_PROTOCOL}|%{EXIM_MSG_SIZE}|%{EXIM_HEADER_ID}|%{EXIM_SUBJECT}|%{EXIM_UNKNOWN_FIELD}))*`,
// Arrival record. The flag and status are captured through (?P<...>)
// groups whose names use "___" for the dots of the ECS field name (Go
// regexp forbids "." in group names); presumably the loader maps "___"
// back -- confirm. The flag group only accepts "<=" (written escaped).
"EXIM_MESSAGE_ARRIVAL": `%{EXIM_DATE:timestamp} (?:%{EXIM_PID} )?%{EXIM_MSGID:exim.log.message.id} (?P<exim___log___flags>\<\=) ((?P<exim___log___status>[a-z:]) )?%{EMAILADDRESS:exim.log.sender.email}%{EXIM_NAMED_FIELDS}(?:(?: from \<?%{DATA:exim.log.sender.original}\>?)? for %{EMAILADDRESS:exim.log.recipient.email})?`,
// Top-level entry point; only arrival records are covered.
"EXIM": `%{EXIM_MESSAGE_ARRIVAL}`,
}
// Firewalls maps grok pattern names to regular expressions for firewall
// syslog: NetScreen session logs, Cisco ASA/FWSM message bodies (keyed by
// message id, e.g. CISCOFW302013_302014_302015_302016 covers four ids),
// Linux iptables/netfilter, Shorewall and SuSEfirewall2.
//
// The CISCOFW* entries match only the text after the "%ASA-n-id:" tag;
// CISCO_TAGGED_SYSLOG matches the tag itself. Several entries capture
// free text through DATA/GREEDYDATA (event.reason, rule names, user
// names), which is unconstrained log content.
var Firewalls map[string]string = map[string]string{
// The ".*?" after device_id skips unknown text up to the optional
// "system-<sev>-<code>(<type>)" part. observer.product is captured through
// a (?P<...>) group whose name uses "___" for the ECS dot (Go regexp group
// names cannot contain "."); presumably the loader maps it back -- confirm.
// netscreen.policy_id and netscreen.session.id are captured untyped.
"NETSCREENSESSIONLOG": `%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:observer.hostname} %{NOTSPACE:observer.name}\: (?P<observer___product>NetScreen) device_id=%{WORD:netscreen.device_id} .*?(system-(\w+)-(%{NONNEGINT:event.code})\((%{WORD:netscreen.session.type})\))?\: start_time="%{DATA:netscreen.session.start_time}" duration=%{INT:netscreen.session.duration:int} policy_id=%{INT:netscreen.policy_id} service=%{DATA:netscreen.service} proto=%{INT:netscreen.protocol_number:int} src zone=%{WORD:observer.ingress.zone} dst zone=%{WORD:observer.egress.zone} action=%{WORD:event.action} sent=%{INT:source.bytes:long} rcvd=%{INT:destination.bytes:long} src=%{IPORHOST:source.address} dst=%{IPORHOST:destination.address}(?: src_port=%{INT:source.port:int} dst_port=%{INT:destination.port:int})?(?: src-xlated ip=%{IP:source.nat.ip} port=%{INT:source.nat.port:int} dst-xlated ip=%{IP:destination.nat.ip} port=%{INT:destination.nat.port:int})?(?: session_id=%{INT:netscreen.session.id} reason=%{GREEDYDATA:netscreen.session.reason})?`,
// Anchored at the start of the line: "<pri>timestamp host : %TAG:". The
// "%%" is a literal percent sign followed by the expanded CISCOTAG.
"CISCO_TAGGED_SYSLOG": `^<%{POSINT:log.syslog.priority:int}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:host.name})? ?: %%{CISCOTAG:cisco.asa.tag}:`,
"CISCOTIMESTAMP": `%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}`,
// e.g. "ASA-6-302013".
"CISCOTAG": `[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)`,
// Top-level alternations (no surrounding group); relies on the expander
// wrapping the pattern when it is embedded. Same for CISCO_REASON,
// CISCO_DIRECTION, CISCO_INTERVAL and CISCO_XLATE_TYPE below.
"CISCO_ACTION": `Built|Teardown|Deny|Denied|denied by ACL|requested|permitted|denied|discarded|est-allowed|Dropping|created|deleted`,
// The last alternative, (?:%{WORD}\s*)*, accepts any run of words, so
// this is effectively a catch-all; under a backtracking engine that
// nested quantifier would also be a classic slow-match shape.
"CISCO_REASON": `Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*`,
"CISCO_DIRECTION": `Inbound|inbound|Outbound|outbound`,
"CISCO_INTERVAL": `first hit|%{INT}-second interval`,
"CISCO_XLATE_TYPE": `static|dynamic`,
"CISCO_HITCOUNT_INTERVAL": `hit-cnt %{INT:cisco.asa.hit_count:int} (?:first hit|%{INT:cisco.asa.interval:int}-second interval)`,
// "iface:ip(user)" with the user part optional.
"CISCO_SRC_IP_USER": `%{NOTSPACE:observer.ingress.interface.name}:%{IP:source.address}(?:\(%{DATA:source.user.name}\))?`,
"CISCO_DST_IP_USER": `%{NOTSPACE:observer.egress.interface.name}:%{IP:destination.address}(?:\(%{DATA:destination.user.name}\))?`,
// Like the *_IP_USER forms but also accepts a hostname and an optional
// "/port".
"CISCO_SRC_HOST_PORT_USER": `%{NOTSPACE:observer.ingress.interface.name}:(?:(?:%{IP:source.address})|(?:%{HOSTNAME:source.address}))(?:/%{INT:source.port:int})?(?:\(%{DATA:source.user.name}\))?`,
"CISCO_DST_HOST_PORT_USER": `%{NOTSPACE:observer.egress.interface.name}:(?:(?:%{IP:destination.address})|(?:%{HOSTNAME:destination.address}))(?:/%{INT:destination.port:int})?(?:\(%{DATA:destination.user.name}\))?`,
// Failover state changes.
"CISCOFW104001": `\((?:Primary|Secondary)\) Switching to ACTIVE - %{GREEDYDATA:event.reason}`,
"CISCOFW104002": `\((?:Primary|Secondary)\) Switching to STANDBY - %{GREEDYDATA:event.reason}`,
"CISCOFW104003": `\((?:Primary|Secondary)\) Switching to FAILED\.`,
"CISCOFW104004": `\((?:Primary|Secondary)\) Switching to OK\.`,
// Failover interface monitoring.
