Created
August 29, 2016 12:55
-
-
Save anonymous/74fa56e21bd8bb2b3020269967bc8413 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| bin/logstash --verbose -f /etc/logstash/conf.d/webserver.conf | |
| starting agent {:level=>:info} | |
| starting pipeline {:id=>"main", :level=>:info} | |
| Settings: Default pipeline workers: 1 | |
| Registering file input {:path=>["/etc/httpd/logs/access_log"], :level=>:info} | |
| No sincedb_path set, generating one based on the file path {:sincedb_path=>"/home/vishne0/.sincedb_b04f3cc6f697ac4a0e3b75cdc3664f75", :path=>["/etc/httpd/logs/access_log"], :level=>:info} | |
| Grok patterns path {:paths=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns", "/opt/logstash/patterns/*"], :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/linux-syslog", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/nagios", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/mcollective-patterns", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/firewalls", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/mcollective", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/grok-patterns", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/junos", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/mongodb", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/java", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/ruby", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/rails", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/redis", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/bro", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/exim", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/postgresql", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/aws", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/bacula", :level=>:info} | |
| Grok loading patterns from file {:path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/haproxy", :level=>:info} | |
| Grok patterns path {:paths=>[], :level=>:info} | |
| Match data {:match=>{"message"=>"%{COMBINEDAPACHELOG}"}, :level=>:info} | |
| Grok compile {:field=>"message", :patterns=>["%{COMBINEDAPACHELOG}"], :level=>:info} | |
| Adding pattern {"SYSLOG5424PRINTASCII"=>"[!-~]+", :level=>:info} | |
| Adding pattern {"SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)", :level=>:info} | |
| Adding pattern {"SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", :level=>:info} | |
| Adding pattern {"CRON_ACTION"=>"[A-Z ]+", :level=>:info} | |
| Adding pattern {"CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", :level=>:info} | |
| Adding pattern {"SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", :level=>:info} | |
| Adding pattern {"SYSLOG5424PRI"=>"<%{NONNEGINT:syslog5424_pri}>", :level=>:info} | |
| Adding pattern {"SYSLOG5424SD"=>"\\[%{DATA}\\]+", :level=>:info} | |
| Adding pattern {"SYSLOG5424BASE"=>"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)", :level=>:info} | |
| Adding pattern {"SYSLOG5424LINE"=>"%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}", :level=>:info} | |
| Adding pattern {"NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", :level=>:info} | |
| Adding pattern {"NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS"=>"DISABLE_HOST_SVC_NOTIFICATIONS", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS"=>"ENABLE_HOST_SVC_NOTIFICATIONS", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS"=>"DISABLE_HOST_NOTIFICATIONS", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS"=>"ENABLE_HOST_NOTIFICATIONS", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS"=>"DISABLE_SVC_NOTIFICATIONS", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS"=>"ENABLE_SVC_NOTIFICATIONS", :level=>:info} | |
| Adding pattern {"NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info} | |
| Adding pattern {"NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info} | |
| Adding pattern {"NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info} | |
| Adding pattern {"NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info} | |
| Adding pattern {"NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info} | |
| Adding pattern {"NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info} | |
| Adding pattern {"NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info} | |
| Adding pattern {"NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info} | |
| Adding pattern {"NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", :level=>:info} | |
| Adding pattern {"NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME}|%{NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS})", :level=>:info} | |
| Adding pattern {"MCOLLECTIVE"=>"., \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\]%{SPACE}%{LOGLEVEL:event_level}", :level=>:info} | |
| Adding pattern {"MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info} | |
| Adding pattern {"NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", :level=>:info} | |
| Adding pattern {"CISCO_TAGGED_SYSLOG"=>"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:", :level=>:info} | |
| Adding pattern {"CISCOTIMESTAMP"=>"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}", :level=>:info} | |
| Adding pattern {"CISCOTAG"=>"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)", :level=>:info} | |
| Adding pattern {"CISCO_ACTION"=>"Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted", :level=>:info} | |
| Adding pattern {"CISCO_REASON"=>"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\\s*)*", :level=>:info} | |
| Adding pattern {"CISCO_DIRECTION"=>"Inbound|inbound|Outbound|outbound", :level=>:info} | |
| Adding pattern {"CISCO_INTERVAL"=>"first hit|%{INT}-second interval", :level=>:info} | |
| Adding pattern {"CISCO_XLATE_TYPE"=>"static|dynamic", :level=>:info} | |
| Adding pattern {"CISCOFW104001"=>"\\((?:Primary|Secondary)\\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}", :level=>:info} | |
| Adding pattern {"CISCOFW104002"=>"\\((?:Primary|Secondary)\\) Switching to STANDBY - %{GREEDYDATA:switch_reason}", :level=>:info} | |
| Adding pattern {"CISCOFW104003"=>"\\((?:Primary|Secondary)\\) Switching to FAILED\\.", :level=>:info} | |
| Adding pattern {"CISCOFW104004"=>"\\((?:Primary|Secondary)\\) Switching to OK\\.", :level=>:info} | |
| Adding pattern {"CISCOFW105003"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting", :level=>:info} | |
| Adding pattern {"CISCOFW105004"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal", :level=>:info} | |
| Adding pattern {"CISCOFW105005"=>"\\((?:Primary|Secondary)\\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info} | |
| Adding pattern {"CISCOFW105008"=>"\\((?:Primary|Secondary)\\) Testing [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info} | |
| Adding pattern {"CISCOFW105009"=>"\\((?:Primary|Secondary)\\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)", :level=>:info} | |
| Adding pattern {"CISCOFW106001"=>"%{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info} | |
| Adding pattern {"CISCOFW106006_106007_106010"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\\(%{DATA:src_fwuser}\\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\\(%{DATA:dst_fwuser}\\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})", :level=>:info} | |
| Adding pattern {"CISCOFW106014"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\\(%{DATA:dst_fwuser}\\))? \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\)", :level=>:info} | |
| Adding pattern {"CISCOFW106015"=>"%{CISCO_ACTION:action} %{WORD:protocol} \\(%{DATA:policy_id}\\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info} | |
| Adding pattern {"CISCOFW106021"=>"%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}", :level=>:info} | |
| Adding pattern {"CISCOFW106023"=>"%{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\\(%{DATA:dst_fwuser}\\))?( \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\))? by access-group \"?%{DATA:policy_id}\"? \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info} | |
| Adding pattern {"CISCOFW106100_2_3"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\) -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info} | |
| Adding pattern {"CISCOFW106100"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\)(\\(%{DATA:src_fwuser}\\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\)(\\(%{DATA:src_fwuser}\\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info} | |