"CISCOFW105003": `\((?:Primary|Secondary)\) Monitoring on [Ii]nterface %{NOTSPACE:network.interface.name} waiting`,
"CISCOFW105004": `\((?:Primary|Secondary)\) Monitoring on [Ii]nterface %{NOTSPACE:network.interface.name} normal`,
"CISCOFW105005": `\((?:Primary|Secondary)\) Lost Failover communications with mate on [Ii]nterface %{NOTSPACE:network.interface.name}`,
"CISCOFW105008": `\((?:Primary|Secondary)\) Testing [Ii]nterface %{NOTSPACE:network.interface.name}`,
"CISCOFW105009": `\((?:Primary|Secondary)\) Testing on [Ii]nterface %{NOTSPACE:network.interface.name} (?:Passed|Failed)`,
// Connection denied/permitted messages.
"CISCOFW106001": `%{CISCO_DIRECTION:cisco.asa.network.direction} %{WORD:cisco.asa.network.transport} connection %{CISCO_ACTION:cisco.asa.outcome} from %{IP:source.address}/%{INT:source.port:int} to %{IP:destination.address}/%{INT:destination.port:int} flags %{DATA:cisco.asa.tcp_flags} on interface %{NOTSPACE:observer.egress.interface.name}`,
"CISCOFW106006_106007_106010": `%{CISCO_ACTION:cisco.asa.outcome} %{CISCO_DIRECTION:cisco.asa.network.direction} %{WORD:cisco.asa.network.transport} (?:from|src) %{IP:source.address}/%{INT:source.port:int}(?:\(%{DATA:source.user.name}\))? (?:to|dst) %{IP:destination.address}/%{INT:destination.port:int}(?:\(%{DATA:destination.user.name}\))? (?:(?:on interface %{NOTSPACE:observer.egress.interface.name})|(?:due to %{CISCO_REASON:event.reason}))`,
"CISCOFW106014": `%{CISCO_ACTION:cisco.asa.outcome} %{CISCO_DIRECTION:cisco.asa.network.direction} %{WORD:cisco.asa.network.transport} src %{CISCO_SRC_IP_USER} dst %{CISCO_DST_IP_USER}\s?\(type %{INT:cisco.asa.icmp_type:int}, code %{INT:cisco.asa.icmp_code:int}\)`,
"CISCOFW106015": `%{CISCO_ACTION:cisco.asa.outcome} %{WORD:cisco.asa.network.transport} \(%{DATA:cisco.asa.rule_name}\) from %{IP:source.address}/%{INT:source.port:int} to %{IP:destination.address}/%{INT:destination.port:int} flags %{DATA:cisco.asa.tcp_flags} on interface %{NOTSPACE:observer.egress.interface.name}`,
"CISCOFW106021": `%{CISCO_ACTION:cisco.asa.outcome} %{WORD:cisco.asa.network.transport} reverse path check from %{IP:source.address} to %{IP:destination.address} on interface %{NOTSPACE:observer.egress.interface.name}`,
// NOTE(review): this entry uses non-ECS, untyped field names (action,
// source.interface, source.fwuser, policy_id, hashcode1/2) unlike every
// sibling CISCOFW* pattern, so its events will not line up with theirs.
"CISCOFW106023": `%{CISCO_ACTION:action}( protocol)? %{WORD:network.protocol.name} src %{DATA:source.interface}:%{DATA:source.address}(/%{INT:source.port})?(\(%{DATA:source.fwuser}\))? dst %{DATA:destination.interface}:%{DATA:destination.address}(/%{INT:destination.port})?(\(%{DATA:destination.fwuser}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "?%{DATA:policy_id}"? \[%{DATA:hashcode1}, %{DATA:hashcode2}\]`,
"CISCOFW106100_2_3": `access-list %{NOTSPACE:cisco.asa.rule_name} %{CISCO_ACTION:cisco.asa.outcome} %{WORD:cisco.asa.network.transport} for user '%{DATA:user.name}' %{DATA:observer.ingress.interface.name}\/%{IP:source.address}\(%{INT:source.port:int}\) -> %{DATA:observer.egress.interface.name}\/%{IP:destination.address}\(%{INT:destination.port:int}\) %{CISCO_HITCOUNT_INTERVAL} \[%{DATA:metadata.cisco.asa.hashcode1}\, %{DATA:metadata.cisco.asa.hashcode2}\]`,
// NOTE(review): the user group after the destination side also captures
// into source.user.name; the sibling patterns use destination.user.name
// there. Looks like a copy/paste slip -- verify against upstream.
"CISCOFW106100": `access-list %{NOTSPACE:cisco.asa.rule_name} %{CISCO_ACTION:cisco.asa.outcome} %{WORD:cisco.asa.network.transport} %{DATA:observer.ingress.interface.name}/%{IP:source.address}\(%{INT:source.port:int}\)(?:\(%{DATA:source.user.name}\))? -> %{DATA:observer.egress.interface.name}/%{IP:destination.address}\(%{INT:destination.port:int}\)(?:\(%{DATA:source.user.name}\))? hit-cnt %{INT:cisco.asa.hit_count:int} %{CISCO_INTERVAL} \[%{DATA:metadata.cisco.asa.hashcode1}\, %{DATA:metadata.cisco.asa.hashcode2}\]`,
// url.original is GREEDYDATA: the rest of the line, unvalidated.
"CISCOFW304001": `%{IP:source.address}(?:\(%{DATA:source.user.name}\))? Accessed URL %{IP:destination.address}:%{GREEDYDATA:url.original}`,
"CISCOFW110002": `%{CISCO_REASON:event.reason} for %{WORD:cisco.asa.network.transport} from %{DATA:observer.ingress.interface.name}:%{IP:source.address}/%{INT:source.port:int} to %{IP:destination.address}/%{INT:destination.port:int}`,
"CISCOFW302010": `%{INT:cisco.asa.connections.in_use:int} in use, %{INT:cisco.asa.connections.most_used:int} most used`,
// Connection build/teardown. NOTE(review): the first user group captures
// into "source.user.name?" -- the trailing "?" is part of the field name
// as written and is almost certainly a typo for "source.user.name".
// cisco.asa.connection_id is captured untyped.