| Adding pattern {"CISCOFW110002"=>"%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info} | |
| Adding pattern {"CISCOFW302010"=>"%{INT:connection_count} in use, %{INT:connection_count_max} most used", :level=>:info} | |
| Adding pattern {"CISCOFW302013_302014_302015_302016"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\\))?(\\(%{DATA:src_fwuser}\\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\\))?(\\(%{DATA:dst_fwuser}\\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \\(%{DATA:user}\\))?", :level=>:info} | |
| Adding pattern {"CISCOFW302020_302021"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\\(%{DATA:fwuser}\\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \\(%{DATA:user}\\))?", :level=>:info} | |
| Adding pattern {"CISCOFW305011"=>"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}", :level=>:info} | |
| Adding pattern {"CISCOFW313001_313004_313008"=>"%{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?", :level=>:info} | |
| Adding pattern {"CISCOFW313005"=>"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\\(%{DATA:err_src_fwuser}\\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\\(%{DATA:err_dst_fwuser}\\))? \\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\\) on %{DATA:interface} interface\\. Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\\(%{DATA:orig_src_fwuser}\\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\\(%{DATA:orig_dst_fwuser}\\))?", :level=>:info} | |
| Adding pattern {"CISCOFW321001"=>"Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system", :level=>:info} | |
| Adding pattern {"CISCOFW402117"=>"%{WORD:protocol}: Received a non-IPSec packet \\(protocol= %{WORD:orig_protocol}\\) from %{IP:src_ip} to %{IP:dst_ip}", :level=>:info} | |
| Adding pattern {"CISCOFW402119"=>"%{WORD:protocol}: Received an %{WORD:orig_protocol} packet \\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\\) from %{IP:src_ip} \\(user= %{DATA:user}\\) to %{IP:dst_ip} that failed anti-replay checking", :level=>:info} | |
| Adding pattern {"CISCOFW419001"=>"%{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}", :level=>:info} | |
| Adding pattern {"CISCOFW419002"=>"%{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number", :level=>:info} | |
| Adding pattern {"CISCOFW500004"=>"%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info} | |
| Adding pattern {"CISCOFW602303_602304"=>"%{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \\(SPI= %{DATA:spi}\\) between %{IP:src_ip} and %{IP:dst_ip} \\(user= %{DATA:user}\\) has been %{CISCO_ACTION:action}", :level=>:info} | |
| Adding pattern {"CISCOFW710001_710002_710003_710005_710006"=>"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}", :level=>:info} | |
| Adding pattern {"CISCOFW713172"=>"Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\\s+Remote end\\s*%{DATA:is_remote_natted}\\s*behind a NAT device\\s+This\\s+end\\s*%{DATA:is_local_natted}\\s*behind a NAT device", :level=>:info} | |
| Adding pattern {"CISCOFW733100"=>"\\[\\s*%{DATA:drop_type}\\s*\\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}", :level=>:info} | |
| Adding pattern {"SHOREWALL"=>"(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)", :level=>:info} | |
| Adding pattern {"MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info} | |
| Adding pattern {"USERNAME"=>"[a-zA-Z0-9._-]+", :level=>:info} | |
| Adding pattern {"USER"=>"%{USERNAME}", :level=>:info} | |
| Adding pattern {"EMAILLOCALPART"=>"[a-zA-Z][a-zA-Z0-9_.+-=:]+", :level=>:info} | |
| Adding pattern {"EMAILADDRESS"=>"%{EMAILLOCALPART}@%{HOSTNAME}", :level=>:info} | |
| Adding pattern {"HTTPDUSER"=>"%{EMAILADDRESS}|%{USER}", :level=>:info} | |
| Adding pattern {"INT"=>"(?:[+-]?(?:[0-9]+))", :level=>:info} | |
| Adding pattern {"BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", :level=>:info} | |
| Adding pattern {"NUMBER"=>"(?:%{BASE10NUM})", :level=>:info} | |
| Adding pattern {"BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", :level=>:info} | |
| Adding pattern {"BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", :level=>:info} | |
| Adding pattern {"POSINT"=>"\\b(?:[1-9][0-9]*)\\b", :level=>:info} | |
| Adding pattern {"NONNEGINT"=>"\\b(?:[0-9]+)\\b", :level=>:info} | |
| Adding pattern {"WORD"=>"\\b\\w+\\b", :level=>:info} | |
| Adding pattern {"NOTSPACE"=>"\\S+", :level=>:info} | |
| Adding pattern {"SPACE"=>"\\s*", :level=>:info} | |
| Adding pattern {"DATA"=>".*?", :level=>:info} | |
| Adding pattern {"GREEDYDATA"=>".*", :level=>:info} | |
| Adding pattern {"QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", :level=>:info} | |
| Adding pattern {"UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", :level=>:info} | |
| Adding pattern {"MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", :level=>:info} | |
| Adding pattern {"CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", :level=>:info} | |
| Adding pattern {"WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", :level=>:info} | |
| Adding pattern {"COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", :level=>:info} | |
| Adding pattern {"IPV6"=>"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?", :level=>:info} | |
| Adding pattern {"IPV4"=>"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])", :level=>:info} | |
| Adding pattern {"IP"=>"(?:%{IPV6}|%{IPV4})", :level=>:info} | |
| Adding pattern {"HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", :level=>:info} | |
| Adding pattern {"IPORHOST"=>"(?:%{IP}|%{HOSTNAME})", :level=>:info} | |
| Adding pattern {"HOSTPORT"=>"%{IPORHOST}:%{POSINT}", :level=>:info} | |
| Adding pattern {"PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", :level=>:info} | |
| Adding pattern {"UNIXPATH"=>"(/([\\w_%!$@:.,~-]+|\\\\.)*)+", :level=>:info} | |
| Adding pattern {"TTY"=>"(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))", :level=>:info} | |
| Adding pattern {"WINPATH"=>"(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", :level=>:info} | |
| Adding pattern {"URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", :level=>:info} | |
| Adding pattern {"URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", :level=>:info} | |
| Adding pattern {"URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\\-]*)+", :level=>:info} | |
| Adding pattern {"URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*", :level=>:info} | |
| Adding pattern {"URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", :level=>:info} | |
| Adding pattern {"URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", :level=>:info} | |
| Adding pattern {"MONTH"=>"\\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\\b", :level=>:info} | |
| Adding pattern {"MONTHNUM"=>"(?:0?[1-9]|1[0-2])", :level=>:info} | |
| Adding pattern {"MONTHNUM2"=>"(?:0[1-9]|1[0-2])", :level=>:info} | |
| Adding pattern {"MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", :level=>:info} | |
| Adding pattern {"DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", :level=>:info} | |
| Adding pattern {"YEAR"=>"(?>\\d\\d){1,2}", :level=>:info} | |
| Adding pattern {"HOUR"=>"(?:2[0123]|[01]?[0-9])", :level=>:info} | |
| Adding pattern {"MINUTE"=>"(?:[0-5][0-9])", :level=>:info} | |
| Adding pattern {"SECOND"=>"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)", :level=>:info} | |
| Adding pattern {"TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", :level=>:info} | |
| Adding pattern {"DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", :level=>:info} | |
| Adding pattern {"DATE_EU"=>"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}", :level=>:info} | |
| Adding pattern {"ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", :level=>:info} | |
| Adding pattern {"ISO8601_SECOND"=>"(?:%{SECOND}|60)", :level=>:info} | |
| Adding pattern {"TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", :level=>:info} | |
| Adding pattern {"DATE"=>"%{DATE_US}|%{DATE_EU}", :level=>:info} | |
| Adding pattern {"DATESTAMP"=>"%{DATE}[- ]%{TIME}", :level=>:info} | |
| Adding pattern {"TZ"=>"(?:[PMCE][SD]T|UTC)", :level=>:info} | |
| Adding pattern {"DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", :level=>:info} | |
| Adding pattern {"DATESTAMP_RFC2822"=>"%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}", :level=>:info} | |