"CISCOFW302013_302014_302015_302016": `%{CISCO_ACTION:cisco.asa.outcome}(?: %{CISCO_DIRECTION:cisco.asa.network.direction})? %{WORD:cisco.asa.network.transport} connection %{INT:cisco.asa.connection_id} for %{NOTSPACE:observer.ingress.interface.name}:%{IP:source.address}/%{INT:source.port:int}(?: \(%{IP:source.nat.ip}/%{INT:source.nat.port:int}\))?(?:\(%{DATA:source.user.name?}\))? to %{NOTSPACE:observer.egress.interface.name}:%{IP:destination.address}/%{INT:destination.port:int}( \(%{IP:destination.nat.ip}/%{INT:destination.nat.port:int}\))?(?:\(%{DATA:destination.user.name}\))?( duration %{TIME:cisco.asa.duration} bytes %{INT:network.bytes:long})?(?: %{CISCO_REASON:event.reason})?(?: \(%{DATA:user.name}\))?`,
// ICMP connection messages: the "/n" after faddr and gaddr are the ICMP
// sequence and type, not ports.
"CISCOFW302020_302021": `%{CISCO_ACTION:cisco.asa.outcome}(?: %{CISCO_DIRECTION:cisco.asa.network.direction})? %{WORD:cisco.asa.network.transport} connection for faddr %{IP:destination.address}/%{INT:cisco.asa.icmp_seq:int}(?:\(%{DATA:destination.user.name}\))? gaddr %{IP:source.nat.ip}/%{INT:cisco.asa.icmp_type:int} laddr %{IP:source.address}/%{INT}(?: \(%{DATA:source.user.name}\))?`,
// NAT translation build/teardown; the xlate type is matched, not captured.
"CISCOFW305011": `%{CISCO_ACTION:cisco.asa.outcome} %{CISCO_XLATE_TYPE} %{WORD:cisco.asa.network.transport} translation from %{DATA:observer.ingress.interface.name}:%{IP:source.address}(/%{INT:source.port:int})?(?:\(%{DATA:source.user.name}\))? to %{DATA:observer.egress.interface.name}:%{IP:destination.address}/%{INT:destination.port:int}`,
"CISCOFW313001_313004_313008": `%{CISCO_ACTION:cisco.asa.outcome} %{WORD:cisco.asa.network.transport} type=%{INT:cisco.asa.icmp_type:int}, code=%{INT:cisco.asa.icmp_code:int} from %{IP:source.address} on interface %{NOTSPACE:observer.egress.interface.name}(?: to %{IP:destination.address})?`,
// ICMP error with the original (inner) IP payload captured under
// cisco.asa.original_ip_payload.*.
"CISCOFW313005": `%{CISCO_REASON:event.reason} for %{WORD:cisco.asa.network.transport} error message: %{WORD} src %{CISCO_SRC_IP_USER} dst %{CISCO_DST_IP_USER} \(type %{INT:cisco.asa.icmp_type:int}, code %{INT:cisco.asa.icmp_code:int}\) on %{NOTSPACE} interface\.\s+Original IP payload: %{WORD:cisco.asa.original_ip_payload.network.transport} src %{IP:cisco.asa.original_ip_payload.source.address}/%{INT:cisco.asa.original_ip_payload.source.port:int}(?:\(%{DATA:cisco.asa.original_ip_payload.source.user.name}\))? dst %{IP:cisco.asa.original_ip_payload.destination.address}/%{INT:cisco.asa.original_ip_payload.destination.port:int}(?:\(%{DATA:cisco.asa.original_ip_payload.destination.user.name}\))?`,
"CISCOFW321001": `Resource '%{DATA:cisco.asa.resource.name}' limit of %{POSINT:cisco.asa.resource.limit:int} reached for system`,
// IPsec / VPN messages.
"CISCOFW402117": `%{WORD:cisco.asa.network.type}: Received a non-IPSec packet \(protocol=\s?%{WORD:cisco.asa.network.transport}\) from %{IP:source.address} to %{IP:destination.address}\.?`,
"CISCOFW402119": `%{WORD:cisco.asa.network.type}: Received an %{WORD:cisco.asa.ipsec.protocol} packet \(SPI=\s?%{DATA:cisco.asa.ipsec.spi}, sequence number=\s?%{DATA:cisco.asa.ipsec.seq_num}\) from %{IP:source.address} \(user=\s?%{DATA:source.user.name}\) to %{IP:destination.address} that failed anti-replay checking\.?`,
"CISCOFW419001": `%{CISCO_ACTION:cisco.asa.outcome} %{WORD:cisco.asa.network.transport} packet from %{NOTSPACE:observer.ingress.interface.name}:%{IP:source.address}/%{INT:source.port:int} to %{NOTSPACE:observer.egress.interface.name}:%{IP:destination.address}/%{INT:destination.port:int}, reason: %{GREEDYDATA:event.reason}`,
"CISCOFW419002": `%{CISCO_REASON:event.reason} from %{DATA:observer.ingress.interface.name}:%{IP:source.address}/%{INT:source.port:int} to %{DATA:observer.egress.interface.name}:%{IP:destination.address}/%{INT:destination.port:int} with different initial sequence number`,
"CISCOFW500004": `%{CISCO_REASON:event.reason} for protocol=%{WORD:cisco.asa.network.transport}, from %{IP:source.address}/%{INT:source.port:int} to %{IP:destination.address}/%{INT:destination.port:int}`,
"CISCOFW602303_602304": `%{WORD:cisco.asa.network.type}: An %{CISCO_DIRECTION:cisco.asa.network.direction} %{DATA:cisco.asa.ipsec.tunnel_type} SA \(SPI=%{DATA:cisco.asa.ipsec.spi}\) between %{IP:source.address} and %{IP:destination.address} \(user=%{DATA:source.user.name}\) has been %{CISCO_ACTION:cisco.asa.outcome}`,
"CISCOFW710001_710002_710003_710005_710006": `%{WORD:cisco.asa.network.transport} (?:request|access) %{CISCO_ACTION:cisco.asa.outcome} from %{IP:source.address}/%{INT:source.port:int} to %{DATA:observer.egress.interface.name}:%{IP:destination.address}/%{INT:destination.port:int}`,
"CISCOFW713172": `Group = %{DATA:cisco.asa.source.group}, IP = %{IP:source.address}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:metadata.cisco.asa.remote_nat}\s*behind a NAT device\s+This\s+end\s*%{DATA:metadata.cisco.asa.local_nat}\s*behind a NAT device`,
// NOTE(review): this entry looks mangled. In a raw string "\\s*" is a
// regex-escaped literal backslash followed by "s*", and the capture name
// "[cisco.asa.burst.object" carries a stray "[" -- the opening "\[" of the
// bracketed object name appears to have been lost. Verify against the
// upstream ecs-v1 firewalls pattern before relying on this entry.