| Adding pattern {"DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", :level=>:info} | |
| Adding pattern {"DATESTAMP_EVENTLOG"=>"%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}", :level=>:info} | |
| Adding pattern {"HTTPDERROR_DATE"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}", :level=>:info} | |
| Adding pattern {"SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", :level=>:info} | |
| Adding pattern {"PROG"=>"[\\x21-\\x5a\\x5c\\x5e-\\x7e]+", :level=>:info} | |
| Adding pattern {"SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", :level=>:info} | |
| Adding pattern {"SYSLOGHOST"=>"%{IPORHOST}", :level=>:info} | |
| Adding pattern {"SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", :level=>:info} | |
| Adding pattern {"HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", :level=>:info} | |
| Adding pattern {"QS"=>"%{QUOTEDSTRING}", :level=>:info} | |
| Adding pattern {"SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", :level=>:info} | |
| Adding pattern {"COMMONAPACHELOG"=>"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)", :level=>:info} | |
| Adding pattern {"COMBINEDAPACHELOG"=>"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}", :level=>:info} | |
| Adding pattern {"HTTPD20_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}", :level=>:info} | |
| Adding pattern {"HTTPD24_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}", :level=>:info} | |
| Adding pattern {"HTTPD_ERRORLOG"=>"%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}", :level=>:info} | |
| Adding pattern {"LOGLEVEL"=>"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)", :level=>:info} | |
| Adding pattern {"RT_FLOW_EVENT"=>"(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)", :level=>:info} | |
| Adding pattern {"RT_FLOW1"=>"%{RT_FLOW_EVENT:event}: %{GREEDYDATA:close-reason}: %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} \\d+\\(%{DATA:sent}\\) \\d+\\(%{DATA:received}\\) %{INT:elapsed-time} .*", :level=>:info} | |
| Adding pattern {"RT_FLOW2"=>"%{RT_FLOW_EVENT:event}: session created %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} .*", :level=>:info} | |
| Adding pattern {"RT_FLOW3"=>"%{RT_FLOW_EVENT:event}: session denied %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{INT:protocol-id}\\(\\d\\) %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} .*", :level=>:info} | |
| Adding pattern {"MONGO_LOG"=>"%{SYSLOGTIMESTAMP:timestamp} \\[%{WORD:component}\\] %{GREEDYDATA:message}", :level=>:info} | |
| Adding pattern {"MONGO_QUERY"=>"\\{ (?<={ ).*(?= } ntoreturn:) \\}", :level=>:info} | |
| Adding pattern {"MONGO_SLOWQUERY"=>"%{WORD} %{MONGO_WORDDASH:database}\\.%{MONGO_WORDDASH:collection} %{WORD}: %{MONGO_QUERY:query} %{WORD}:%{NONNEGINT:ntoreturn} %{WORD}:%{NONNEGINT:ntoskip} %{WORD}:%{NONNEGINT:nscanned}.*nreturned:%{NONNEGINT:nreturned}..+ (?<duration>[0-9]+)ms", :level=>:info} | |
| Adding pattern {"MONGO_WORDDASH"=>"\\b[\\w-]+\\b", :level=>:info} | |
| Adding pattern {"MONGO3_SEVERITY"=>"\\w", :level=>:info} | |
| Adding pattern {"MONGO3_COMPONENT"=>"%{WORD}|-", :level=>:info} | |
| Adding pattern {"MONGO3_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\\[%{DATA:context}\\])? %{GREEDYDATA:message}", :level=>:info} | |
| Adding pattern {"JAVACLASS"=>"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\\.)*[a-zA-Z$_][a-zA-Z$_0-9]*", :level=>:info} | |
| Adding pattern {"JAVAFILE"=>"(?:[A-Za-z0-9_. -]+)", :level=>:info} | |
| Adding pattern {"JAVAMETHOD"=>"(?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)", :level=>:info} | |
| Adding pattern {"JAVASTACKTRACEPART"=>"%{SPACE}at %{JAVACLASS:class}\\.%{JAVAMETHOD:method}\\(%{JAVAFILE:file}(?::%{NUMBER:line})?\\)", :level=>:info} | |
| Adding pattern {"JAVATHREAD"=>"(?:[A-Z]{2}-Processor[\\d]+)", :level=>:info} | |
| Adding pattern {"JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9$]+", :level=>:info} | |
| Adding pattern {"JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", :level=>:info} | |
| Adding pattern {"JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", :level=>:info} | |
| Adding pattern {"JAVALOGMESSAGE"=>"(.*)", :level=>:info} | |
| Adding pattern {"CATALINA_DATESTAMP"=>"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)", :level=>:info} | |
| Adding pattern {"TOMCAT_DATESTAMP"=>"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}", :level=>:info} | |
| Adding pattern {"CATALINALOG"=>"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}", :level=>:info} | |
| Adding pattern {"TOMCATLOG"=>"%{TOMCAT_DATESTAMP:timestamp} \\| %{LOGLEVEL:level} \\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}", :level=>:info} | |
| Adding pattern {"RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", :level=>:info} | |
| Adding pattern {"RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}", :level=>:info} | |
| Adding pattern {"RUUID"=>"\\h{32}", :level=>:info} | |
| Adding pattern {"RCONTROLLER"=>"(?<controller>[^#]+)#(?<action>\\w+)", :level=>:info} | |
| Adding pattern {"RAILS3HEAD"=>"(?m)Started %{WORD:verb} \"%{URIPATHPARAM:request}\" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})", :level=>:info} | |
| Adding pattern {"RPROCESSING"=>"\\W*Processing by %{RCONTROLLER} as (?<format>\\S+)(?:\\W*Parameters: {%{DATA:params}}\\W*)?", :level=>:info} | |
| Adding pattern {"RAILS3FOOT"=>"Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}", :level=>:info} | |
| Adding pattern {"RAILS3PROFILE"=>"(?:\\(Views: %{NUMBER:viewms}ms \\| ActiveRecord: %{NUMBER:activerecordms}ms|\\(ActiveRecord: %{NUMBER:activerecordms}ms)?", :level=>:info} | |
| Adding pattern {"RAILS3"=>"%{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\\n)*)(?:%{RAILS3FOOT})?", :level=>:info} | |
| Adding pattern {"REDISTIMESTAMP"=>"%{MONTHDAY} %{MONTH} %{TIME}", :level=>:info} | |
| Adding pattern {"REDISLOG"=>"\\[%{POSINT:pid}\\] %{REDISTIMESTAMP:timestamp} \\* ", :level=>:info} | |
| Adding pattern {"BRO_HTTP"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{INT:trans_depth}\\t%{GREEDYDATA:method}\\t%{GREEDYDATA:domain}\\t%{GREEDYDATA:uri}\\t%{GREEDYDATA:referrer}\\t%{GREEDYDATA:user_agent}\\t%{NUMBER:request_body_len}\\t%{NUMBER:response_body_len}\\t%{GREEDYDATA:status_code}\\t%{GREEDYDATA:status_msg}\\t%{GREEDYDATA:info_code}\\t%{GREEDYDATA:info_msg}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:bro_tags}\\t%{GREEDYDATA:username}\\t%{GREEDYDATA:password}\\t%{GREEDYDATA:proxied}\\t%{GREEDYDATA:orig_fuids}\\t%{GREEDYDATA:orig_mime_types}\\t%{GREEDYDATA:resp_fuids}\\t%{GREEDYDATA:resp_mime_types}", :level=>:info} | |
| Adding pattern {"BRO_DNS"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{INT:trans_id}\\t%{GREEDYDATA:query}\\t%{GREEDYDATA:qclass}\\t%{GREEDYDATA:qclass_name}\\t%{GREEDYDATA:qtype}\\t%{GREEDYDATA:qtype_name}\\t%{GREEDYDATA:rcode}\\t%{GREEDYDATA:rcode_name}\\t%{GREEDYDATA:AA}\\t%{GREEDYDATA:TC}\\t%{GREEDYDATA:RD}\\t%{GREEDYDATA:RA}\\t%{GREEDYDATA:Z}\\t%{GREEDYDATA:answers}\\t%{GREEDYDATA:TTLs}\\t%{GREEDYDATA:rejected}", :level=>:info} | |
| Adding pattern {"BRO_CONN"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{GREEDYDATA:service}\\t%{NUMBER:duration}\\t%{NUMBER:orig_bytes}\\t%{NUMBER:resp_bytes}\\t%{GREEDYDATA:conn_state}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:missed_bytes}\\t%{GREEDYDATA:history}\\t%{GREEDYDATA:orig_pkts}\\t%{GREEDYDATA:orig_ip_bytes}\\t%{GREEDYDATA:resp_pkts}\\t%{GREEDYDATA:resp_ip_bytes}\\t%{GREEDYDATA:tunnel_parents}", :level=>:info} | |
| Adding pattern {"BRO_FILES"=>"%{NUMBER:ts}\\t%{NOTSPACE:fuid}\\t%{IP:tx_hosts}\\t%{IP:rx_hosts}\\t%{NOTSPACE:conn_uids}\\t%{GREEDYDATA:source}\\t%{GREEDYDATA:depth}\\t%{GREEDYDATA:analyzers}\\t%{GREEDYDATA:mime_type}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:duration}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:is_orig}\\t%{GREEDYDATA:seen_bytes}\\t%{GREEDYDATA:total_bytes}\\t%{GREEDYDATA:missing_bytes}\\t%{GREEDYDATA:overflow_bytes}\\t%{GREEDYDATA:timedout}\\t%{GREEDYDATA:parent_fuid}\\t%{GREEDYDATA:md5}\\t%{GREEDYDATA:sha1}\\t%{GREEDYDATA:sha256}\\t%{GREEDYDATA:extracted}", :level=>:info} | |
| Adding pattern {"EXIM_MSGID"=>"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}", :level=>:info} | |
| Adding pattern {"EXIM_FLAGS"=>"(<=|[-=>*]>|[*]{2}|==)", :level=>:info} | |