"CISCOFW733100": `\\s*%{DATA:[cisco.asa.burst.object}\s*\] drop %{DATA:cisco.asa.burst.id} exceeded. Current burst rate is %{INT:cisco.asa.burst.current_rate:int} per second, max configured rate is %{INT:cisco.asa.burst.configured_rate:int}; Current average rate is %{INT:cisco.asa.burst.avg_rate:int} per second, max configured rate is %{INT:cisco.asa.burst.configured_avg_rate:int}; Cumulative total count is %{INT:cisco.asa.burst.cumulative_count:int}`,
// Each flag is followed by a space; the whole group may be empty.
"IPTABLES_TCP_FLAGS": `(CWR |ECE |URG |ACK |PSH |RST |SYN |FIN )*`,
"IPTABLES_TCP_PART": `(?:SEQ=%{INT:iptables.tcp.seq:int}\s+)?(?:ACK=%{INT:iptables.tcp.ack:int}\s+)?WINDOW=%{INT:iptables.tcp.window:int}\s+RES=0x%{BASE16NUM:iptables.tcp_reserved_bits}\s+%{IPTABLES_TCP_FLAGS:iptables.tcp.flags}`,
"IPTABLES4_FRAG": `((\s)?(CE|DF|MF))*`,
// IPv4 header fields; most values are optional so "LEN=" with nothing
// after it still matches.
"IPTABLES4_PART": `SRC=%{IPV4:source.address}\s+DST=%{IPV4:destination.address}\s+LEN=(?:%{INT:iptables.length:int})?\s+TOS=(?:0|0x%{BASE16NUM:iptables.tos})?\s+PREC=(?:0x%{BASE16NUM:iptables.precedence_bits})?\s+TTL=(?:%{INT:iptables.ttl:int})?\s+ID=(?:%{INT:iptables.id})?\s+(?:%{IPTABLES4_FRAG:iptables.fragment_flags})?(?:\s+FRAG: %{INT:iptables.fragment_offset:int})?`,
"IPTABLES6_PART": `SRC=%{IPV6:source.address}\s+DST=%{IPV6:destination.address}\s+LEN=(?:%{INT:iptables.length:int})?\s+TC=(?:0|0x%{BASE16NUM:iptables.tos})?\s+HOPLIMIT=(?:%{INT:iptables.ttl:int})?\s+FLOWLBL=(?:%{INT:iptables.flow_label})?`,
// Netfilter LOG line. Two things to know: the third MAC component,
// "(?::A-Fa-f0-9{2}:A-Fa-f0-9{2})?", is written without character-class
// brackets and therefore matches the literal text ":A-Fa-f0-99:A-Fa-f0-99"
// rather than two hex bytes (harmless because the group is optional, but
// it never matches real input); and "(:?%{IPTABLES4_PART}|...)" almost
// certainly meant "(?:" -- as written it is a capturing group whose first
// alternative accepts an optional leading colon. The ".*?" before PROTO=
// skips any extra fields.
"IPTABLES": `IN=(?:%{NOTSPACE:observer.ingress.interface.name})?\s+OUT=(?:%{NOTSPACE:observer.egress.interface.name})?\s+(?:MAC=(?:%{COMMONMAC:destination.mac})?(?::%{COMMONMAC:source.mac})?(?::A-Fa-f0-9{2}:A-Fa-f0-9{2})?\s+)?(:?%{IPTABLES4_PART}|%{IPTABLES6_PART}).*?PROTO=(?:%{WORD:network.transport})?\s+SPT=(?:%{INT:source.port:int})?\s+DPT=(?:%{INT:destination.port:int})?\s+(?:%{IPTABLES_TCP_PART})?`,
// Shorewall wraps an iptables line in "Shorewall:<chain>:<action>:".
"SHOREWALL": `(?:%{SYSLOGTIMESTAMP:timestamp}) (?:%{WORD:observer.hostname}) .*Shorewall:(?:%{WORD:shorewall.firewall.type})?:(?:%{WORD:shorewall.firewall.action})?.*%{IPTABLES}`,
// SuSEfirewall2 prefix, e.g. "SFW2-INext-DROP-DEFLT".
"SFW2_LOG_PREFIX": `SFW2\-INext\-%{NOTSPACE:suse.firewall.action}`,
"SFW2": `((?:%{SYSLOGTIMESTAMP:timestamp})|(?:%{TIMESTAMP_ISO8601:timestamp}))\s*%{HOSTNAME:observer.hostname}.*?%{SFW2_LOG_PREFIX:suse.firewall.log_prefix}\s*%{IPTABLES}`,
}
// HAProxy maps grok pattern names to regular expressions for HAProxy
// HTTP-format and TCP-format log lines as received over syslog. Fields
// land under "haproxy." plus ECS names; HOUR/MINUTE/SECOND/MONTHDAY/MONTH/
// YEAR/INT/DATA/URIPROTO/USER/IPORHOST/POSINT/URIPATH/URIQUERY/WORD/NUMBER/
// IP/NOTSPACE/SYSLOGTIMESTAMP/TIMESTAMP_ISO8601/SYSLOGPROG come from the
// Default map.
var HAProxy map[string]string = map[string]string{
"HAPROXYTIME": `\b%{HOUR}:%{MINUTE}(:%{SECOND})?\b`,
// Request date with millisecond suffix, e.g. "10/Oct/2000:13:55:36.123".
"HAPROXYDATE": `%{MONTHDAY}/%{MONTH}/%{YEAR}:%{HAPROXYTIME}.%{INT}`,
// Captured header blocks; "-" means none were configured.
"HAPROXYCAPTUREDREQUESTHEADERS": `(?:-|%{DATA:haproxy.http.request.captured_headers})`,
"HAPROXYCAPTUREDRESPONSEHEADERS": `(?:-|%{DATA:haproxy.http.response.captured_headers})`,
// Absolute or relative URL; every part is optional. The userinfo
// password, (?::[^@]*)?, is matched but not captured.
"HAPROXYURI": `(?:%{URIPROTO:url.scheme}://)?(?:%{USER:url.username}(?::[^@]*)?@)?(?:%{IPORHOST:url.domain}(?::%{POSINT:url.port:int})?)?(?:%{URIPATH:url.path}(?:\?%{URIQUERY:url.query})?)?`,
// HAProxy writes "<BADREQ>" in place of an unparsable request line.
"HAPROXYHTTPREQUESTLINE": `(?:<BADREQ>|(?:%{WORD:http.request.method} %{HAPROXYURI:url.original}(?: HTTP/%{NUMBER:http.version})?))`,
// Body of an HTTP-format line after the syslog prefix. "<NOSRV>" means no
// server was selected; "-1" timings are matched without capture.
// haproxy.total_time_ms is NOTSPACE rather than INT, presumably because
// HAProxy can prefix it with "+" -- confirm. The closing quote of the
// request line is optional ("%{HAPROXYHTTPREQUESTLINE}"?), which lets
// truncated lines still match.
"HAPROXYHTTPBASE": `%{IP:source.address}:%{INT:source.port:int} \[%{HAPROXYDATE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/(?:<NOSRV>|%{NOTSPACE:haproxy.server_name}) (?:-1|%{INT:haproxy.http.request.time_wait_ms:int})/(?:-1|%{INT:haproxy.total_waiting_time_ms:int})/(?:-1|%{INT:haproxy.connection_wait_time_ms:int})/(?:-1|%{INT:haproxy.http.request.time_wait_without_data_ms:int})/%{NOTSPACE:haproxy.total_time_ms} %{INT:http.response.status_code:int} %{INT:source.bytes:long} (?:-|%{DATA:haproxy.http.request.captured_cookie}) (?:-|%{DATA:haproxy.http.response.captured_cookie}) %{NOTSPACE:haproxy.termination_state} %{INT:haproxy.connections.active:int}/%{INT:haproxy.connections.frontend:int}/%{INT:haproxy.connections.backend:int}/%{INT:haproxy.connections.server:int}/%{INT:haproxy.connections.retries:int} %{INT:haproxy.server_queue:int}/%{INT:haproxy.backend_queue:int}(?: \{%{HAPROXYCAPTUREDREQUESTHEADERS}\}(?: \{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?)?(?: "%{HAPROXYHTTPREQUESTLINE}"?)?`,
// Full HTTP-format line: BSD or ISO syslog timestamp, host, program.
"HAPROXYHTTP": `(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp}) %{IPORHOST:host.name} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}`,
// Full TCP-format line; has fewer timing columns than the HTTP format.
"HAPROXYTCP": `(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp}) %{IPORHOST:host.name} %{SYSLOGPROG}: %{IP:source.address}:%{INT:source.port:int} \[%{HAPROXYDATE:haproxy.request_date}\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/(?:<NOSRV>|%{NOTSPACE:haproxy.server_name}) (?:-1|%{INT:haproxy.total_waiting_time_ms:int})/(?:-1|%{INT:haproxy.connection_wait_time_ms:int})/%{NOTSPACE:haproxy.total_time_ms} %{INT:source.bytes:long} %{NOTSPACE:haproxy.termination_state} %{INT:haproxy.connections.active:int}/%{INT:haproxy.connections.frontend:int}/%{INT:haproxy.connections.backend:int}/%{INT:haproxy.connections.server:int}/%{INT:haproxy.connections.retries:int} %{INT:haproxy.server_queue:int}/%{INT:haproxy.backend_queue:int}`,
}
// Httpd maps grok pattern names to regular expressions for Apache httpd
// access logs (common and combined formats) and error logs (2.0/2.2 and
// 2.4 layouts). EMAILADDRESS/USER/DAY/MONTH/MONTHDAY/TIME/YEAR/IPORHOST/
// HTTPDATE/WORD/NOTSPACE/NUMBER/DATA/INT/LOGLEVEL/GREEDYDATA/POSINT come
// from the Default map.
var Httpd map[string]string = map[string]string{
// Top-level alternation without a surrounding group; relies on the
// expander wrapping it when embedded.
"HTTPDUSER": `%{EMAILADDRESS}|%{USER}`,
// e.g. "Wed Oct 11 14:32:52 2000".
"HTTPDERROR_DATE": `%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}`,
// Common Log Format. The quoted request either parses as
// "method url [HTTP/ver]" or falls back to an uncaptured %{DATA}, so lines
// with a malformed request line still match but yield no method/url.
// url.original is NOTSPACE: unconstrained client-supplied text.
"HTTPD_COMMONLOG": `%{IPORHOST:source.address} (?:-|%{HTTPDUSER:apache.access.user.identity}) (?:-|%{HTTPDUSER:user.name}) \[%{HTTPDATE:timestamp}\] "(?:%{WORD:http.request.method} %{NOTSPACE:url.original}(?: HTTP/%{NUMBER:http.version})?|%{DATA})" (?:-|%{INT:http.response.status_code:int}) (?:-|%{INT:http.response.body.size:long})`,
// Combined Log Format: common log plus quoted referrer and user agent.
"HTTPD_COMBINEDLOG": `%{HTTPD_COMMONLOG} "(?:-|%{DATA:http.request.referrer})" "(?:-|%{DATA:user_agent.original})"`,
// httpd 2.0/2.2 error log: "[date] [level] [client ip] message".
"HTTPD20_ERRORLOG": `\[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:log.level}\] (?:\[client %{IPORHOST:source.address}\] )?%{GREEDYDATA:message}`,
// httpd 2.4 error log: "[date] [module:level] [pid n:tid n] ... message".
// Note the inconsistent typing: process.pid is :long while
// process.thread.id is :int, and the proxy error code is untyped.
"HTTPD24_ERRORLOG": `\[%{HTTPDERROR_DATE:timestamp}\] \[(?:%{WORD:apache.error.module})?:%{LOGLEVEL:log.level}\] \[pid %{POSINT:process.pid:long}(:tid %{INT:process.thread.id:int})?\](?: \(%{POSINT:apache.error.proxy.error.code}\)?%{DATA:apache.error.proxy.error.message}:)?(?: \[client %{IPORHOST:source.address}(?::%{POSINT:source.port:int})?\])?(?: %{DATA:error.code}:)? %{GREEDYDATA:message}`,
// Top-level alternation; the 2.0 layout is tried first.
"HTTPD_ERRORLOG": `%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}`,
// Aliases kept under the older Logstash names.
"COMMONAPACHELOG": `%{HTTPD_COMMONLOG}`,
"COMBINEDAPACHELOG": `%{HTTPD_COMBINEDLOG}`,
}
// Java holds grok patterns for Java stack-trace frames and for Tomcat/Catalina
// log lines (the Tomcat 7, Tomcat 8+ and legacy pipe-separated layouts).
//
// NOTE(review): JAVALOGMESSAGE is `.*`, so the `message` field is raw log text.
// JAVASTACKTRACEPART matches a single frame line; stitching multi-line traces
// together is not handled by these patterns.
var Java = map[string]string{
	// Fully-qualified class name: dot-separated Java identifiers.
	"JAVACLASS": `(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*`,
	// Source file name as printed in a frame (allows '.', ' ' and '-').
	"JAVAFILE": `(?:[a-zA-Z$_0-9. -]+)`,
	// Method name, or the synthetic <init> / <clinit> names. The angle-bracket
	// alternative is an unnamed capture group.
	"JAVAMETHOD": `(?:(<(?:cl)?init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)`,
	// One stack frame: "at pkg.Class.method(File.java:NN)"; the line number is optional.
	"JAVASTACKTRACEPART": `%{SPACE}at %{JAVACLASS:java.log.origin.class.name}\.%{JAVAMETHOD:log.origin.function}\(%{JAVAFILE:log.origin.file.name}(?::%{INT:log.origin.file.line:int})?\)`,
	// Thread names of the form "XX-ProcessorNN" (two capitals, then digits).
	"JAVATHREAD": `(?:[A-Z]{2}-Processor[\d]+)`,
	// Anything at all.
	"JAVALOGMESSAGE": `(?:.*)`,
	// Tomcat 7: "Mon DD, YYYY HH:MM:SS AM|PM".
	"CATALINA7_DATESTAMP": `%{MONTH} %{MONTHDAY}, %{YEAR} %{HOUR}:%{MINUTE}:%{SECOND} (?:AM|PM)`,
	// Tomcat 7 line: datestamp, class, optional method, optional "LEVEL:", message.
	"CATALINA7_LOG": `%{CATALINA7_DATESTAMP:timestamp} %{JAVACLASS:java.log.origin.class.name}(?: %{JAVAMETHOD:log.origin.function})?\s*(?:%{LOGLEVEL:log.level}:)? %{JAVALOGMESSAGE:message}`,
	// Tomcat 8+: "DD-Mon-YYYY HH:MM:SS".
	"CATALINA8_DATESTAMP": `%{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND}`,
	// Tomcat 8+ line: datestamp, level, [thread], class.method, message.
	"CATALINA8_LOG": `%{CATALINA8_DATESTAMP:timestamp} %{LOGLEVEL:log.level} \[%{DATA:java.log.origin.thread.name}\] %{JAVACLASS:java.log.origin.class.name}\.(?:%{JAVAMETHOD:log.origin.function})? %{JAVALOGMESSAGE:message}`,
	// Either Catalina datestamp / line layout; the Tomcat 8 form is tried first.
	"CATALINA_DATESTAMP": `(?:%{CATALINA8_DATESTAMP})|(?:%{CATALINA7_DATESTAMP})`,
	"CATALINALOG":        `(?:%{CATALINA8_LOG})|(?:%{CATALINA7_LOG})`,
	// Tomcat aliases for the Catalina layouts.
	"TOMCAT7_LOG": `%{CATALINA7_LOG}`,
	"TOMCAT8_LOG": `%{CATALINA8_LOG}`,
	// Legacy pipe-separated Tomcat layout: "YYYY-MM-DD HH:MM:SS [TZ] | LEVEL | class - message".
	"TOMCATLEGACY_DATESTAMP": `%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}(?: %{ISO8601_TIMEZONE})?`,
	"TOMCATLEGACY_LOG":       `%{TOMCATLEGACY_DATESTAMP:timestamp} \| %{LOGLEVEL:log.level} \| %{JAVACLASS:java.log.origin.class.name} - %{JAVALOGMESSAGE:message}`,
	// Any of the three Tomcat datestamps / line layouts, newest first.
	"TOMCAT_DATESTAMP": `(?:%{CATALINA8_DATESTAMP})|(?:%{CATALINA7_DATESTAMP})|(?:%{TOMCATLEGACY_DATESTAMP})`,
	"TOMCATLOG":        `(?:%{TOMCAT8_LOG})|(?:%{TOMCAT7_LOG})|(?:%{TOMCATLEGACY_LOG})`,
}
// Junos holds grok patterns for Juniper SRX RT_FLOW session events
// (create / close / deny), mapped onto ECS source.*, destination.*,
// source.nat.*, destination.nat.*, rule.name and observer.*.zone fields.
//
// NOTE(review): RT_FLOW_TAG accepts any of the three tags in every pattern;
// it is the literal text after the tag ("session created", "session denied",
// or a free-form close reason) that actually selects RT_FLOW1/2/3. Service,
// rule and zone names are `%{DATA}` delimited by single spaces, so a name
// containing a space would shift the following fields -- confirm against
// real SRX output if such names are possible in your deployment.
var Junos = map[string]string{
	// The three RT_FLOW session event tags.
	"RT_FLOW_TAG":   `(?:RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)`,
	"RT_FLOW_EVENT": `%{RT_FLOW_TAG}`,
	// Session close: tag, reason, 5-tuple, NAT tuple, NAT rule names (or "None"),
	// protocol number, policy, zones, session id, packet(byte) counters, elapsed time.
	"RT_FLOW1": `%{RT_FLOW_TAG:juniper.srx.tag}: %{GREEDYDATA:juniper.srx.reason}: %{IP:source.address}/%{INT:source.port:int}->%{IP:destination.address}/%{INT:destination.port:int} %{DATA:juniper.srx.service_name} %{IP:source.nat.ip}/%{INT:source.nat.port:int}->%{IP:destination.nat.ip}/%{INT:destination.nat.port:int} (?:(?:None)|(?:%{DATA:juniper.srx.src_nat_rule_name})) (?:(?:None)|(?:%{DATA:juniper.srx.dst_nat_rule_name})) %{INT:network.iana_number} %{DATA:rule.name} %{DATA:observer.ingress.zone} %{DATA:observer.egress.zone} %{INT:juniper.srx.session_id} \d+\(%{INT:source.bytes:long}\) \d+\(%{INT:destination.bytes:long}\) %{INT:juniper.srx.elapsed_time:int} .*`,
	// Session create: same prefix as RT_FLOW1 up to the session id, no counters.
	"RT_FLOW2": `%{RT_FLOW_TAG:juniper.srx.tag}: session created %{IP:source.address}/%{INT:source.port:int}->%{IP:destination.address}/%{INT:destination.port:int} %{DATA:juniper.srx.service_name} %{IP:source.nat.ip}/%{INT:source.nat.port:int}->%{IP:destination.nat.ip}/%{INT:destination.nat.port:int} (?:(?:None)|(?:%{DATA:juniper.srx.src_nat_rule_name})) (?:(?:None)|(?:%{DATA:juniper.srx.dst_nat_rule_name})) %{INT:network.iana_number} %{DATA:rule.name} %{DATA:observer.ingress.zone} %{DATA:observer.egress.zone} %{INT:juniper.srx.session_id} .*`,
	// Session deny: no NAT tuple; protocol is "N(d)" with a single digit in
	// parentheses. The trailing `(.*)?` is an unnamed capture.
	"RT_FLOW3": `%{RT_FLOW_TAG:juniper.srx.tag}: session denied %{IP:source.address}/%{INT:source.port:int}->%{IP:destination.address}/%{INT:destination.port:int} %{DATA:juniper.srx.service_name} %{INT:network.iana_number}\(\d\) %{DATA:rule.name} %{DATA:observer.ingress.zone} %{DATA:observer.egress.zone} (.*)?`,
}
// MCollective holds grok patterns for Marionette Collective (MCollective)
// server and audit logs.
var MCollective = map[string]string{
	// Ruby Logger-style prefix: one severity character, ", [", ISO timestamp,
	// "#pid", "]", then the level. Only the prefix is matched; the message is not captured.
	"MCOLLECTIVE": `., \[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:process.pid:int}\]%{SPACE}%{LOGLEVEL:log.level}`,
	// Audit log: an ISO timestamp followed by ":"; nothing after it is captured.
	"MCOLLECTIVEAUDIT": `%{TIMESTAMP_ISO8601:timestamp}:`,
}
// Maven holds the grok pattern for Maven-style version strings.
var Maven = map[string]string{
	// Up to three dot-separated numeric components (the first two optional,
	// the last may be "*"), optionally followed by ".RELEASE"/"-RELEASE" or
	// ".SNAPSHOT"/"-SNAPSHOT". All four groups are unnamed captures.
	"MAVEN_VERSION": `(?:(\d+)\.)?(?:(\d+)\.)?(\*|\d+)(?:[.-](RELEASE|SNAPSHOT))?`,
}
// MongoDB holds grok patterns for MongoDB 2.x server logs, the 2.x slow-query
// profile lines, and the MongoDB 3.x structured log format.
//
// NOTE(review): db.mongodb.query.original and message are raw log text; a
// logged query can carry application data, so treat these fields accordingly
// when forwarding or indexing.
var MongoDB = map[string]string{
	// 2.x log line: syslog timestamp, [component], message.
	"MONGO_LOG": `%{SYSLOGTIMESTAMP:timestamp} \[%{WORD:db.mongodb.component}\] %{GREEDYDATA:message}`,
	// Lazy catch-all used for the body of a "{ ... }" query document.
	"MONGO_QUERY_CONTENT": `(.*?)`,
	// "{ <query> } ntoreturn:" -- the query body is stored under the
	// non-ECS field name MONGO_QUERY.
	"MONGO_QUERY": `\{ %{MONGO_QUERY_CONTENT:MONGO_QUERY} \} ntoreturn:`,
	// 2.x slow-query profile line: op, db.collection, a keyword, the query
	// document, ntoreturn/ntoskip/nscanned, nreturned, and the duration in ms.
	// Intervening fields are skipped with lazy `.*?`.
	"MONGO_SLOWQUERY": `%{WORD:db.mongodb.profile.op} %{MONGO_WORDDASH:db.mongodb.database}\.%{MONGO_WORDDASH:db.mongodb.collection} %{WORD}: \{ %{MONGO_QUERY_CONTENT:db.mongodb.query.original} \} ntoreturn:%{NONNEGINT:db.mongodb.profile.ntoreturn:int} ntoskip:%{NONNEGINT:db.mongodb.profile.ntoskip:int} nscanned:%{NONNEGINT:db.mongodb.profile.nscanned:int}.*? nreturned:%{NONNEGINT:db.mongodb.profile.nreturned:int}.*? %{INT:db.mongodb.profile.duration:int}ms`,
	// Word characters plus dashes, bounded by word boundaries (db/collection names).
	"MONGO_WORDDASH": `\b[\w-]+\b`,
	// 3.x severity is a single character (e.g. the I/W/E/F letters).
	"MONGO3_SEVERITY": `\w`,
	// 3.x component is a single word.
	"MONGO3_COMPONENT": `%{WORD}`,
	// 3.x line: ISO timestamp, severity, component (or "-"), optional [context], message.
	"MONGO3_LOG": `%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:log.level} (?:-|%{MONGO3_COMPONENT:db.mongodb.component})%{SPACE}(?:\[%{DATA:db.mongodb.context}\])? %{GREEDYDATA:message}`,
}
// PostgreSQL holds the grok pattern for the default PostgreSQL log-line prefix.
// Written as a raw string literal like the other pattern tables in this file;
// the pattern text is unchanged.
var PostgreSQL = map[string]string{
	// Timestamp, timezone, user name, connection id, and the backend pid.
	// connection_id is a greedy catch-all, so it absorbs everything up to the
	// last integer token on the line -- confirm against your log_line_prefix.
	"POSTGRESQL": `%{DATESTAMP:timestamp} %{TZ:event.timezone} %{DATA:user.name} %{GREEDYDATA:postgresql.log.connection_id} %{POSINT:process.pid:int}`,
}
// Rails holds grok patterns for Rails 3 request logs: the "Started ..." header,
// the "Processing by ..." line, and the "Completed ..." footer with timings.
//
// NOTE(review): the `(?P<rails___controller___class>...)` style names appear
// to encode ECS dots as triple underscores, presumably because Go's regexp
// rejects '.' in group names -- verify how the consuming grok layer maps them
// back. RAILS3HEAD uses `(?<timestamp>...)`, which Go's regexp only accepts
// from Go 1.22 if the pattern is compiled unmodified. rails.request.params is
// raw request data and must be treated as untrusted.
var Rails = map[string]string{
	// Request UUID: 32 non-space characters.
	"RUUID": `\S{32}`,
	// "Controller#action" with Go-style named groups.
	"RCONTROLLER": `(?P<rails___controller___class>[^#]+)#(?P<rails___controller___action>\w+)`,
	// "Started METHOD "path" for client at YYYY-MM-DD HH:MM:SS TZ"; multiline mode.
	"RAILS3HEAD": `(?m)Started %{WORD:http.request.method} "%{URIPATHPARAM:url.original}" for %{IPORHOST:source.address} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})`,
	// "Processing by Controller#action as FORMAT" with optional "Parameters: {...}".
	"RPROCESSING": `\W*Processing by %{RCONTROLLER} as (?P<rails___request___format>\S+)(?:\W*Parameters: {%{DATA:rails.request.params}}\W*)?`,
	// "Completed STATUS ... in N ms (Views: ... | ActiveRecord: ...)".
	"RAILS3FOOT": `Completed %{POSINT:http.response.status_code:int}%{DATA} in %{NUMBER:rails.request.duration.total:float}ms %{RAILS3PROFILE}%{GREEDYDATA}`,
	// Optional timing breakdown; either "(Views: Xms | ActiveRecord: Yms" or "(ActiveRecord: Yms".
	"RAILS3PROFILE": `(?:\(Views: %{NUMBER:rails.request.duration.view:float}ms \| ActiveRecord: %{NUMBER:rails.request.duration.active_record:float}ms|\(ActiveRecord: %{NUMBER:rails.request.duration.active_record:float}ms)?`,
	// Whole multi-line request block: header, optional processing line,
	// intermediate lines collected as explain.original, optional footer.
	"RAILS3": `%{RAILS3HEAD}(?:%{RPROCESSING})?(?P<rails___request___explain___original>(?:%{DATA}\n)*)(?:%{RAILS3FOOT})?`,
}
// Redis holds grok patterns for the Redis server log prefix and for MONITOR
// output lines.
//
// NOTE(review): redis.command.args is the raw argument string echoed by
// MONITOR. Depending on server version that can include credentials (e.g. the
// argument of AUTH) and application data, so handle the field as sensitive.
var Redis = map[string]string{
	// "DD Mon HH:MM:SS" as used in older Redis server logs.
	"REDISTIMESTAMP": `%{MONTHDAY} %{MONTH} %{TIME}`,
	// Server log prefix: "[pid] DD Mon HH:MM:SS *" -- the message is not captured.
	"REDISLOG": `\[%{POSINT:process.pid:int}\] %{REDISTIMESTAMP:timestamp} \*`,
	// MONITOR line: "<epoch.micros> [db ip:port] "CMD" args...".
	"REDISMONLOG": `%{NUMBER:timestamp} \[%{INT:redis.database.id} %{IP:client.address}:%{POSINT:client.port:int}\] "%{WORD:redis.command.name}"\s?%{GREEDYDATA:redis.command.args}`,
}
// Ruby holds grok patterns for the default Ruby Logger line format.
var Ruby = map[string]string{
	// The five standard Logger severities.
	"RUBY_LOGLEVEL": `(?:DEBUG|FATAL|ERROR|WARN|INFO)`,
	// "X, [ISO-timestamp #pid]  LEVEL -- progname: message", where X is the
	// severity initial (D/F/E/W/I).
	"RUBY_LOGGER": `[DFEWI], \[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:process.pid:int}\] *%{RUBY_LOGLEVEL:log.level} -- +%{DATA:process.command}: %{GREEDYDATA:message}`,
}
// Squid holds grok patterns for the Squid 3 native access.log format.
var Squid = map[string]string{
	// HTTP status: a positive integer, or the literal "0"/"000" Squid writes
	// when no status is available (in which case status_code is not captured).
	"SQUID3_STATUS": `(?:%{POSINT:http.response.status_code:int}|0|000)`,
	// Native log line: epoch timestamp, duration, client ip, ACTION/STATUS,
	// bytes, method, url, user (or "-"), HIERARCHY/peer (or "-"), mime type (or "-").
	"SQUID3": `%{NUMBER:timestamp}\s+%{NUMBER:squid.request.duration:int}\s%{IP:source.address}\s%{WORD:event.action}/%{SQUID3_STATUS}\s%{INT:http.response.bytes:long}\s%{WORD:http.request.method}\s%{NOTSPACE:url.original}\s(?:-|%{NOTSPACE:user.name})\s%{WORD:squid.hierarchy_code}/(?:-|%{IPORHOST:destination.address})\s(?:-|%{NOTSPACE:http.response.mime_type})`,
}
// Syslog holds grok patterns for BSD-style (RFC 3164) syslog lines, PAM session
// and cron messages carried over syslog, and RFC 5424 structured syslog.
// SYSLOGBASE, SYSLOGTIMESTAMP, SYSLOGHOST and SYSLOGPROG are defined elsewhere.
//
// NOTE(review): host.name and process.command are copied from the message
// itself; when syslog arrives over plain UDP the sender is unauthenticated and
// those values are claims, not facts. In SYSLOGPAMSESSION,
// `(%{GREEDYDATA:message})` is an ordinary group followed by the module token,
// so `message` ends up holding the text *before* "module(origin):", not the
// whole remainder -- confirm that this is the intended field content.
var Syslog = map[string]string{
	// RFC 5424 PRINTUSASCII: one or more printable US-ASCII chars (0x21-0x7E).
	"SYSLOG5424PRINTASCII": `[!-~]+`,
	// BSD header with every part after the timestamp optional.
	"SYSLOGBASE2": `(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp})(?: %{SYSLOGFACILITY})?(?: %{SYSLOGHOST:host.name})?(?: %{SYSLOGPROG}:)?`,
	// "module(origin): session opened|closed for user NAME [by ...]".
	"SYSLOGPAMSESSION": `%{SYSLOGBASE} (%{GREEDYDATA:message})%{WORD:system.auth.pam.module}\(%{DATA:system.auth.pam.origin}\): session %{WORD:system.auth.pam.session_state} for user %{USERNAME:user.name}(?: by %{GREEDYDATA})?`,
	// Cron action keyword(s): upper-case letters and spaces.
	"CRON_ACTION": `[A-Z ]+`,
	// "(user) ACTION (command)" -- the command ends up in message.
	"CRONLOG": `%{SYSLOGBASE} \(%{USER:user.name}\) %{CRON_ACTION:system.cron.action} \(%{DATA:message}\)`,
	// Generic BSD line: header then free-form message.
	"SYSLOGLINE": `%{SYSLOGBASE2} %{GREEDYDATA:message}`,
	// RFC 5424 "<PRI>" field.
	"SYSLOG5424PRI": `<%{NONNEGINT:log.syslog.priority:int}>`,
	// Coarse STRUCTURED-DATA match: "[...]" with one or more closing brackets;
	// SD-IDs and SD-PARAMs are not parsed individually.
	"SYSLOG5424SD": `\[%{DATA}\]+`,
	// RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID,
	// MSGID, STRUCTURED-DATA; each field may be the nil value "-".
	"SYSLOG5424BASE": `%{SYSLOG5424PRI}%{NONNEGINT:system.syslog.version} +(?:-|%{TIMESTAMP_ISO8601:timestamp}) +(?:-|%{IPORHOST:host.name}) +(?:-|%{SYSLOG5424PRINTASCII:process.command}) +(?:-|%{POSINT:process.pid:int}) +(?:-|%{SYSLOG5424PRINTASCII:event.code}) +(?:-|%{SYSLOG5424SD:system.syslog.structured_data})?`,
	// Full RFC 5424 line: header plus MSG.
	"SYSLOG5424LINE": `%{SYSLOG5424BASE} +%{GREEDYDATA:message}`,
}