| Adding pattern {"EXIM_DATE"=>"%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}", :level=>:info} | |
| Adding pattern {"EXIM_PID"=>"\\[%{POSINT}\\]", :level=>:info} | |
| Adding pattern {"EXIM_QT"=>"((\\d+y)?(\\d+w)?(\\d+d)?(\\d+h)?(\\d+m)?(\\d+s)?)", :level=>:info} | |
| Adding pattern {"EXIM_EXCLUDE_TERMS"=>"(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)", :level=>:info} | |
| Adding pattern {"EXIM_REMOTE_HOST"=>"(H=(%{NOTSPACE:remote_hostname} )?(\\(%{NOTSPACE:remote_heloname}\\) )?\\[%{IP:remote_host}\\])", :level=>:info} | |
| Adding pattern {"EXIM_INTERFACE"=>"(I=\\[%{IP:exim_interface}\\](:%{NUMBER:exim_interface_port}))", :level=>:info} | |
| Adding pattern {"EXIM_PROTOCOL"=>"(P=%{NOTSPACE:protocol})", :level=>:info} | |
| Adding pattern {"EXIM_MSG_SIZE"=>"(S=%{NUMBER:exim_msg_size})", :level=>:info} | |
| Adding pattern {"EXIM_HEADER_ID"=>"(id=%{NOTSPACE:exim_header_id})", :level=>:info} | |
| Adding pattern {"EXIM_SUBJECT"=>"(T=%{QS:exim_subject})", :level=>:info} | |
| Adding pattern {"POSTGRESQL"=>"%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}", :level=>:info} | |
| Adding pattern {"S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info} | |
| Adding pattern {"S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \\[%{HTTPDATE:timestamp}\\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:\"%{S3_REQUEST_LINE}\"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:\"?%{QS:agent}\"?|-) (?:-|%{NOTSPACE:version_id})", :level=>:info} | |
| Adding pattern {"ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?", :level=>:info} | |
| Adding pattern {"ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?", :level=>:info} | |
| Adding pattern {"ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info} | |
| Adding pattern {"ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} \"%{ELB_REQUEST_LINE}\"", :level=>:info} | |
| Adding pattern {"BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}", :level=>:info} | |
| Adding pattern {"BACULA_HOST"=>"[a-zA-Z0-9-]+", :level=>:info} | |
| Adding pattern {"BACULA_VOLUME"=>"%{USER}", :level=>:info} | |
| Adding pattern {"BACULA_DEVICE"=>"%{USER}", :level=>:info} | |
| Adding pattern {"BACULA_DEVICEPATH"=>"%{UNIXPATH}", :level=>:info} | |
| Adding pattern {"BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*", :level=>:info} | |
| Adding pattern {"BACULA_VERSION"=>"%{USER}", :level=>:info} | |
| Adding pattern {"BACULA_JOB"=>"%{USER}", :level=>:info} | |
| Adding pattern {"BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info} | |
| Adding pattern {"BACULA_LOG_END_VOLUME"=>"End of medium on Volume \\\"%{BACULA_VOLUME:volume}\\\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NEW_VOLUME"=>"Created new Volume \\\"%{BACULA_VOLUME:volume}\\\" in catalog.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\).", :level=>:info} | |
| Adding pattern {"BACULA_LOG_WROTE_LABEL"=>"Wrote label to prelabeled Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NEW_MOUNT"=>"New volume \\\"%{BACULA_VOLUME:volume}\\\" mounted on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\) at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOOPEN"=>"\\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOOPENDIR"=>"\\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOSTAT"=>"\\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOJOBS"=>"There are no more Jobs associated with Volume \\\"%{BACULA_VOLUME:volume}\\\". Marking it purged.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_ALL_RECORDS_PRUNED"=>"All records pruned from Volume \\\"%{BACULA_VOLUME:volume}\\\"; marking it \\\"Purged\\\"", :level=>:info} | |
| Adding pattern {"BACULA_LOG_BEGIN_PRUNE_JOBS"=>"Begin pruning Jobs older than %{INT} month %{INT} days .", :level=>:info} | |
| Adding pattern {"BACULA_LOG_BEGIN_PRUNE_FILES"=>"Begin pruning Files.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_PRUNED_JOBS"=>"Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_PRUNED_FILES"=>"Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_ENDPRUNE"=>"End auto prune.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_STARTJOB"=>"Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}", :level=>:info} | |
| Adding pattern {"BACULA_LOG_STARTRESTORE"=>"Start Restore Job %{BACULA_JOB:job}", :level=>:info} | |
| Adding pattern {"BACULA_LOG_USEDEVICE"=>"Using Device \\\"%{BACULA_DEVICE:device}\\\"", :level=>:info} | |
| Adding pattern {"BACULA_LOG_DIFF_FS"=>"\\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_JOBEND"=>"Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOPRUNE_JOBS"=>"No Jobs found to prune.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOPRUNE_FILES"=>"No Files found to prune.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_VOLUME_PREVWRITTEN"=>"Volume \\\"%{BACULA_VOLUME:volume}\\\" previously written, moving to end of data.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_READYAPPEND"=>"Ready to append to end of Volume \\\"%{BACULA_VOLUME:volume}\\\" size=%{INT}", :level=>:info} | |
| Adding pattern {"BACULA_LOG_CANCELLING"=>"Cancelling duplicate JobId=%{INT}.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_MARKCANCEL"=>"JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_CLIENT_RBJ"=>"shell command: run ClientRunBeforeJob \\\"%{GREEDYDATA:runjob}\\\"", :level=>:info} | |
| Adding pattern {"BACULA_LOG_VSS"=>"(Generate )?VSS (Writer)?", :level=>:info} | |
| Adding pattern {"BACULA_LOG_MAXSTART"=>"Fatal error: Job canceled because max start delay time exceeded.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_DUPLICATE"=>"Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOJOBSTAT"=>"Fatal error: No Job status returned from FD.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_FATAL_CONN"=>"Fatal error: bsock.c:133 Unable to connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NO_CONNECT"=>"Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NO_AUTH"=>"Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOSUIT"=>"No prior or suitable Full backup found in catalog. Doing FULL backup.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_NOPRIOR"=>"No prior Full backup Job record found.", :level=>:info} | |
| Adding pattern {"BACULA_LOG_JOB"=>"(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \\(%{BACULA_VERSION}\\):", :level=>:info} | |
| Adding pattern {"BACULA_LOGLINE"=>"%{BACULA_TIMESTAMP:bts} %{BACULA_HOST:hostname} JobId %{INT:jobid}: (%{BACULA_LOG_MAX_CAPACITY}|%{BACULA_LOG_END_VOLUME}|%{BACULA_LOG_NEW_VOLUME}|%{BACULA_LOG_NEW_LABEL}|%{BACULA_LOG_WROTE_LABEL}|%{BACULA_LOG_NEW_MOUNT}|%{BACULA_LOG_NOOPEN}|%{BACULA_LOG_NOOPENDIR}|%{BACULA_LOG_NOSTAT}|%{BACULA_LOG_NOJOBS}|%{BACULA_LOG_ALL_RECORDS_PRUNED}|%{BACULA_LOG_BEGIN_PRUNE_JOBS}|%{BACULA_LOG_BEGIN_PRUNE_FILES}|%{BACULA_LOG_PRUNED_JOBS}|%{BACULA_LOG_PRUNED_FILES}|%{BACULA_LOG_ENDPRUNE}|%{BACULA_LOG_STARTJOB}|%{BACULA_LOG_STARTRESTORE}|%{BACULA_LOG_USEDEVICE}|%{BACULA_LOG_DIFF_FS}|%{BACULA_LOG_JOBEND}|%{BACULA_LOG_NOPRUNE_JOBS}|%{BACULA_LOG_NOPRUNE_FILES}|%{BACULA_LOG_VOLUME_PREVWRITTEN}|%{BACULA_LOG_READYAPPEND}|%{BACULA_LOG_CANCELLING}|%{BACULA_LOG_MARKCANCEL}|%{BACULA_LOG_CLIENT_RBJ}|%{BACULA_LOG_VSS}|%{BACULA_LOG_MAXSTART}|%{BACULA_LOG_DUPLICATE}|%{BACULA_LOG_NOJOBSTAT}|%{BACULA_LOG_FATAL_CONN}|%{BACULA_LOG_NO_CONNECT}|%{BACULA_LOG_NO_AUTH}|%{BACULA_LOG_NOSUIT}|%{BACULA_LOG_JOB}|%{BACULA_LOG_NOPRIOR})", :level=>:info} | |
| Adding pattern {"HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", :level=>:info} | |
| Adding pattern {"HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", :level=>:info} | |
| Adding pattern {"HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", :level=>:info} | |
| Adding pattern {"HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", :level=>:info} | |
| Adding pattern {"HAPROXYHTTPBASE"=>"%{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\"", :level=>:info} | |
| Adding pattern {"HAPROXYHTTP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}", :level=>:info} | |
| Adding pattern {"HAPROXYTCP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", :level=>:info} | |
| Starting pipeline {:id=>"main", :pipeline_workers=>1, :batch_size=>125, :batch_delay=>5, :max_inflight=>125, :level=>:info} | |
| Pipeline main started |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment