@tebeka
Created January 10, 2016 11:19
Logstash error
# Start Logstash in a throwaway container and load the pipeline from the
# bind-mounted project directory.
#
#   --rm   remove the container when Logstash exits.
#   -v     bind-mounts the host project directory at /code. Docker mounts it
#          read-write by default; if logstash.conf writes nothing under /code
#          (not visible here, confirm), append ":ro" so the container cannot
#          modify the host tree.
#   -p     publishes UDP 25826 on every host interface, because no host IP is
#          given. Plain UDP has no sender authentication, so any host that can
#          reach the port can submit events. Use HOST_IP:25826:25826/udp or a
#          host firewall rule to limit who can reach it.
#   logstash   no tag is given, so Docker resolves the image to "latest".
#          Pin a tag or digest so the run is reproducible and the image
#          contents are known.
#   -f     pipeline configuration file to load.
#   -v     raises Logstash log verbosity; the output that follows is at info
#          level.
docker run \
--rm \
-v /home/miki/work/cyberint/misc/monitoring-poc:/code \
-p 25826:25826/udp \
logstash -f /code/logstash.conf -v
{:timestamp=>"2016-01-10T11:14:26.397000+0000", :message=>"Starting UDP listener", :address=>"0.0.0.0:25826", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.417000+0000", :message=>"Grok patterns path", :patterns_dir=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns", "/opt/logstash/patterns/*"], :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.425000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/firewalls", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.426000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/linux-syslog", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.434000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/nagios", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.437000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mcollective", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.438000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/bro", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.439000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/haproxy", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.440000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/bacula", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.440000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/postgresql", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.441000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mongodb", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.442000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mcollective-patterns", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.442000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/junos", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.443000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/rails", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.444000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/exim", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.444000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/java", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.445000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/redis", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.446000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/aws", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.446000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/ruby", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.447000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/grok-patterns", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.448000+0000", :message=>"Match data", :match=>{"message"=>"%{DATESTAMP:timestamp} \\[%{DATA}\\] %{GREEDYDATA:message}"}, :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.449000+0000", :message=>"Grok compile", :field=>"message", :patterns=>["%{DATESTAMP:timestamp} \\[%{DATA}\\] %{GREEDYDATA:message}"], :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.455000+0000", :message=>"Adding pattern", "NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.457000+0000", :message=>"Adding pattern", "CISCO_TAGGED_SYSLOG"=>"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.457000+0000", :message=>"Adding pattern", "CISCOTIMESTAMP"=>"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.458000+0000", :message=>"Adding pattern", "CISCOTAG"=>"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.459000+0000", :message=>"Adding pattern", "CISCO_ACTION"=>"Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.460000+0000", :message=>"Adding pattern", "CISCO_REASON"=>"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\\s*)*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.460000+0000", :message=>"Adding pattern", "CISCO_DIRECTION"=>"Inbound|inbound|Outbound|outbound", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.461000+0000", :message=>"Adding pattern", "CISCO_INTERVAL"=>"first hit|%{INT}-second interval", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.462000+0000", :message=>"Adding pattern", "CISCO_XLATE_TYPE"=>"static|dynamic", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.462000+0000", :message=>"Adding pattern", "CISCOFW104001"=>"\\((?:Primary|Secondary)\\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.463000+0000", :message=>"Adding pattern", "CISCOFW104002"=>"\\((?:Primary|Secondary)\\) Switching to STANDBY - %{GREEDYDATA:switch_reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.464000+0000", :message=>"Adding pattern", "CISCOFW104003"=>"\\((?:Primary|Secondary)\\) Switching to FAILED\\.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.465000+0000", :message=>"Adding pattern", "CISCOFW104004"=>"\\((?:Primary|Secondary)\\) Switching to OK\\.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.466000+0000", :message=>"Adding pattern", "CISCOFW105003"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.466000+0000", :message=>"Adding pattern", "CISCOFW105004"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.467000+0000", :message=>"Adding pattern", "CISCOFW105005"=>"\\((?:Primary|Secondary)\\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.468000+0000", :message=>"Adding pattern", "CISCOFW105008"=>"\\((?:Primary|Secondary)\\) Testing [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.468000+0000", :message=>"Adding pattern", "CISCOFW105009"=>"\\((?:Primary|Secondary)\\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.469000+0000", :message=>"Adding pattern", "CISCOFW106001"=>"%{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.470000+0000", :message=>"Adding pattern", "CISCOFW106006_106007_106010"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\\(%{DATA:src_fwuser}\\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\\(%{DATA:dst_fwuser}\\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.470000+0000", :message=>"Adding pattern", "CISCOFW106014"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\\(%{DATA:dst_fwuser}\\))? \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.471000+0000", :message=>"Adding pattern", "CISCOFW106015"=>"%{CISCO_ACTION:action} %{WORD:protocol} \\(%{DATA:policy_id}\\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.472000+0000", :message=>"Adding pattern", "CISCOFW106021"=>"%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.472000+0000", :message=>"Adding pattern", "CISCOFW106023"=>"%{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\\(%{DATA:dst_fwuser}\\))?( \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\))? by access-group \"?%{DATA:policy_id}\"? \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.473000+0000", :message=>"Adding pattern", "CISCOFW106100_2_3"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\) -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.478000+0000", :message=>"Adding pattern", "CISCOFW106100"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\)(\\(%{DATA:src_fwuser}\\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\)(\\(%{DATA:src_fwuser}\\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.484000+0000", :message=>"Adding pattern", "CISCOFW110002"=>"%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.494000+0000", :message=>"Adding pattern", "CISCOFW302010"=>"%{INT:connection_count} in use, %{INT:connection_count_max} most used", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.495000+0000", :message=>"Adding pattern", "CISCOFW302013_302014_302015_302016"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\\))?(\\(%{DATA:src_fwuser}\\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\\))?(\\(%{DATA:dst_fwuser}\\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \\(%{DATA:user}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.496000+0000", :message=>"Adding pattern", "CISCOFW302020_302021"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\\(%{DATA:fwuser}\\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \\(%{DATA:user}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.498000+0000", :message=>"Adding pattern", "CISCOFW305011"=>"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.499000+0000", :message=>"Adding pattern", "CISCOFW313001_313004_313008"=>"%{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.500000+0000", :message=>"Adding pattern", "CISCOFW313005"=>"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\\(%{DATA:err_src_fwuser}\\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\\(%{DATA:err_dst_fwuser}\\))? \\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\\) on %{DATA:interface} interface\\. Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\\(%{DATA:orig_src_fwuser}\\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\\(%{DATA:orig_dst_fwuser}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.501000+0000", :message=>"Adding pattern", "CISCOFW321001"=>"Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.502000+0000", :message=>"Adding pattern", "CISCOFW402117"=>"%{WORD:protocol}: Received a non-IPSec packet \\(protocol= %{WORD:orig_protocol}\\) from %{IP:src_ip} to %{IP:dst_ip}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.502000+0000", :message=>"Adding pattern", "CISCOFW402119"=>"%{WORD:protocol}: Received an %{WORD:orig_protocol} packet \\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\\) from %{IP:src_ip} \\(user= %{DATA:user}\\) to %{IP:dst_ip} that failed anti-replay checking", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.503000+0000", :message=>"Adding pattern", "CISCOFW419001"=>"%{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.504000+0000", :message=>"Adding pattern", "CISCOFW419002"=>"%{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.504000+0000", :message=>"Adding pattern", "CISCOFW500004"=>"%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.505000+0000", :message=>"Adding pattern", "CISCOFW602303_602304"=>"%{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \\(SPI= %{DATA:spi}\\) between %{IP:src_ip} and %{IP:dst_ip} \\(user= %{DATA:user}\\) has been %{CISCO_ACTION:action}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.506000+0000", :message=>"Adding pattern", "CISCOFW710001_710002_710003_710005_710006"=>"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.507000+0000", :message=>"Adding pattern", "CISCOFW713172"=>"Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\\s+Remote end\\s*%{DATA:is_remote_natted}\\s*behind a NAT device\\s+This\\s+end\\s*%{DATA:is_local_natted}\\s*behind a NAT device", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.508000+0000", :message=>"Adding pattern", "CISCOFW733100"=>"\\[\\s*%{DATA:drop_type}\\s*\\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.508000+0000", :message=>"Adding pattern", "SHOREWALL"=>"(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.510000+0000", :message=>"Adding pattern", "SYSLOG5424PRINTASCII"=>"[!-~]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.511000+0000", :message=>"Adding pattern", "SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.512000+0000", :message=>"Adding pattern", "SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.513000+0000", :message=>"Adding pattern", "CRON_ACTION"=>"[A-Z ]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.514000+0000", :message=>"Adding pattern", "CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.515000+0000", :message=>"Adding pattern", "SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.516000+0000", :message=>"Adding pattern", "SYSLOG5424PRI"=>"<%{NONNEGINT:syslog5424_pri}>", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.523000+0000", :message=>"Adding pattern", "SYSLOG5424SD"=>"\\[%{DATA}\\]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.525000+0000", :message=>"Adding pattern", "SYSLOG5424BASE"=>"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.526000+0000", :message=>"Adding pattern", "SYSLOG5424LINE"=>"%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.528000+0000", :message=>"Adding pattern", "NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.529000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.530000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.531000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.531000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.532000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.533000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.533000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.535000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.536000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.537000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.539000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.540000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.540000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.541000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.544000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.545000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.546000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.547000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.547000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.548000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.548000+0000", :message=>"Adding pattern", "NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.549000+0000", :message=>"Adding pattern", "NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.549000+0000", :message=>"Adding pattern", "NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.550000+0000", :message=>"Adding pattern", "NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.551000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS"=>"DISABLE_HOST_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.551000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS"=>"ENABLE_HOST_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.553000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS"=>"DISABLE_HOST_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.554000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS"=>"ENABLE_HOST_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.554000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS"=>"DISABLE_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.558000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS"=>"ENABLE_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.558000+0000", :message=>"Adding pattern", "NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.559000+0000", :message=>"Adding pattern", "NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.560000+0000", :message=>"Adding pattern", "NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.561000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.564000+0000", :message=>"Adding pattern", "NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.565000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.566000+0000", :message=>"Adding pattern", "NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.567000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.567000+0000", :message=>"Adding pattern", "NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.568000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.569000+0000", :message=>"Adding pattern", "NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.569000+0000", :message=>"Adding pattern", "NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.570000+0000", :message=>"Adding pattern", "NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.571000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.571000+0000", :message=>"Adding pattern", "NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.572000+0000", :message=>"Adding pattern", "NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.573000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.573000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.574000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.575000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.576000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.576000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.577000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.578000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.579000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.579000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.580000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.580000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.581000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.582000+0000", :message=>"Adding pattern", "NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME}|%{NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.583000+0000", :message=>"Adding pattern", "MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.584000+0000", :message=>"Adding pattern", "BRO_HTTP"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{INT:trans_depth}\\t%{GREEDYDATA:method}\\t%{GREEDYDATA:domain}\\t%{GREEDYDATA:uri}\\t%{GREEDYDATA:referrer}\\t%{GREEDYDATA:user_agent}\\t%{NUMBER:request_body_len}\\t%{NUMBER:response_body_len}\\t%{GREEDYDATA:status_code}\\t%{GREEDYDATA:status_msg}\\t%{GREEDYDATA:info_code}\\t%{GREEDYDATA:info_msg}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:bro_tags}\\t%{GREEDYDATA:username}\\t%{GREEDYDATA:password}\\t%{GREEDYDATA:proxied}\\t%{GREEDYDATA:orig_fuids}\\t%{GREEDYDATA:orig_mime_types}\\t%{GREEDYDATA:resp_fuids}\\t%{GREEDYDATA:resp_mime_types}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.585000+0000", :message=>"Adding pattern", "BRO_DNS"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{INT:trans_id}\\t%{GREEDYDATA:query}\\t%{GREEDYDATA:qclass}\\t%{GREEDYDATA:qclass_name}\\t%{GREEDYDATA:qtype}\\t%{GREEDYDATA:qtype_name}\\t%{GREEDYDATA:rcode}\\t%{GREEDYDATA:rcode_name}\\t%{GREEDYDATA:AA}\\t%{GREEDYDATA:TC}\\t%{GREEDYDATA:RD}\\t%{GREEDYDATA:RA}\\t%{GREEDYDATA:Z}\\t%{GREEDYDATA:answers}\\t%{GREEDYDATA:TTLs}\\t%{GREEDYDATA:rejected}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.586000+0000", :message=>"Adding pattern", "BRO_CONN"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{GREEDYDATA:service}\\t%{NUMBER:duration}\\t%{NUMBER:orig_bytes}\\t%{NUMBER:resp_bytes}\\t%{GREEDYDATA:conn_state}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:missed_bytes}\\t%{GREEDYDATA:history}\\t%{GREEDYDATA:orig_pkts}\\t%{GREEDYDATA:orig_ip_bytes}\\t%{GREEDYDATA:resp_pkts}\\t%{GREEDYDATA:resp_ip_bytes}\\t%{GREEDYDATA:tunnel_parents}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.586000+0000", :message=>"Adding pattern", "BRO_FILES"=>"%{NUMBER:ts}\\t%{NOTSPACE:fuid}\\t%{IP:tx_hosts}\\t%{IP:rx_hosts}\\t%{NOTSPACE:conn_uids}\\t%{GREEDYDATA:source}\\t%{GREEDYDATA:depth}\\t%{GREEDYDATA:analyzers}\\t%{GREEDYDATA:mime_type}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:duration}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:is_orig}\\t%{GREEDYDATA:seen_bytes}\\t%{GREEDYDATA:total_bytes}\\t%{GREEDYDATA:missing_bytes}\\t%{GREEDYDATA:overflow_bytes}\\t%{GREEDYDATA:timedout}\\t%{GREEDYDATA:parent_fuid}\\t%{GREEDYDATA:md5}\\t%{GREEDYDATA:sha1}\\t%{GREEDYDATA:sha256}\\t%{GREEDYDATA:extracted}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.588000+0000", :message=>"Adding pattern", "HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.589000+0000", :message=>"Adding pattern", "HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.589000+0000", :message=>"Adding pattern", "HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.590000+0000", :message=>"Adding pattern", "HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.591000+0000", :message=>"Adding pattern", "HAPROXYHTTPBASE"=>"%{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.591000+0000", :message=>"Adding pattern", "HAPROXYHTTP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.592000+0000", :message=>"Adding pattern", "HAPROXYTCP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.593000+0000", :message=>"Adding pattern", "BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.594000+0000", :message=>"Adding pattern", "BACULA_HOST"=>"[a-zA-Z0-9-]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.594000+0000", :message=>"Adding pattern", "BACULA_VOLUME"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.595000+0000", :message=>"Adding pattern", "BACULA_DEVICE"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.595000+0000", :message=>"Adding pattern", "BACULA_DEVICEPATH"=>"%{UNIXPATH}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.596000+0000", :message=>"Adding pattern", "BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.596000+0000", :message=>"Adding pattern", "BACULA_VERSION"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.596000+0000", :message=>"Adding pattern", "BACULA_JOB"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.597000+0000", :message=>"Adding pattern", "BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.597000+0000", :message=>"Adding pattern", "BACULA_LOG_END_VOLUME"=>"End of medium on Volume \\\"%{BACULA_VOLUME:volume}\\\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.598000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_VOLUME"=>"Created new Volume \\\"%{BACULA_VOLUME:volume}\\\" in catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.598000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\).", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.599000+0000", :message=>"Adding pattern", "BACULA_LOG_WROTE_LABEL"=>"Wrote label to prelabeled Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.599000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_MOUNT"=>"New volume \\\"%{BACULA_VOLUME:volume}\\\" mounted on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\) at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.600000+0000", :message=>"Adding pattern", "BACULA_LOG_NOOPEN"=>"\\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.600000+0000", :message=>"Adding pattern", "BACULA_LOG_NOOPENDIR"=>"\\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.601000+0000", :message=>"Adding pattern", "BACULA_LOG_NOSTAT"=>"\\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.601000+0000", :message=>"Adding pattern", "BACULA_LOG_NOJOBS"=>"There are no more Jobs associated with Volume \\\"%{BACULA_VOLUME:volume}\\\". Marking it purged.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.602000+0000", :message=>"Adding pattern", "BACULA_LOG_ALL_RECORDS_PRUNED"=>"All records pruned from Volume \\\"%{BACULA_VOLUME:volume}\\\"; marking it \\\"Purged\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.602000+0000", :message=>"Adding pattern", "BACULA_LOG_BEGIN_PRUNE_JOBS"=>"Begin pruning Jobs older than %{INT} month %{INT} days .", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.603000+0000", :message=>"Adding pattern", "BACULA_LOG_BEGIN_PRUNE_FILES"=>"Begin pruning Files.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.603000+0000", :message=>"Adding pattern", "BACULA_LOG_PRUNED_JOBS"=>"Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.603000+0000", :message=>"Adding pattern", "BACULA_LOG_PRUNED_FILES"=>"Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.604000+0000", :message=>"Adding pattern", "BACULA_LOG_ENDPRUNE"=>"End auto prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.605000+0000", :message=>"Adding pattern", "BACULA_LOG_STARTJOB"=>"Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.605000+0000", :message=>"Adding pattern", "BACULA_LOG_STARTRESTORE"=>"Start Restore Job %{BACULA_JOB:job}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.606000+0000", :message=>"Adding pattern", "BACULA_LOG_USEDEVICE"=>"Using Device \\\"%{BACULA_DEVICE:device}\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.606000+0000", :message=>"Adding pattern", "BACULA_LOG_DIFF_FS"=>"\\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.607000+0000", :message=>"Adding pattern", "BACULA_LOG_JOBEND"=>"Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.607000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRUNE_JOBS"=>"No Jobs found to prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.608000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRUNE_FILES"=>"No Files found to prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.608000+0000", :message=>"Adding pattern", "BACULA_LOG_VOLUME_PREVWRITTEN"=>"Volume \\\"%{BACULA_VOLUME:volume}\\\" previously written, moving to end of data.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.609000+0000", :message=>"Adding pattern", "BACULA_LOG_READYAPPEND"=>"Ready to append to end of Volume \\\"%{BACULA_VOLUME:volume}\\\" size=%{INT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.609000+0000", :message=>"Adding pattern", "BACULA_LOG_CANCELLING"=>"Cancelling duplicate JobId=%{INT}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.610000+0000", :message=>"Adding pattern", "BACULA_LOG_MARKCANCEL"=>"JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.610000+0000", :message=>"Adding pattern", "BACULA_LOG_CLIENT_RBJ"=>"shell command: run ClientRunBeforeJob \\\"%{GREEDYDATA:runjob}\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.611000+0000", :message=>"Adding pattern", "BACULA_LOG_VSS"=>"(Generate )?VSS (Writer)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.611000+0000", :message=>"Adding pattern", "BACULA_LOG_MAXSTART"=>"Fatal error: Job canceled because max start delay time exceeded.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.612000+0000", :message=>"Adding pattern", "BACULA_LOG_DUPLICATE"=>"Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.612000+0000", :message=>"Adding pattern", "BACULA_LOG_NOJOBSTAT"=>"Fatal error: No Job status returned from FD.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.612000+0000", :message=>"Adding pattern", "BACULA_LOG_FATAL_CONN"=>"Fatal error: bsock.c:133 Unable to connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.613000+0000", :message=>"Adding pattern", "BACULA_LOG_NO_CONNECT"=>"Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.613000+0000", :message=>"Adding pattern", "BACULA_LOG_NO_AUTH"=>"Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.614000+0000", :message=>"Adding pattern", "BACULA_LOG_NOSUIT"=>"No prior or suitable Full backup found in catalog. Doing FULL backup.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.614000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRIOR"=>"No prior Full backup Job record found.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.615000+0000", :message=>"Adding pattern", "BACULA_LOG_JOB"=>"(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \\(%{BACULA_VERSION}\\):", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.615000+0000", :message=>"Adding pattern", "BACULA_LOGLINE"=>"%{BACULA_TIMESTAMP:bts} %{BACULA_HOST:hostname} JobId %{INT:jobid}: (%{BACULA_LOG_MAX_CAPACITY}|%{BACULA_LOG_END_VOLUME}|%{BACULA_LOG_NEW_VOLUME}|%{BACULA_LOG_NEW_LABEL}|%{BACULA_LOG_WROTE_LABEL}|%{BACULA_LOG_NEW_MOUNT}|%{BACULA_LOG_NOOPEN}|%{BACULA_LOG_NOOPENDIR}|%{BACULA_LOG_NOSTAT}|%{BACULA_LOG_NOJOBS}|%{BACULA_LOG_ALL_RECORDS_PRUNED}|%{BACULA_LOG_BEGIN_PRUNE_JOBS}|%{BACULA_LOG_BEGIN_PRUNE_FILES}|%{BACULA_LOG_PRUNED_JOBS}|%{BACULA_LOG_PRUNED_FILES}|%{BACULA_LOG_ENDPRUNE}|%{BACULA_LOG_STARTJOB}|%{BACULA_LOG_STARTRESTORE}|%{BACULA_LOG_USEDEVICE}|%{BACULA_LOG_DIFF_FS}|%{BACULA_LOG_JOBEND}|%{BACULA_LOG_NOPRUNE_JOBS}|%{BACULA_LOG_NOPRUNE_FILES}|%{BACULA_LOG_VOLUME_PREVWRITTEN}|%{BACULA_LOG_READYAPPEND}|%{BACULA_LOG_CANCELLING}|%{BACULA_LOG_MARKCANCEL}|%{BACULA_LOG_CLIENT_RBJ}|%{BACULA_LOG_VSS}|%{BACULA_LOG_MAXSTART}|%{BACULA_LOG_DUPLICATE}|%{BACULA_LOG_NOJOBSTAT}|%{BACULA_LOG_FATAL_CONN}|%{BACULA_LOG_NO_CONNECT}|%{BACULA_LOG_NO_AUTH}|%{BACULA_LOG_NOSUIT}|%{BACULA_LOG_JOB}|%{BACULA_LOG_NOPRIOR})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.616000+0000", :message=>"Adding pattern", "POSTGRESQL"=>"%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.618000+0000", :message=>"Adding pattern", "MONGO_LOG"=>"%{SYSLOGTIMESTAMP:timestamp} \\[%{WORD:component}\\] %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.618000+0000", :message=>"Adding pattern", "MONGO_QUERY"=>"\\{ (?<={ ).*(?= } ntoreturn:) \\}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.619000+0000", :message=>"Adding pattern", "MONGO_SLOWQUERY"=>"%{WORD} %{MONGO_WORDDASH:database}\\.%{MONGO_WORDDASH:collection} %{WORD}: %{MONGO_QUERY:query} %{WORD}:%{NONNEGINT:ntoreturn} %{WORD}:%{NONNEGINT:ntoskip} %{WORD}:%{NONNEGINT:nscanned}.*nreturned:%{NONNEGINT:nreturned}..+ (?<duration>[0-9]+)ms", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.620000+0000", :message=>"Adding pattern", "MONGO_WORDDASH"=>"\\b[\\w-]+\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.620000+0000", :message=>"Adding pattern", "MONGO3_SEVERITY"=>"\\w", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.621000+0000", :message=>"Adding pattern", "MONGO3_COMPONENT"=>"%{WORD}|-", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.621000+0000", :message=>"Adding pattern", "MONGO3_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\\[%{DATA:context}\\])? %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.622000+0000", :message=>"Adding pattern", "MCOLLECTIVE"=>"., \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\]%{SPACE}%{LOGLEVEL:event_level}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.623000+0000", :message=>"Adding pattern", "MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.624000+0000", :message=>"Adding pattern", "RT_FLOW_EVENT"=>"(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.625000+0000", :message=>"Adding pattern", "RT_FLOW1"=>"%{RT_FLOW_EVENT:event}: %{GREEDYDATA:close-reason}: %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} \\d+\\(%{DATA:sent}\\) \\d+\\(%{DATA:received}\\) %{INT:elapsed-time} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.625000+0000", :message=>"Adding pattern", "RT_FLOW2"=>"%{RT_FLOW_EVENT:event}: session created %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.626000+0000", :message=>"Adding pattern", "RT_FLOW3"=>"%{RT_FLOW_EVENT:event}: session denied %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{INT:protocol-id}\\(\\d\\) %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.627000+0000", :message=>"Adding pattern", "RUUID"=>"\\h{32}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.628000+0000", :message=>"Adding pattern", "RCONTROLLER"=>"(?<controller>[^#]+)#(?<action>\\w+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.629000+0000", :message=>"Adding pattern", "RAILS3HEAD"=>"(?m)Started %{WORD:verb} \"%{URIPATHPARAM:request}\" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.630000+0000", :message=>"Adding pattern", "RPROCESSING"=>"\\W*Processing by %{RCONTROLLER} as (?<format>\\S+)(?:\\W*Parameters: {%{DATA:params}}\\W*)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.631000+0000", :message=>"Adding pattern", "RAILS3FOOT"=>"Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.632000+0000", :message=>"Adding pattern", "RAILS3PROFILE"=>"(?:\\(Views: %{NUMBER:viewms}ms \\| ActiveRecord: %{NUMBER:activerecordms}ms|\\(ActiveRecord: %{NUMBER:activerecordms}ms)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.633000+0000", :message=>"Adding pattern", "RAILS3"=>"%{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\\n)*)(?:%{RAILS3FOOT})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.635000+0000", :message=>"Adding pattern", "EXIM_MSGID"=>"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.636000+0000", :message=>"Adding pattern", "EXIM_FLAGS"=>"(<=|[-=>*]>|[*]{2}|==)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.637000+0000", :message=>"Adding pattern", "EXIM_DATE"=>"%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.638000+0000", :message=>"Adding pattern", "EXIM_PID"=>"\\[%{POSINT}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.639000+0000", :message=>"Adding pattern", "EXIM_QT"=>"((\\d+y)?(\\d+w)?(\\d+d)?(\\d+h)?(\\d+m)?(\\d+s)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.639000+0000", :message=>"Adding pattern", "EXIM_EXCLUDE_TERMS"=>"(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.640000+0000", :message=>"Adding pattern", "EXIM_REMOTE_HOST"=>"(H=(%{NOTSPACE:remote_hostname} )?(\\(%{NOTSPACE:remote_heloname}\\) )?\\[%{IP:remote_host}\\])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.641000+0000", :message=>"Adding pattern", "EXIM_INTERFACE"=>"(I=\\[%{IP:exim_interface}\\](:%{NUMBER:exim_interface_port}))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.642000+0000", :message=>"Adding pattern", "EXIM_PROTOCOL"=>"(P=%{NOTSPACE:protocol})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.642000+0000", :message=>"Adding pattern", "EXIM_MSG_SIZE"=>"(S=%{NUMBER:exim_msg_size})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.643000+0000", :message=>"Adding pattern", "EXIM_HEADER_ID"=>"(id=%{NOTSPACE:exim_header_id})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.644000+0000", :message=>"Adding pattern", "EXIM_SUBJECT"=>"(T=%{QS:exim_subject})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.646000+0000", :message=>"Adding pattern", "JAVACLASS"=>"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\\.)*[a-zA-Z$_][a-zA-Z$_0-9]*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.647000+0000", :message=>"Adding pattern", "JAVAFILE"=>"(?:[A-Za-z0-9_. -]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.648000+0000", :message=>"Adding pattern", "JAVAMETHOD"=>"(?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.648000+0000", :message=>"Adding pattern", "JAVASTACKTRACEPART"=>"%{SPACE}at %{JAVACLASS:class}\\.%{JAVAMETHOD:method}\\(%{JAVAFILE:file}(?::%{NUMBER:line})?\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.649000+0000", :message=>"Adding pattern", "JAVATHREAD"=>"(?:[A-Z]{2}-Processor[\\d]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.650000+0000", :message=>"Adding pattern", "JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9$]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.651000+0000", :message=>"Adding pattern", "JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.652000+0000", :message=>"Adding pattern", "JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.654000+0000", :message=>"Adding pattern", "JAVALOGMESSAGE"=>"(.*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.655000+0000", :message=>"Adding pattern", "CATALINA_DATESTAMP"=>"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.657000+0000", :message=>"Adding pattern", "TOMCAT_DATESTAMP"=>"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.658000+0000", :message=>"Adding pattern", "CATALINALOG"=>"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.659000+0000", :message=>"Adding pattern", "TOMCATLOG"=>"%{TOMCAT_DATESTAMP:timestamp} \\| %{LOGLEVEL:level} \\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.664000+0000", :message=>"Adding pattern", "REDISTIMESTAMP"=>"%{MONTHDAY} %{MONTH} %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.666000+0000", :message=>"Adding pattern", "REDISLOG"=>"\\[%{POSINT:pid}\\] %{REDISTIMESTAMP:timestamp} \\* ", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.668000+0000", :message=>"Adding pattern", "S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.671000+0000", :message=>"Adding pattern", "S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \\[%{HTTPDATE:timestamp}\\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:\"%{S3_REQUEST_LINE}\"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:\"?%{QS:agent}\"?|-) (?:-|%{NOTSPACE:version_id})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.672000+0000", :message=>"Adding pattern", "ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.674000+0000", :message=>"Adding pattern", "ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.675000+0000", :message=>"Adding pattern", "ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.679000+0000", :message=>"Adding pattern", "ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} \"%{ELB_REQUEST_LINE}\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.681000+0000", :message=>"Adding pattern", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.682000+0000", :message=>"Adding pattern", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.685000+0000", :message=>"Adding pattern", "USERNAME"=>"[a-zA-Z0-9._-]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.688000+0000", :message=>"Adding pattern", "USER"=>"%{USERNAME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.689000+0000", :message=>"Adding pattern", "EMAILLOCALPART"=>"[a-zA-Z][a-zA-Z0-9_.+-=:]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.690000+0000", :message=>"Adding pattern", "EMAILADDRESS"=>"%{EMAILLOCALPART}@%{HOSTNAME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.691000+0000", :message=>"Adding pattern", "HTTPDUSER"=>"%{EMAILADDRESS}|%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.692000+0000", :message=>"Adding pattern", "INT"=>"(?:[+-]?(?:[0-9]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.693000+0000", :message=>"Adding pattern", "BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.694000+0000", :message=>"Adding pattern", "NUMBER"=>"(?:%{BASE10NUM})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.695000+0000", :message=>"Adding pattern", "BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.695000+0000", :message=>"Adding pattern", "BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.696000+0000", :message=>"Adding pattern", "POSINT"=>"\\b(?:[1-9][0-9]*)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.697000+0000", :message=>"Adding pattern", "NONNEGINT"=>"\\b(?:[0-9]+)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.697000+0000", :message=>"Adding pattern", "WORD"=>"\\b\\w+\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.698000+0000", :message=>"Adding pattern", "NOTSPACE"=>"\\S+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.699000+0000", :message=>"Adding pattern", "SPACE"=>"\\s*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.700000+0000", :message=>"Adding pattern", "DATA"=>".*?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.701000+0000", :message=>"Adding pattern", "GREEDYDATA"=>".*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.702000+0000", :message=>"Adding pattern", "QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.703000+0000", :message=>"Adding pattern", "UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.703000+0000", :message=>"Adding pattern", "MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.704000+0000", :message=>"Adding pattern", "CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.705000+0000", :message=>"Adding pattern", "WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.706000+0000", :message=>"Adding pattern", "COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.707000+0000", :message=>"Adding pattern", "IPV6"=>"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.709000+0000", :message=>"Adding pattern", "IPV4"=>"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.710000+0000", :message=>"Adding pattern", "IP"=>"(?:%{IPV6}|%{IPV4})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.710000+0000", :message=>"Adding pattern", "HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.711000+0000", :message=>"Adding pattern", "IPORHOST"=>"(?:%{IP}|%{HOSTNAME})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.712000+0000", :message=>"Adding pattern", "HOSTPORT"=>"%{IPORHOST}:%{POSINT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.712000+0000", :message=>"Adding pattern", "PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.713000+0000", :message=>"Adding pattern", "UNIXPATH"=>"(/([\\w_%!$@:.,~-]+|\\\\.)*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.714000+0000", :message=>"Adding pattern", "TTY"=>"(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.714000+0000", :message=>"Adding pattern", "WINPATH"=>"(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.715000+0000", :message=>"Adding pattern", "URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.716000+0000", :message=>"Adding pattern", "URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.716000+0000", :message=>"Adding pattern", "URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\\-]*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.717000+0000", :message=>"Adding pattern", "URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.717000+0000", :message=>"Adding pattern", "URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.718000+0000", :message=>"Adding pattern", "URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.719000+0000", :message=>"Adding pattern", "MONTH"=>"\\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.720000+0000", :message=>"Adding pattern", "MONTHNUM"=>"(?:0?[1-9]|1[0-2])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.721000+0000", :message=>"Adding pattern", "MONTHNUM2"=>"(?:0[1-9]|1[0-2])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.721000+0000", :message=>"Adding pattern", "MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.722000+0000", :message=>"Adding pattern", "DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.723000+0000", :message=>"Adding pattern", "YEAR"=>"(?>\\d\\d){1,2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.724000+0000", :message=>"Adding pattern", "HOUR"=>"(?:2[0123]|[01]?[0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.725000+0000", :message=>"Adding pattern", "MINUTE"=>"(?:[0-5][0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.725000+0000", :message=>"Adding pattern", "SECOND"=>"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.726000+0000", :message=>"Adding pattern", "TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.727000+0000", :message=>"Adding pattern", "DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.727000+0000", :message=>"Adding pattern", "DATE_EU"=>"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.728000+0000", :message=>"Adding pattern", "ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.729000+0000", :message=>"Adding pattern", "ISO8601_SECOND"=>"(?:%{SECOND}|60)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.730000+0000", :message=>"Adding pattern", "TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.731000+0000", :message=>"Adding pattern", "DATE"=>"%{DATE_US}|%{DATE_EU}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.732000+0000", :message=>"Adding pattern", "DATESTAMP"=>"%{DATE}[- ]%{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.733000+0000", :message=>"Adding pattern", "TZ"=>"(?:[PMCE][SD]T|UTC)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.734000+0000", :message=>"Adding pattern", "DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.735000+0000", :message=>"Adding pattern", "DATESTAMP_RFC2822"=>"%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.736000+0000", :message=>"Adding pattern", "DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.737000+0000", :message=>"Adding pattern", "DATESTAMP_EVENTLOG"=>"%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.737000+0000", :message=>"Adding pattern", "HTTPDERROR_DATE"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.738000+0000", :message=>"Adding pattern", "SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.739000+0000", :message=>"Adding pattern", "PROG"=>"[\\x21-\\x5a\\x5c\\x5e-\\x7e]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.739000+0000", :message=>"Adding pattern", "SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.740000+0000", :message=>"Adding pattern", "SYSLOGHOST"=>"%{IPORHOST}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.740000+0000", :message=>"Adding pattern", "SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.741000+0000", :message=>"Adding pattern", "HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.742000+0000", :message=>"Adding pattern", "QS"=>"%{QUOTEDSTRING}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.743000+0000", :message=>"Adding pattern", "SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.743000+0000", :message=>"Adding pattern", "COMMONAPACHELOG"=>"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.744000+0000", :message=>"Adding pattern", "COMBINEDAPACHELOG"=>"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.745000+0000", :message=>"Adding pattern", "HTTPD20_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.746000+0000", :message=>"Adding pattern", "HTTPD24_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.747000+0000", :message=>"Adding pattern", "HTTPD_ERRORLOG"=>"%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.747000+0000", :message=>"Adding pattern", "LOGLEVEL"=>"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.754000+0000", :message=>"Grok patterns path", :patterns_dir=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns", "/opt/logstash/patterns/*"], :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.770000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/firewalls", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.771000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/linux-syslog", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.772000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/nagios", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.773000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mcollective", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.774000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/bro", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.774000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/haproxy", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.775000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/bacula", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.775000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/postgresql", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.776000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mongodb", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.777000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/mcollective-patterns", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.777000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/junos", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.778000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/rails", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.779000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/exim", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.779000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/java", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.780000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/redis", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.780000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/aws", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.781000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/ruby", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.782000+0000", :message=>"Grok loading patterns from file", :path=>"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns/grok-patterns", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.782000+0000", :message=>"Match data", :match=>{"message"=>"\\[%{DATA:levelname}\\] %{GREEDYDATA:message}", "overwrite"=>["message"], "add_field"=>{"levelname"=>"%{levelname}", "orig_levelname"=>"%{levelname}"}}, :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.783000+0000", :message=>"Grok compile", :field=>"message", :patterns=>["\\[%{DATA:levelname}\\] %{GREEDYDATA:message}"], :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.785000+0000", :message=>"Adding pattern", "NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.786000+0000", :message=>"Adding pattern", "CISCO_TAGGED_SYSLOG"=>"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.786000+0000", :message=>"Adding pattern", "CISCOTIMESTAMP"=>"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.787000+0000", :message=>"Adding pattern", "CISCOTAG"=>"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.787000+0000", :message=>"Adding pattern", "CISCO_ACTION"=>"Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.788000+0000", :message=>"Adding pattern", "CISCO_REASON"=>"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\\s*)*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.789000+0000", :message=>"Adding pattern", "CISCO_DIRECTION"=>"Inbound|inbound|Outbound|outbound", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.789000+0000", :message=>"Adding pattern", "CISCO_INTERVAL"=>"first hit|%{INT}-second interval", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.790000+0000", :message=>"Adding pattern", "CISCO_XLATE_TYPE"=>"static|dynamic", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.791000+0000", :message=>"Adding pattern", "CISCOFW104001"=>"\\((?:Primary|Secondary)\\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.791000+0000", :message=>"Adding pattern", "CISCOFW104002"=>"\\((?:Primary|Secondary)\\) Switching to STANDBY - %{GREEDYDATA:switch_reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.792000+0000", :message=>"Adding pattern", "CISCOFW104003"=>"\\((?:Primary|Secondary)\\) Switching to FAILED\\.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.793000+0000", :message=>"Adding pattern", "CISCOFW104004"=>"\\((?:Primary|Secondary)\\) Switching to OK\\.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.794000+0000", :message=>"Adding pattern", "CISCOFW105003"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.794000+0000", :message=>"Adding pattern", "CISCOFW105004"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.795000+0000", :message=>"Adding pattern", "CISCOFW105005"=>"\\((?:Primary|Secondary)\\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.796000+0000", :message=>"Adding pattern", "CISCOFW105008"=>"\\((?:Primary|Secondary)\\) Testing [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.796000+0000", :message=>"Adding pattern", "CISCOFW105009"=>"\\((?:Primary|Secondary)\\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.797000+0000", :message=>"Adding pattern", "CISCOFW106001"=>"%{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.798000+0000", :message=>"Adding pattern", "CISCOFW106006_106007_106010"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\\(%{DATA:src_fwuser}\\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\\(%{DATA:dst_fwuser}\\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.799000+0000", :message=>"Adding pattern", "CISCOFW106014"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\\(%{DATA:dst_fwuser}\\))? \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.799000+0000", :message=>"Adding pattern", "CISCOFW106015"=>"%{CISCO_ACTION:action} %{WORD:protocol} \\(%{DATA:policy_id}\\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.800000+0000", :message=>"Adding pattern", "CISCOFW106021"=>"%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.801000+0000", :message=>"Adding pattern", "CISCOFW106023"=>"%{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\\(%{DATA:dst_fwuser}\\))?( \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\))? by access-group \"?%{DATA:policy_id}\"? \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.801000+0000", :message=>"Adding pattern", "CISCOFW106100_2_3"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\) -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.803000+0000", :message=>"Adding pattern", "CISCOFW106100"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\)(\\(%{DATA:src_fwuser}\\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\)(\\(%{DATA:src_fwuser}\\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.804000+0000", :message=>"Adding pattern", "CISCOFW110002"=>"%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.805000+0000", :message=>"Adding pattern", "CISCOFW302010"=>"%{INT:connection_count} in use, %{INT:connection_count_max} most used", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.806000+0000", :message=>"Adding pattern", "CISCOFW302013_302014_302015_302016"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\\))?(\\(%{DATA:src_fwuser}\\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\\))?(\\(%{DATA:dst_fwuser}\\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \\(%{DATA:user}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.807000+0000", :message=>"Adding pattern", "CISCOFW302020_302021"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\\(%{DATA:fwuser}\\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \\(%{DATA:user}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.808000+0000", :message=>"Adding pattern", "CISCOFW305011"=>"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.809000+0000", :message=>"Adding pattern", "CISCOFW313001_313004_313008"=>"%{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.810000+0000", :message=>"Adding pattern", "CISCOFW313005"=>"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\\(%{DATA:err_src_fwuser}\\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\\(%{DATA:err_dst_fwuser}\\))? \\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\\) on %{DATA:interface} interface\\. Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\\(%{DATA:orig_src_fwuser}\\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\\(%{DATA:orig_dst_fwuser}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.811000+0000", :message=>"Adding pattern", "CISCOFW321001"=>"Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.812000+0000", :message=>"Adding pattern", "CISCOFW402117"=>"%{WORD:protocol}: Received a non-IPSec packet \\(protocol= %{WORD:orig_protocol}\\) from %{IP:src_ip} to %{IP:dst_ip}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.813000+0000", :message=>"Adding pattern", "CISCOFW402119"=>"%{WORD:protocol}: Received an %{WORD:orig_protocol} packet \\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\\) from %{IP:src_ip} \\(user= %{DATA:user}\\) to %{IP:dst_ip} that failed anti-replay checking", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.814000+0000", :message=>"Adding pattern", "CISCOFW419001"=>"%{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.815000+0000", :message=>"Adding pattern", "CISCOFW419002"=>"%{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.816000+0000", :message=>"Adding pattern", "CISCOFW500004"=>"%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.816000+0000", :message=>"Adding pattern", "CISCOFW602303_602304"=>"%{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \\(SPI= %{DATA:spi}\\) between %{IP:src_ip} and %{IP:dst_ip} \\(user= %{DATA:user}\\) has been %{CISCO_ACTION:action}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.817000+0000", :message=>"Adding pattern", "CISCOFW710001_710002_710003_710005_710006"=>"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.817000+0000", :message=>"Adding pattern", "CISCOFW713172"=>"Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\\s+Remote end\\s*%{DATA:is_remote_natted}\\s*behind a NAT device\\s+This\\s+end\\s*%{DATA:is_local_natted}\\s*behind a NAT device", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.818000+0000", :message=>"Adding pattern", "CISCOFW733100"=>"\\[\\s*%{DATA:drop_type}\\s*\\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.819000+0000", :message=>"Adding pattern", "SHOREWALL"=>"(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.820000+0000", :message=>"Adding pattern", "SYSLOG5424PRINTASCII"=>"[!-~]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.821000+0000", :message=>"Adding pattern", "SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.821000+0000", :message=>"Adding pattern", "SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.822000+0000", :message=>"Adding pattern", "CRON_ACTION"=>"[A-Z ]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.822000+0000", :message=>"Adding pattern", "CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.823000+0000", :message=>"Adding pattern", "SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.824000+0000", :message=>"Adding pattern", "SYSLOG5424PRI"=>"<%{NONNEGINT:syslog5424_pri}>", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.825000+0000", :message=>"Adding pattern", "SYSLOG5424SD"=>"\\[%{DATA}\\]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.826000+0000", :message=>"Adding pattern", "SYSLOG5424BASE"=>"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.826000+0000", :message=>"Adding pattern", "SYSLOG5424LINE"=>"%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.828000+0000", :message=>"Adding pattern", "NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.828000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.829000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.830000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.830000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.831000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.832000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.832000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.833000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.834000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.834000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.835000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.835000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.836000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.836000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.837000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.837000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.838000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.839000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.839000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.840000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.841000+0000", :message=>"Adding pattern", "NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.842000+0000", :message=>"Adding pattern", "NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.843000+0000", :message=>"Adding pattern", "NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.843000+0000", :message=>"Adding pattern", "NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.844000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS"=>"DISABLE_HOST_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.845000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS"=>"ENABLE_HOST_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.845000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS"=>"DISABLE_HOST_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.846000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS"=>"ENABLE_HOST_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.847000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS"=>"DISABLE_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.848000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS"=>"ENABLE_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.848000+0000", :message=>"Adding pattern", "NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.849000+0000", :message=>"Adding pattern", "NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.849000+0000", :message=>"Adding pattern", "NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.850000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.851000+0000", :message=>"Adding pattern", "NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.852000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.852000+0000", :message=>"Adding pattern", "NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.853000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.854000+0000", :message=>"Adding pattern", "NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.854000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.855000+0000", :message=>"Adding pattern", "NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.855000+0000", :message=>"Adding pattern", "NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.856000+0000", :message=>"Adding pattern", "NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.857000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.858000+0000", :message=>"Adding pattern", "NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.860000+0000", :message=>"Adding pattern", "NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.861000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.862000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.863000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.864000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.864000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.865000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.866000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.866000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.867000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.868000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.869000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.869000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.870000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.871000+0000", :message=>"Adding pattern", "NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME}|%{NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.873000+0000", :message=>"Adding pattern", "MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.874000+0000", :message=>"Adding pattern", "BRO_HTTP"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{INT:trans_depth}\\t%{GREEDYDATA:method}\\t%{GREEDYDATA:domain}\\t%{GREEDYDATA:uri}\\t%{GREEDYDATA:referrer}\\t%{GREEDYDATA:user_agent}\\t%{NUMBER:request_body_len}\\t%{NUMBER:response_body_len}\\t%{GREEDYDATA:status_code}\\t%{GREEDYDATA:status_msg}\\t%{GREEDYDATA:info_code}\\t%{GREEDYDATA:info_msg}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:bro_tags}\\t%{GREEDYDATA:username}\\t%{GREEDYDATA:password}\\t%{GREEDYDATA:proxied}\\t%{GREEDYDATA:orig_fuids}\\t%{GREEDYDATA:orig_mime_types}\\t%{GREEDYDATA:resp_fuids}\\t%{GREEDYDATA:resp_mime_types}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.875000+0000", :message=>"Adding pattern", "BRO_DNS"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{INT:trans_id}\\t%{GREEDYDATA:query}\\t%{GREEDYDATA:qclass}\\t%{GREEDYDATA:qclass_name}\\t%{GREEDYDATA:qtype}\\t%{GREEDYDATA:qtype_name}\\t%{GREEDYDATA:rcode}\\t%{GREEDYDATA:rcode_name}\\t%{GREEDYDATA:AA}\\t%{GREEDYDATA:TC}\\t%{GREEDYDATA:RD}\\t%{GREEDYDATA:RA}\\t%{GREEDYDATA:Z}\\t%{GREEDYDATA:answers}\\t%{GREEDYDATA:TTLs}\\t%{GREEDYDATA:rejected}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.876000+0000", :message=>"Adding pattern", "BRO_CONN"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{GREEDYDATA:service}\\t%{NUMBER:duration}\\t%{NUMBER:orig_bytes}\\t%{NUMBER:resp_bytes}\\t%{GREEDYDATA:conn_state}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:missed_bytes}\\t%{GREEDYDATA:history}\\t%{GREEDYDATA:orig_pkts}\\t%{GREEDYDATA:orig_ip_bytes}\\t%{GREEDYDATA:resp_pkts}\\t%{GREEDYDATA:resp_ip_bytes}\\t%{GREEDYDATA:tunnel_parents}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.877000+0000", :message=>"Adding pattern", "BRO_FILES"=>"%{NUMBER:ts}\\t%{NOTSPACE:fuid}\\t%{IP:tx_hosts}\\t%{IP:rx_hosts}\\t%{NOTSPACE:conn_uids}\\t%{GREEDYDATA:source}\\t%{GREEDYDATA:depth}\\t%{GREEDYDATA:analyzers}\\t%{GREEDYDATA:mime_type}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:duration}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:is_orig}\\t%{GREEDYDATA:seen_bytes}\\t%{GREEDYDATA:total_bytes}\\t%{GREEDYDATA:missing_bytes}\\t%{GREEDYDATA:overflow_bytes}\\t%{GREEDYDATA:timedout}\\t%{GREEDYDATA:parent_fuid}\\t%{GREEDYDATA:md5}\\t%{GREEDYDATA:sha1}\\t%{GREEDYDATA:sha256}\\t%{GREEDYDATA:extracted}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.878000+0000", :message=>"Adding pattern", "HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.878000+0000", :message=>"Adding pattern", "HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.879000+0000", :message=>"Adding pattern", "HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.879000+0000", :message=>"Adding pattern", "HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.880000+0000", :message=>"Adding pattern", "HAPROXYHTTPBASE"=>"%{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.881000+0000", :message=>"Adding pattern", "HAPROXYHTTP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.881000+0000", :message=>"Adding pattern", "HAPROXYTCP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.882000+0000", :message=>"Adding pattern", "BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.882000+0000", :message=>"Adding pattern", "BACULA_HOST"=>"[a-zA-Z0-9-]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.883000+0000", :message=>"Adding pattern", "BACULA_VOLUME"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.883000+0000", :message=>"Adding pattern", "BACULA_DEVICE"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.884000+0000", :message=>"Adding pattern", "BACULA_DEVICEPATH"=>"%{UNIXPATH}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.885000+0000", :message=>"Adding pattern", "BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.885000+0000", :message=>"Adding pattern", "BACULA_VERSION"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.886000+0000", :message=>"Adding pattern", "BACULA_JOB"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.886000+0000", :message=>"Adding pattern", "BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.886000+0000", :message=>"Adding pattern", "BACULA_LOG_END_VOLUME"=>"End of medium on Volume \\\"%{BACULA_VOLUME:volume}\\\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.887000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_VOLUME"=>"Created new Volume \\\"%{BACULA_VOLUME:volume}\\\" in catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.887000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\).", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.888000+0000", :message=>"Adding pattern", "BACULA_LOG_WROTE_LABEL"=>"Wrote label to prelabeled Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.888000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_MOUNT"=>"New volume \\\"%{BACULA_VOLUME:volume}\\\" mounted on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\) at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.889000+0000", :message=>"Adding pattern", "BACULA_LOG_NOOPEN"=>"\\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.889000+0000", :message=>"Adding pattern", "BACULA_LOG_NOOPENDIR"=>"\\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.889000+0000", :message=>"Adding pattern", "BACULA_LOG_NOSTAT"=>"\\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.890000+0000", :message=>"Adding pattern", "BACULA_LOG_NOJOBS"=>"There are no more Jobs associated with Volume \\\"%{BACULA_VOLUME:volume}\\\". Marking it purged.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.890000+0000", :message=>"Adding pattern", "BACULA_LOG_ALL_RECORDS_PRUNED"=>"All records pruned from Volume \\\"%{BACULA_VOLUME:volume}\\\"; marking it \\\"Purged\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.890000+0000", :message=>"Adding pattern", "BACULA_LOG_BEGIN_PRUNE_JOBS"=>"Begin pruning Jobs older than %{INT} month %{INT} days .", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.891000+0000", :message=>"Adding pattern", "BACULA_LOG_BEGIN_PRUNE_FILES"=>"Begin pruning Files.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.891000+0000", :message=>"Adding pattern", "BACULA_LOG_PRUNED_JOBS"=>"Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.891000+0000", :message=>"Adding pattern", "BACULA_LOG_PRUNED_FILES"=>"Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.892000+0000", :message=>"Adding pattern", "BACULA_LOG_ENDPRUNE"=>"End auto prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.892000+0000", :message=>"Adding pattern", "BACULA_LOG_STARTJOB"=>"Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.893000+0000", :message=>"Adding pattern", "BACULA_LOG_STARTRESTORE"=>"Start Restore Job %{BACULA_JOB:job}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.893000+0000", :message=>"Adding pattern", "BACULA_LOG_USEDEVICE"=>"Using Device \\\"%{BACULA_DEVICE:device}\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.893000+0000", :message=>"Adding pattern", "BACULA_LOG_DIFF_FS"=>"\\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.894000+0000", :message=>"Adding pattern", "BACULA_LOG_JOBEND"=>"Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.894000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRUNE_JOBS"=>"No Jobs found to prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.895000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRUNE_FILES"=>"No Files found to prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.895000+0000", :message=>"Adding pattern", "BACULA_LOG_VOLUME_PREVWRITTEN"=>"Volume \\\"%{BACULA_VOLUME:volume}\\\" previously written, moving to end of data.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.895000+0000", :message=>"Adding pattern", "BACULA_LOG_READYAPPEND"=>"Ready to append to end of Volume \\\"%{BACULA_VOLUME:volume}\\\" size=%{INT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.896000+0000", :message=>"Adding pattern", "BACULA_LOG_CANCELLING"=>"Cancelling duplicate JobId=%{INT}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.896000+0000", :message=>"Adding pattern", "BACULA_LOG_MARKCANCEL"=>"JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.897000+0000", :message=>"Adding pattern", "BACULA_LOG_CLIENT_RBJ"=>"shell command: run ClientRunBeforeJob \\\"%{GREEDYDATA:runjob}\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.897000+0000", :message=>"Adding pattern", "BACULA_LOG_VSS"=>"(Generate )?VSS (Writer)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.897000+0000", :message=>"Adding pattern", "BACULA_LOG_MAXSTART"=>"Fatal error: Job canceled because max start delay time exceeded.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.898000+0000", :message=>"Adding pattern", "BACULA_LOG_DUPLICATE"=>"Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.898000+0000", :message=>"Adding pattern", "BACULA_LOG_NOJOBSTAT"=>"Fatal error: No Job status returned from FD.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.898000+0000", :message=>"Adding pattern", "BACULA_LOG_FATAL_CONN"=>"Fatal error: bsock.c:133 Unable to connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.899000+0000", :message=>"Adding pattern", "BACULA_LOG_NO_CONNECT"=>"Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.899000+0000", :message=>"Adding pattern", "BACULA_LOG_NO_AUTH"=>"Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.900000+0000", :message=>"Adding pattern", "BACULA_LOG_NOSUIT"=>"No prior or suitable Full backup found in catalog. Doing FULL backup.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.900000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRIOR"=>"No prior Full backup Job record found.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.900000+0000", :message=>"Adding pattern", "BACULA_LOG_JOB"=>"(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \\(%{BACULA_VERSION}\\):", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.901000+0000", :message=>"Adding pattern", "BACULA_LOGLINE"=>"%{BACULA_TIMESTAMP:bts} %{BACULA_HOST:hostname} JobId %{INT:jobid}: (%{BACULA_LOG_MAX_CAPACITY}|%{BACULA_LOG_END_VOLUME}|%{BACULA_LOG_NEW_VOLUME}|%{BACULA_LOG_NEW_LABEL}|%{BACULA_LOG_WROTE_LABEL}|%{BACULA_LOG_NEW_MOUNT}|%{BACULA_LOG_NOOPEN}|%{BACULA_LOG_NOOPENDIR}|%{BACULA_LOG_NOSTAT}|%{BACULA_LOG_NOJOBS}|%{BACULA_LOG_ALL_RECORDS_PRUNED}|%{BACULA_LOG_BEGIN_PRUNE_JOBS}|%{BACULA_LOG_BEGIN_PRUNE_FILES}|%{BACULA_LOG_PRUNED_JOBS}|%{BACULA_LOG_PRUNED_FILES}|%{BACULA_LOG_ENDPRUNE}|%{BACULA_LOG_STARTJOB}|%{BACULA_LOG_STARTRESTORE}|%{BACULA_LOG_USEDEVICE}|%{BACULA_LOG_DIFF_FS}|%{BACULA_LOG_JOBEND}|%{BACULA_LOG_NOPRUNE_JOBS}|%{BACULA_LOG_NOPRUNE_FILES}|%{BACULA_LOG_VOLUME_PREVWRITTEN}|%{BACULA_LOG_READYAPPEND}|%{BACULA_LOG_CANCELLING}|%{BACULA_LOG_MARKCANCEL}|%{BACULA_LOG_CLIENT_RBJ}|%{BACULA_LOG_VSS}|%{BACULA_LOG_MAXSTART}|%{BACULA_LOG_DUPLICATE}|%{BACULA_LOG_NOJOBSTAT}|%{BACULA_LOG_FATAL_CONN}|%{BACULA_LOG_NO_CONNECT}|%{BACULA_LOG_NO_AUTH}|%{BACULA_LOG_NOSUIT}|%{BACULA_LOG_JOB}|%{BACULA_LOG_NOPRIOR})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.902000+0000", :message=>"Adding pattern", "POSTGRESQL"=>"%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.903000+0000", :message=>"Adding pattern", "MONGO_LOG"=>"%{SYSLOGTIMESTAMP:timestamp} \\[%{WORD:component}\\] %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.903000+0000", :message=>"Adding pattern", "MONGO_QUERY"=>"\\{ (?<={ ).*(?= } ntoreturn:) \\}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.903000+0000", :message=>"Adding pattern", "MONGO_SLOWQUERY"=>"%{WORD} %{MONGO_WORDDASH:database}\\.%{MONGO_WORDDASH:collection} %{WORD}: %{MONGO_QUERY:query} %{WORD}:%{NONNEGINT:ntoreturn} %{WORD}:%{NONNEGINT:ntoskip} %{WORD}:%{NONNEGINT:nscanned}.*nreturned:%{NONNEGINT:nreturned}..+ (?<duration>[0-9]+)ms", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.904000+0000", :message=>"Adding pattern", "MONGO_WORDDASH"=>"\\b[\\w-]+\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.904000+0000", :message=>"Adding pattern", "MONGO3_SEVERITY"=>"\\w", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.905000+0000", :message=>"Adding pattern", "MONGO3_COMPONENT"=>"%{WORD}|-", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.905000+0000", :message=>"Adding pattern", "MONGO3_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\\[%{DATA:context}\\])? %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.906000+0000", :message=>"Adding pattern", "MCOLLECTIVE"=>"., \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\]%{SPACE}%{LOGLEVEL:event_level}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.908000+0000", :message=>"Adding pattern", "MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.909000+0000", :message=>"Adding pattern", "RT_FLOW_EVENT"=>"(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.910000+0000", :message=>"Adding pattern", "RT_FLOW1"=>"%{RT_FLOW_EVENT:event}: %{GREEDYDATA:close-reason}: %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} \\d+\\(%{DATA:sent}\\) \\d+\\(%{DATA:received}\\) %{INT:elapsed-time} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.911000+0000", :message=>"Adding pattern", "RT_FLOW2"=>"%{RT_FLOW_EVENT:event}: session created %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.911000+0000", :message=>"Adding pattern", "RT_FLOW3"=>"%{RT_FLOW_EVENT:event}: session denied %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{INT:protocol-id}\\(\\d\\) %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.912000+0000", :message=>"Adding pattern", "RUUID"=>"\\h{32}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.913000+0000", :message=>"Adding pattern", "RCONTROLLER"=>"(?<controller>[^#]+)#(?<action>\\w+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.914000+0000", :message=>"Adding pattern", "RAILS3HEAD"=>"(?m)Started %{WORD:verb} \"%{URIPATHPARAM:request}\" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.914000+0000", :message=>"Adding pattern", "RPROCESSING"=>"\\W*Processing by %{RCONTROLLER} as (?<format>\\S+)(?:\\W*Parameters: {%{DATA:params}}\\W*)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.915000+0000", :message=>"Adding pattern", "RAILS3FOOT"=>"Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.915000+0000", :message=>"Adding pattern", "RAILS3PROFILE"=>"(?:\\(Views: %{NUMBER:viewms}ms \\| ActiveRecord: %{NUMBER:activerecordms}ms|\\(ActiveRecord: %{NUMBER:activerecordms}ms)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.916000+0000", :message=>"Adding pattern", "RAILS3"=>"%{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\\n)*)(?:%{RAILS3FOOT})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.916000+0000", :message=>"Adding pattern", "EXIM_MSGID"=>"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.917000+0000", :message=>"Adding pattern", "EXIM_FLAGS"=>"(<=|[-=>*]>|[*]{2}|==)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.917000+0000", :message=>"Adding pattern", "EXIM_DATE"=>"%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.918000+0000", :message=>"Adding pattern", "EXIM_PID"=>"\\[%{POSINT}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.918000+0000", :message=>"Adding pattern", "EXIM_QT"=>"((\\d+y)?(\\d+w)?(\\d+d)?(\\d+h)?(\\d+m)?(\\d+s)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.919000+0000", :message=>"Adding pattern", "EXIM_EXCLUDE_TERMS"=>"(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.919000+0000", :message=>"Adding pattern", "EXIM_REMOTE_HOST"=>"(H=(%{NOTSPACE:remote_hostname} )?(\\(%{NOTSPACE:remote_heloname}\\) )?\\[%{IP:remote_host}\\])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.920000+0000", :message=>"Adding pattern", "EXIM_INTERFACE"=>"(I=\\[%{IP:exim_interface}\\](:%{NUMBER:exim_interface_port}))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.920000+0000", :message=>"Adding pattern", "EXIM_PROTOCOL"=>"(P=%{NOTSPACE:protocol})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.921000+0000", :message=>"Adding pattern", "EXIM_MSG_SIZE"=>"(S=%{NUMBER:exim_msg_size})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.921000+0000", :message=>"Adding pattern", "EXIM_HEADER_ID"=>"(id=%{NOTSPACE:exim_header_id})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.922000+0000", :message=>"Adding pattern", "EXIM_SUBJECT"=>"(T=%{QS:exim_subject})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.922000+0000", :message=>"Adding pattern", "JAVACLASS"=>"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\\.)*[a-zA-Z$_][a-zA-Z$_0-9]*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.923000+0000", :message=>"Adding pattern", "JAVAFILE"=>"(?:[A-Za-z0-9_. -]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.924000+0000", :message=>"Adding pattern", "JAVAMETHOD"=>"(?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.924000+0000", :message=>"Adding pattern", "JAVASTACKTRACEPART"=>"%{SPACE}at %{JAVACLASS:class}\\.%{JAVAMETHOD:method}\\(%{JAVAFILE:file}(?::%{NUMBER:line})?\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.925000+0000", :message=>"Adding pattern", "JAVATHREAD"=>"(?:[A-Z]{2}-Processor[\\d]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.925000+0000", :message=>"Adding pattern", "JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9$]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.926000+0000", :message=>"Adding pattern", "JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.926000+0000", :message=>"Adding pattern", "JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.927000+0000", :message=>"Adding pattern", "JAVALOGMESSAGE"=>"(.*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.927000+0000", :message=>"Adding pattern", "CATALINA_DATESTAMP"=>"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.928000+0000", :message=>"Adding pattern", "TOMCAT_DATESTAMP"=>"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.929000+0000", :message=>"Adding pattern", "CATALINALOG"=>"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.929000+0000", :message=>"Adding pattern", "TOMCATLOG"=>"%{TOMCAT_DATESTAMP:timestamp} \\| %{LOGLEVEL:level} \\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.930000+0000", :message=>"Adding pattern", "REDISTIMESTAMP"=>"%{MONTHDAY} %{MONTH} %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.931000+0000", :message=>"Adding pattern", "REDISLOG"=>"\\[%{POSINT:pid}\\] %{REDISTIMESTAMP:timestamp} \\* ", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.932000+0000", :message=>"Adding pattern", "S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.933000+0000", :message=>"Adding pattern", "S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \\[%{HTTPDATE:timestamp}\\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:\"%{S3_REQUEST_LINE}\"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:\"?%{QS:agent}\"?|-) (?:-|%{NOTSPACE:version_id})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.934000+0000", :message=>"Adding pattern", "ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.936000+0000", :message=>"Adding pattern", "ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.937000+0000", :message=>"Adding pattern", "ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.938000+0000", :message=>"Adding pattern", "ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} \"%{ELB_REQUEST_LINE}\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.939000+0000", :message=>"Adding pattern", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.941000+0000", :message=>"Adding pattern", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.942000+0000", :message=>"Adding pattern", "USERNAME"=>"[a-zA-Z0-9._-]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.943000+0000", :message=>"Adding pattern", "USER"=>"%{USERNAME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.944000+0000", :message=>"Adding pattern", "EMAILLOCALPART"=>"[a-zA-Z][a-zA-Z0-9_.+-=:]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.945000+0000", :message=>"Adding pattern", "EMAILADDRESS"=>"%{EMAILLOCALPART}@%{HOSTNAME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.945000+0000", :message=>"Adding pattern", "HTTPDUSER"=>"%{EMAILADDRESS}|%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.946000+0000", :message=>"Adding pattern", "INT"=>"(?:[+-]?(?:[0-9]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.947000+0000", :message=>"Adding pattern", "BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.947000+0000", :message=>"Adding pattern", "NUMBER"=>"(?:%{BASE10NUM})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.948000+0000", :message=>"Adding pattern", "BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.949000+0000", :message=>"Adding pattern", "BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.950000+0000", :message=>"Adding pattern", "POSINT"=>"\\b(?:[1-9][0-9]*)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.950000+0000", :message=>"Adding pattern", "NONNEGINT"=>"\\b(?:[0-9]+)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.951000+0000", :message=>"Adding pattern", "WORD"=>"\\b\\w+\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.951000+0000", :message=>"Adding pattern", "NOTSPACE"=>"\\S+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.952000+0000", :message=>"Adding pattern", "SPACE"=>"\\s*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.953000+0000", :message=>"Adding pattern", "DATA"=>".*?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.953000+0000", :message=>"Adding pattern", "GREEDYDATA"=>".*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.954000+0000", :message=>"Adding pattern", "QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.954000+0000", :message=>"Adding pattern", "UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.955000+0000", :message=>"Adding pattern", "MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.955000+0000", :message=>"Adding pattern", "CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.956000+0000", :message=>"Adding pattern", "WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.956000+0000", :message=>"Adding pattern", "COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.957000+0000", :message=>"Adding pattern", "IPV6"=>"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.957000+0000", :message=>"Adding pattern", "IPV4"=>"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.957000+0000", :message=>"Adding pattern", "IP"=>"(?:%{IPV6}|%{IPV4})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.958000+0000", :message=>"Adding pattern", "HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.958000+0000", :message=>"Adding pattern", "IPORHOST"=>"(?:%{IP}|%{HOSTNAME})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.958000+0000", :message=>"Adding pattern", "HOSTPORT"=>"%{IPORHOST}:%{POSINT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.959000+0000", :message=>"Adding pattern", "PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.959000+0000", :message=>"Adding pattern", "UNIXPATH"=>"(/([\\w_%!$@:.,~-]+|\\\\.)*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.959000+0000", :message=>"Adding pattern", "TTY"=>"(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.959000+0000", :message=>"Adding pattern", "WINPATH"=>"(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.960000+0000", :message=>"Adding pattern", "URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.960000+0000", :message=>"Adding pattern", "URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.960000+0000", :message=>"Adding pattern", "URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\\-]*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.961000+0000", :message=>"Adding pattern", "URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.961000+0000", :message=>"Adding pattern", "URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.961000+0000", :message=>"Adding pattern", "URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.962000+0000", :message=>"Adding pattern", "MONTH"=>"\\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.962000+0000", :message=>"Adding pattern", "MONTHNUM"=>"(?:0?[1-9]|1[0-2])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.963000+0000", :message=>"Adding pattern", "MONTHNUM2"=>"(?:0[1-9]|1[0-2])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.963000+0000", :message=>"Adding pattern", "MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.963000+0000", :message=>"Adding pattern", "DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.968000+0000", :message=>"Adding pattern", "YEAR"=>"(?>\\d\\d){1,2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.968000+0000", :message=>"Adding pattern", "HOUR"=>"(?:2[0123]|[01]?[0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.969000+0000", :message=>"Adding pattern", "MINUTE"=>"(?:[0-5][0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.969000+0000", :message=>"Adding pattern", "SECOND"=>"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.970000+0000", :message=>"Adding pattern", "TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.970000+0000", :message=>"Adding pattern", "DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.970000+0000", :message=>"Adding pattern", "DATE_EU"=>"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.971000+0000", :message=>"Adding pattern", "ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.971000+0000", :message=>"Adding pattern", "ISO8601_SECOND"=>"(?:%{SECOND}|60)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.971000+0000", :message=>"Adding pattern", "TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.972000+0000", :message=>"Adding pattern", "DATE"=>"%{DATE_US}|%{DATE_EU}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.973000+0000", :message=>"Adding pattern", "DATESTAMP"=>"%{DATE}[- ]%{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.973000+0000", :message=>"Adding pattern", "TZ"=>"(?:[PMCE][SD]T|UTC)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.974000+0000", :message=>"Adding pattern", "DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.974000+0000", :message=>"Adding pattern", "DATESTAMP_RFC2822"=>"%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.974000+0000", :message=>"Adding pattern", "DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.975000+0000", :message=>"Adding pattern", "DATESTAMP_EVENTLOG"=>"%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.975000+0000", :message=>"Adding pattern", "HTTPDERROR_DATE"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.976000+0000", :message=>"Adding pattern", "SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.976000+0000", :message=>"Adding pattern", "PROG"=>"[\\x21-\\x5a\\x5c\\x5e-\\x7e]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.976000+0000", :message=>"Adding pattern", "SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.977000+0000", :message=>"Adding pattern", "SYSLOGHOST"=>"%{IPORHOST}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.977000+0000", :message=>"Adding pattern", "SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.978000+0000", :message=>"Adding pattern", "HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.978000+0000", :message=>"Adding pattern", "QS"=>"%{QUOTEDSTRING}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.978000+0000", :message=>"Adding pattern", "SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.979000+0000", :message=>"Adding pattern", "COMMONAPACHELOG"=>"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.979000+0000", :message=>"Adding pattern", "COMBINEDAPACHELOG"=>"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.980000+0000", :message=>"Adding pattern", "HTTPD20_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.980000+0000", :message=>"Adding pattern", "HTTPD24_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.981000+0000", :message=>"Adding pattern", "HTTPD_ERRORLOG"=>"%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.981000+0000", :message=>"Adding pattern", "LOGLEVEL"=>"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.983000+0000", :message=>"Grok compile", :field=>"overwrite", :patterns=>["message"], :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.985000+0000", :message=>"Adding pattern", "NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.986000+0000", :message=>"Adding pattern", "CISCO_TAGGED_SYSLOG"=>"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.986000+0000", :message=>"Adding pattern", "CISCOTIMESTAMP"=>"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.987000+0000", :message=>"Adding pattern", "CISCOTAG"=>"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.987000+0000", :message=>"Adding pattern", "CISCO_ACTION"=>"Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.988000+0000", :message=>"Adding pattern", "CISCO_REASON"=>"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\\s*)*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.989000+0000", :message=>"Adding pattern", "CISCO_DIRECTION"=>"Inbound|inbound|Outbound|outbound", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.990000+0000", :message=>"Adding pattern", "CISCO_INTERVAL"=>"first hit|%{INT}-second interval", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.990000+0000", :message=>"Adding pattern", "CISCO_XLATE_TYPE"=>"static|dynamic", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.991000+0000", :message=>"Adding pattern", "CISCOFW104001"=>"\\((?:Primary|Secondary)\\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.991000+0000", :message=>"Adding pattern", "CISCOFW104002"=>"\\((?:Primary|Secondary)\\) Switching to STANDBY - %{GREEDYDATA:switch_reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.992000+0000", :message=>"Adding pattern", "CISCOFW104003"=>"\\((?:Primary|Secondary)\\) Switching to FAILED\\.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.993000+0000", :message=>"Adding pattern", "CISCOFW104004"=>"\\((?:Primary|Secondary)\\) Switching to OK\\.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.993000+0000", :message=>"Adding pattern", "CISCOFW105003"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.994000+0000", :message=>"Adding pattern", "CISCOFW105004"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.994000+0000", :message=>"Adding pattern", "CISCOFW105005"=>"\\((?:Primary|Secondary)\\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.995000+0000", :message=>"Adding pattern", "CISCOFW105008"=>"\\((?:Primary|Secondary)\\) Testing [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.995000+0000", :message=>"Adding pattern", "CISCOFW105009"=>"\\((?:Primary|Secondary)\\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.996000+0000", :message=>"Adding pattern", "CISCOFW106001"=>"%{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.997000+0000", :message=>"Adding pattern", "CISCOFW106006_106007_106010"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\\(%{DATA:src_fwuser}\\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\\(%{DATA:dst_fwuser}\\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.998000+0000", :message=>"Adding pattern", "CISCOFW106014"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\\(%{DATA:dst_fwuser}\\))? \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:26.999000+0000", :message=>"Adding pattern", "CISCOFW106015"=>"%{CISCO_ACTION:action} %{WORD:protocol} \\(%{DATA:policy_id}\\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.000000+0000", :message=>"Adding pattern", "CISCOFW106021"=>"%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.000000+0000", :message=>"Adding pattern", "CISCOFW106023"=>"%{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\\(%{DATA:dst_fwuser}\\))?( \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\))? by access-group \"?%{DATA:policy_id}\"? \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.001000+0000", :message=>"Adding pattern", "CISCOFW106100_2_3"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\) -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.002000+0000", :message=>"Adding pattern", "CISCOFW106100"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\)(\\(%{DATA:src_fwuser}\\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\)(\\(%{DATA:src_fwuser}\\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.003000+0000", :message=>"Adding pattern", "CISCOFW110002"=>"%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.003000+0000", :message=>"Adding pattern", "CISCOFW302010"=>"%{INT:connection_count} in use, %{INT:connection_count_max} most used", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.004000+0000", :message=>"Adding pattern", "CISCOFW302013_302014_302015_302016"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\\))?(\\(%{DATA:src_fwuser}\\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\\))?(\\(%{DATA:dst_fwuser}\\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \\(%{DATA:user}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.005000+0000", :message=>"Adding pattern", "CISCOFW302020_302021"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\\(%{DATA:fwuser}\\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \\(%{DATA:user}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.006000+0000", :message=>"Adding pattern", "CISCOFW305011"=>"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.006000+0000", :message=>"Adding pattern", "CISCOFW313001_313004_313008"=>"%{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.007000+0000", :message=>"Adding pattern", "CISCOFW313005"=>"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\\(%{DATA:err_src_fwuser}\\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\\(%{DATA:err_dst_fwuser}\\))? \\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\\) on %{DATA:interface} interface\\. Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\\(%{DATA:orig_src_fwuser}\\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\\(%{DATA:orig_dst_fwuser}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.007000+0000", :message=>"Adding pattern", "CISCOFW321001"=>"Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.008000+0000", :message=>"Adding pattern", "CISCOFW402117"=>"%{WORD:protocol}: Received a non-IPSec packet \\(protocol= %{WORD:orig_protocol}\\) from %{IP:src_ip} to %{IP:dst_ip}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.008000+0000", :message=>"Adding pattern", "CISCOFW402119"=>"%{WORD:protocol}: Received an %{WORD:orig_protocol} packet \\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\\) from %{IP:src_ip} \\(user= %{DATA:user}\\) to %{IP:dst_ip} that failed anti-replay checking", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.009000+0000", :message=>"Adding pattern", "CISCOFW419001"=>"%{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.009000+0000", :message=>"Adding pattern", "CISCOFW419002"=>"%{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.010000+0000", :message=>"Adding pattern", "CISCOFW500004"=>"%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.010000+0000", :message=>"Adding pattern", "CISCOFW602303_602304"=>"%{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \\(SPI= %{DATA:spi}\\) between %{IP:src_ip} and %{IP:dst_ip} \\(user= %{DATA:user}\\) has been %{CISCO_ACTION:action}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.011000+0000", :message=>"Adding pattern", "CISCOFW710001_710002_710003_710005_710006"=>"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.011000+0000", :message=>"Adding pattern", "CISCOFW713172"=>"Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\\s+Remote end\\s*%{DATA:is_remote_natted}\\s*behind a NAT device\\s+This\\s+end\\s*%{DATA:is_local_natted}\\s*behind a NAT device", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.012000+0000", :message=>"Adding pattern", "CISCOFW733100"=>"\\[\\s*%{DATA:drop_type}\\s*\\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.012000+0000", :message=>"Adding pattern", "SHOREWALL"=>"(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.013000+0000", :message=>"Adding pattern", "SYSLOG5424PRINTASCII"=>"[!-~]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.014000+0000", :message=>"Adding pattern", "SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.014000+0000", :message=>"Adding pattern", "SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.015000+0000", :message=>"Adding pattern", "CRON_ACTION"=>"[A-Z ]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.015000+0000", :message=>"Adding pattern", "CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.016000+0000", :message=>"Adding pattern", "SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.016000+0000", :message=>"Adding pattern", "SYSLOG5424PRI"=>"<%{NONNEGINT:syslog5424_pri}>", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.017000+0000", :message=>"Adding pattern", "SYSLOG5424SD"=>"\\[%{DATA}\\]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.017000+0000", :message=>"Adding pattern", "SYSLOG5424BASE"=>"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.018000+0000", :message=>"Adding pattern", "SYSLOG5424LINE"=>"%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.018000+0000", :message=>"Adding pattern", "NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.019000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.020000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.020000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.021000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.021000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.022000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.022000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.023000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.023000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.024000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.024000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.024000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.025000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.025000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.026000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.026000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.027000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.027000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.028000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.028000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.029000+0000", :message=>"Adding pattern", "NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.029000+0000", :message=>"Adding pattern", "NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.030000+0000", :message=>"Adding pattern", "NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.030000+0000", :message=>"Adding pattern", "NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.031000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS"=>"DISABLE_HOST_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.031000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS"=>"ENABLE_HOST_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.032000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS"=>"DISABLE_HOST_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.032000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS"=>"ENABLE_HOST_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.032000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS"=>"DISABLE_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.033000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS"=>"ENABLE_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.033000+0000", :message=>"Adding pattern", "NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.034000+0000", :message=>"Adding pattern", "NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.034000+0000", :message=>"Adding pattern", "NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.035000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.035000+0000", :message=>"Adding pattern", "NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.036000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.036000+0000", :message=>"Adding pattern", "NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.037000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.037000+0000", :message=>"Adding pattern", "NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.038000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.038000+0000", :message=>"Adding pattern", "NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.039000+0000", :message=>"Adding pattern", "NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.039000+0000", :message=>"Adding pattern", "NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.040000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.040000+0000", :message=>"Adding pattern", "NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.041000+0000", :message=>"Adding pattern", "NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.042000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.042000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.043000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.043000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.044000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.044000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.045000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.045000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.046000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.047000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.047000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.048000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.049000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.049000+0000", :message=>"Adding pattern", "NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME}|%{NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.050000+0000", :message=>"Adding pattern", "MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.051000+0000", :message=>"Adding pattern", "BRO_HTTP"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{INT:trans_depth}\\t%{GREEDYDATA:method}\\t%{GREEDYDATA:domain}\\t%{GREEDYDATA:uri}\\t%{GREEDYDATA:referrer}\\t%{GREEDYDATA:user_agent}\\t%{NUMBER:request_body_len}\\t%{NUMBER:response_body_len}\\t%{GREEDYDATA:status_code}\\t%{GREEDYDATA:status_msg}\\t%{GREEDYDATA:info_code}\\t%{GREEDYDATA:info_msg}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:bro_tags}\\t%{GREEDYDATA:username}\\t%{GREEDYDATA:password}\\t%{GREEDYDATA:proxied}\\t%{GREEDYDATA:orig_fuids}\\t%{GREEDYDATA:orig_mime_types}\\t%{GREEDYDATA:resp_fuids}\\t%{GREEDYDATA:resp_mime_types}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.052000+0000", :message=>"Adding pattern", "BRO_DNS"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{INT:trans_id}\\t%{GREEDYDATA:query}\\t%{GREEDYDATA:qclass}\\t%{GREEDYDATA:qclass_name}\\t%{GREEDYDATA:qtype}\\t%{GREEDYDATA:qtype_name}\\t%{GREEDYDATA:rcode}\\t%{GREEDYDATA:rcode_name}\\t%{GREEDYDATA:AA}\\t%{GREEDYDATA:TC}\\t%{GREEDYDATA:RD}\\t%{GREEDYDATA:RA}\\t%{GREEDYDATA:Z}\\t%{GREEDYDATA:answers}\\t%{GREEDYDATA:TTLs}\\t%{GREEDYDATA:rejected}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.053000+0000", :message=>"Adding pattern", "BRO_CONN"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{GREEDYDATA:service}\\t%{NUMBER:duration}\\t%{NUMBER:orig_bytes}\\t%{NUMBER:resp_bytes}\\t%{GREEDYDATA:conn_state}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:missed_bytes}\\t%{GREEDYDATA:history}\\t%{GREEDYDATA:orig_pkts}\\t%{GREEDYDATA:orig_ip_bytes}\\t%{GREEDYDATA:resp_pkts}\\t%{GREEDYDATA:resp_ip_bytes}\\t%{GREEDYDATA:tunnel_parents}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.053000+0000", :message=>"Adding pattern", "BRO_FILES"=>"%{NUMBER:ts}\\t%{NOTSPACE:fuid}\\t%{IP:tx_hosts}\\t%{IP:rx_hosts}\\t%{NOTSPACE:conn_uids}\\t%{GREEDYDATA:source}\\t%{GREEDYDATA:depth}\\t%{GREEDYDATA:analyzers}\\t%{GREEDYDATA:mime_type}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:duration}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:is_orig}\\t%{GREEDYDATA:seen_bytes}\\t%{GREEDYDATA:total_bytes}\\t%{GREEDYDATA:missing_bytes}\\t%{GREEDYDATA:overflow_bytes}\\t%{GREEDYDATA:timedout}\\t%{GREEDYDATA:parent_fuid}\\t%{GREEDYDATA:md5}\\t%{GREEDYDATA:sha1}\\t%{GREEDYDATA:sha256}\\t%{GREEDYDATA:extracted}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.054000+0000", :message=>"Adding pattern", "HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.055000+0000", :message=>"Adding pattern", "HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.055000+0000", :message=>"Adding pattern", "HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.056000+0000", :message=>"Adding pattern", "HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.057000+0000", :message=>"Adding pattern", "HAPROXYHTTPBASE"=>"%{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.057000+0000", :message=>"Adding pattern", "HAPROXYHTTP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.058000+0000", :message=>"Adding pattern", "HAPROXYTCP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.059000+0000", :message=>"Adding pattern", "BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.060000+0000", :message=>"Adding pattern", "BACULA_HOST"=>"[a-zA-Z0-9-]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.060000+0000", :message=>"Adding pattern", "BACULA_VOLUME"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.061000+0000", :message=>"Adding pattern", "BACULA_DEVICE"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.061000+0000", :message=>"Adding pattern", "BACULA_DEVICEPATH"=>"%{UNIXPATH}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.062000+0000", :message=>"Adding pattern", "BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.062000+0000", :message=>"Adding pattern", "BACULA_VERSION"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.062000+0000", :message=>"Adding pattern", "BACULA_JOB"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.063000+0000", :message=>"Adding pattern", "BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.063000+0000", :message=>"Adding pattern", "BACULA_LOG_END_VOLUME"=>"End of medium on Volume \\\"%{BACULA_VOLUME:volume}\\\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.064000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_VOLUME"=>"Created new Volume \\\"%{BACULA_VOLUME:volume}\\\" in catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.064000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\).", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.065000+0000", :message=>"Adding pattern", "BACULA_LOG_WROTE_LABEL"=>"Wrote label to prelabeled Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.065000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_MOUNT"=>"New volume \\\"%{BACULA_VOLUME:volume}\\\" mounted on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\) at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.066000+0000", :message=>"Adding pattern", "BACULA_LOG_NOOPEN"=>"\\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.066000+0000", :message=>"Adding pattern", "BACULA_LOG_NOOPENDIR"=>"\\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.067000+0000", :message=>"Adding pattern", "BACULA_LOG_NOSTAT"=>"\\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.067000+0000", :message=>"Adding pattern", "BACULA_LOG_NOJOBS"=>"There are no more Jobs associated with Volume \\\"%{BACULA_VOLUME:volume}\\\". Marking it purged.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.068000+0000", :message=>"Adding pattern", "BACULA_LOG_ALL_RECORDS_PRUNED"=>"All records pruned from Volume \\\"%{BACULA_VOLUME:volume}\\\"; marking it \\\"Purged\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.068000+0000", :message=>"Adding pattern", "BACULA_LOG_BEGIN_PRUNE_JOBS"=>"Begin pruning Jobs older than %{INT} month %{INT} days .", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.069000+0000", :message=>"Adding pattern", "BACULA_LOG_BEGIN_PRUNE_FILES"=>"Begin pruning Files.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.069000+0000", :message=>"Adding pattern", "BACULA_LOG_PRUNED_JOBS"=>"Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.069000+0000", :message=>"Adding pattern", "BACULA_LOG_PRUNED_FILES"=>"Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.070000+0000", :message=>"Adding pattern", "BACULA_LOG_ENDPRUNE"=>"End auto prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.070000+0000", :message=>"Adding pattern", "BACULA_LOG_STARTJOB"=>"Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.071000+0000", :message=>"Adding pattern", "BACULA_LOG_STARTRESTORE"=>"Start Restore Job %{BACULA_JOB:job}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.071000+0000", :message=>"Adding pattern", "BACULA_LOG_USEDEVICE"=>"Using Device \\\"%{BACULA_DEVICE:device}\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.072000+0000", :message=>"Adding pattern", "BACULA_LOG_DIFF_FS"=>"\\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.072000+0000", :message=>"Adding pattern", "BACULA_LOG_JOBEND"=>"Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.072000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRUNE_JOBS"=>"No Jobs found to prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.073000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRUNE_FILES"=>"No Files found to prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.073000+0000", :message=>"Adding pattern", "BACULA_LOG_VOLUME_PREVWRITTEN"=>"Volume \\\"%{BACULA_VOLUME:volume}\\\" previously written, moving to end of data.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.074000+0000", :message=>"Adding pattern", "BACULA_LOG_READYAPPEND"=>"Ready to append to end of Volume \\\"%{BACULA_VOLUME:volume}\\\" size=%{INT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.074000+0000", :message=>"Adding pattern", "BACULA_LOG_CANCELLING"=>"Cancelling duplicate JobId=%{INT}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.074000+0000", :message=>"Adding pattern", "BACULA_LOG_MARKCANCEL"=>"JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.075000+0000", :message=>"Adding pattern", "BACULA_LOG_CLIENT_RBJ"=>"shell command: run ClientRunBeforeJob \\\"%{GREEDYDATA:runjob}\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.075000+0000", :message=>"Adding pattern", "BACULA_LOG_VSS"=>"(Generate )?VSS (Writer)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.076000+0000", :message=>"Adding pattern", "BACULA_LOG_MAXSTART"=>"Fatal error: Job canceled because max start delay time exceeded.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.076000+0000", :message=>"Adding pattern", "BACULA_LOG_DUPLICATE"=>"Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.077000+0000", :message=>"Adding pattern", "BACULA_LOG_NOJOBSTAT"=>"Fatal error: No Job status returned from FD.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.077000+0000", :message=>"Adding pattern", "BACULA_LOG_FATAL_CONN"=>"Fatal error: bsock.c:133 Unable to connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.077000+0000", :message=>"Adding pattern", "BACULA_LOG_NO_CONNECT"=>"Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.078000+0000", :message=>"Adding pattern", "BACULA_LOG_NO_AUTH"=>"Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.078000+0000", :message=>"Adding pattern", "BACULA_LOG_NOSUIT"=>"No prior or suitable Full backup found in catalog. Doing FULL backup.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.079000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRIOR"=>"No prior Full backup Job record found.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.079000+0000", :message=>"Adding pattern", "BACULA_LOG_JOB"=>"(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \\(%{BACULA_VERSION}\\):", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.080000+0000", :message=>"Adding pattern", "BACULA_LOGLINE"=>"%{BACULA_TIMESTAMP:bts} %{BACULA_HOST:hostname} JobId %{INT:jobid}: (%{BACULA_LOG_MAX_CAPACITY}|%{BACULA_LOG_END_VOLUME}|%{BACULA_LOG_NEW_VOLUME}|%{BACULA_LOG_NEW_LABEL}|%{BACULA_LOG_WROTE_LABEL}|%{BACULA_LOG_NEW_MOUNT}|%{BACULA_LOG_NOOPEN}|%{BACULA_LOG_NOOPENDIR}|%{BACULA_LOG_NOSTAT}|%{BACULA_LOG_NOJOBS}|%{BACULA_LOG_ALL_RECORDS_PRUNED}|%{BACULA_LOG_BEGIN_PRUNE_JOBS}|%{BACULA_LOG_BEGIN_PRUNE_FILES}|%{BACULA_LOG_PRUNED_JOBS}|%{BACULA_LOG_PRUNED_FILES}|%{BACULA_LOG_ENDPRUNE}|%{BACULA_LOG_STARTJOB}|%{BACULA_LOG_STARTRESTORE}|%{BACULA_LOG_USEDEVICE}|%{BACULA_LOG_DIFF_FS}|%{BACULA_LOG_JOBEND}|%{BACULA_LOG_NOPRUNE_JOBS}|%{BACULA_LOG_NOPRUNE_FILES}|%{BACULA_LOG_VOLUME_PREVWRITTEN}|%{BACULA_LOG_READYAPPEND}|%{BACULA_LOG_CANCELLING}|%{BACULA_LOG_MARKCANCEL}|%{BACULA_LOG_CLIENT_RBJ}|%{BACULA_LOG_VSS}|%{BACULA_LOG_MAXSTART}|%{BACULA_LOG_DUPLICATE}|%{BACULA_LOG_NOJOBSTAT}|%{BACULA_LOG_FATAL_CONN}|%{BACULA_LOG_NO_CONNECT}|%{BACULA_LOG_NO_AUTH}|%{BACULA_LOG_NOSUIT}|%{BACULA_LOG_JOB}|%{BACULA_LOG_NOPRIOR})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.081000+0000", :message=>"Adding pattern", "POSTGRESQL"=>"%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.081000+0000", :message=>"Adding pattern", "MONGO_LOG"=>"%{SYSLOGTIMESTAMP:timestamp} \\[%{WORD:component}\\] %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.082000+0000", :message=>"Adding pattern", "MONGO_QUERY"=>"\\{ (?<={ ).*(?= } ntoreturn:) \\}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.083000+0000", :message=>"Adding pattern", "MONGO_SLOWQUERY"=>"%{WORD} %{MONGO_WORDDASH:database}\\.%{MONGO_WORDDASH:collection} %{WORD}: %{MONGO_QUERY:query} %{WORD}:%{NONNEGINT:ntoreturn} %{WORD}:%{NONNEGINT:ntoskip} %{WORD}:%{NONNEGINT:nscanned}.*nreturned:%{NONNEGINT:nreturned}..+ (?<duration>[0-9]+)ms", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.083000+0000", :message=>"Adding pattern", "MONGO_WORDDASH"=>"\\b[\\w-]+\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.083000+0000", :message=>"Adding pattern", "MONGO3_SEVERITY"=>"\\w", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.084000+0000", :message=>"Adding pattern", "MONGO3_COMPONENT"=>"%{WORD}|-", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.084000+0000", :message=>"Adding pattern", "MONGO3_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\\[%{DATA:context}\\])? %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.085000+0000", :message=>"Adding pattern", "MCOLLECTIVE"=>"., \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\]%{SPACE}%{LOGLEVEL:event_level}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.086000+0000", :message=>"Adding pattern", "MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.087000+0000", :message=>"Adding pattern", "RT_FLOW_EVENT"=>"(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.087000+0000", :message=>"Adding pattern", "RT_FLOW1"=>"%{RT_FLOW_EVENT:event}: %{GREEDYDATA:close-reason}: %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} \\d+\\(%{DATA:sent}\\) \\d+\\(%{DATA:received}\\) %{INT:elapsed-time} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.088000+0000", :message=>"Adding pattern", "RT_FLOW2"=>"%{RT_FLOW_EVENT:event}: session created %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.088000+0000", :message=>"Adding pattern", "RT_FLOW3"=>"%{RT_FLOW_EVENT:event}: session denied %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{INT:protocol-id}\\(\\d\\) %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.089000+0000", :message=>"Adding pattern", "RUUID"=>"\\h{32}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.090000+0000", :message=>"Adding pattern", "RCONTROLLER"=>"(?<controller>[^#]+)#(?<action>\\w+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.091000+0000", :message=>"Adding pattern", "RAILS3HEAD"=>"(?m)Started %{WORD:verb} \"%{URIPATHPARAM:request}\" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.091000+0000", :message=>"Adding pattern", "RPROCESSING"=>"\\W*Processing by %{RCONTROLLER} as (?<format>\\S+)(?:\\W*Parameters: {%{DATA:params}}\\W*)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.092000+0000", :message=>"Adding pattern", "RAILS3FOOT"=>"Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.092000+0000", :message=>"Adding pattern", "RAILS3PROFILE"=>"(?:\\(Views: %{NUMBER:viewms}ms \\| ActiveRecord: %{NUMBER:activerecordms}ms|\\(ActiveRecord: %{NUMBER:activerecordms}ms)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.093000+0000", :message=>"Adding pattern", "RAILS3"=>"%{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\\n)*)(?:%{RAILS3FOOT})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.094000+0000", :message=>"Adding pattern", "EXIM_MSGID"=>"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.094000+0000", :message=>"Adding pattern", "EXIM_FLAGS"=>"(<=|[-=>*]>|[*]{2}|==)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.095000+0000", :message=>"Adding pattern", "EXIM_DATE"=>"%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.095000+0000", :message=>"Adding pattern", "EXIM_PID"=>"\\[%{POSINT}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.096000+0000", :message=>"Adding pattern", "EXIM_QT"=>"((\\d+y)?(\\d+w)?(\\d+d)?(\\d+h)?(\\d+m)?(\\d+s)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.096000+0000", :message=>"Adding pattern", "EXIM_EXCLUDE_TERMS"=>"(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.096000+0000", :message=>"Adding pattern", "EXIM_REMOTE_HOST"=>"(H=(%{NOTSPACE:remote_hostname} )?(\\(%{NOTSPACE:remote_heloname}\\) )?\\[%{IP:remote_host}\\])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.097000+0000", :message=>"Adding pattern", "EXIM_INTERFACE"=>"(I=\\[%{IP:exim_interface}\\](:%{NUMBER:exim_interface_port}))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.097000+0000", :message=>"Adding pattern", "EXIM_PROTOCOL"=>"(P=%{NOTSPACE:protocol})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.098000+0000", :message=>"Adding pattern", "EXIM_MSG_SIZE"=>"(S=%{NUMBER:exim_msg_size})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.098000+0000", :message=>"Adding pattern", "EXIM_HEADER_ID"=>"(id=%{NOTSPACE:exim_header_id})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.099000+0000", :message=>"Adding pattern", "EXIM_SUBJECT"=>"(T=%{QS:exim_subject})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.106000+0000", :message=>"Adding pattern", "JAVACLASS"=>"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\\.)*[a-zA-Z$_][a-zA-Z$_0-9]*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.107000+0000", :message=>"Adding pattern", "JAVAFILE"=>"(?:[A-Za-z0-9_. -]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.107000+0000", :message=>"Adding pattern", "JAVAMETHOD"=>"(?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.108000+0000", :message=>"Adding pattern", "JAVASTACKTRACEPART"=>"%{SPACE}at %{JAVACLASS:class}\\.%{JAVAMETHOD:method}\\(%{JAVAFILE:file}(?::%{NUMBER:line})?\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.108000+0000", :message=>"Adding pattern", "JAVATHREAD"=>"(?:[A-Z]{2}-Processor[\\d]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.109000+0000", :message=>"Adding pattern", "JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9$]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.110000+0000", :message=>"Adding pattern", "JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.110000+0000", :message=>"Adding pattern", "JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.111000+0000", :message=>"Adding pattern", "JAVALOGMESSAGE"=>"(.*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.111000+0000", :message=>"Adding pattern", "CATALINA_DATESTAMP"=>"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.112000+0000", :message=>"Adding pattern", "TOMCAT_DATESTAMP"=>"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.113000+0000", :message=>"Adding pattern", "CATALINALOG"=>"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.113000+0000", :message=>"Adding pattern", "TOMCATLOG"=>"%{TOMCAT_DATESTAMP:timestamp} \\| %{LOGLEVEL:level} \\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.114000+0000", :message=>"Adding pattern", "REDISTIMESTAMP"=>"%{MONTHDAY} %{MONTH} %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.115000+0000", :message=>"Adding pattern", "REDISLOG"=>"\\[%{POSINT:pid}\\] %{REDISTIMESTAMP:timestamp} \\* ", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.116000+0000", :message=>"Adding pattern", "S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.116000+0000", :message=>"Adding pattern", "S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \\[%{HTTPDATE:timestamp}\\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:\"%{S3_REQUEST_LINE}\"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:\"?%{QS:agent}\"?|-) (?:-|%{NOTSPACE:version_id})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.117000+0000", :message=>"Adding pattern", "ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.117000+0000", :message=>"Adding pattern", "ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.118000+0000", :message=>"Adding pattern", "ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.118000+0000", :message=>"Adding pattern", "ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} \"%{ELB_REQUEST_LINE}\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.119000+0000", :message=>"Adding pattern", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.120000+0000", :message=>"Adding pattern", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.121000+0000", :message=>"Adding pattern", "USERNAME"=>"[a-zA-Z0-9._-]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.121000+0000", :message=>"Adding pattern", "USER"=>"%{USERNAME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.122000+0000", :message=>"Adding pattern", "EMAILLOCALPART"=>"[a-zA-Z][a-zA-Z0-9_.+-=:]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.122000+0000", :message=>"Adding pattern", "EMAILADDRESS"=>"%{EMAILLOCALPART}@%{HOSTNAME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.123000+0000", :message=>"Adding pattern", "HTTPDUSER"=>"%{EMAILADDRESS}|%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.123000+0000", :message=>"Adding pattern", "INT"=>"(?:[+-]?(?:[0-9]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.123000+0000", :message=>"Adding pattern", "BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.124000+0000", :message=>"Adding pattern", "NUMBER"=>"(?:%{BASE10NUM})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.124000+0000", :message=>"Adding pattern", "BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.125000+0000", :message=>"Adding pattern", "BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.125000+0000", :message=>"Adding pattern", "POSINT"=>"\\b(?:[1-9][0-9]*)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.126000+0000", :message=>"Adding pattern", "NONNEGINT"=>"\\b(?:[0-9]+)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.126000+0000", :message=>"Adding pattern", "WORD"=>"\\b\\w+\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.126000+0000", :message=>"Adding pattern", "NOTSPACE"=>"\\S+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.127000+0000", :message=>"Adding pattern", "SPACE"=>"\\s*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.127000+0000", :message=>"Adding pattern", "DATA"=>".*?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.128000+0000", :message=>"Adding pattern", "GREEDYDATA"=>".*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.128000+0000", :message=>"Adding pattern", "QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.129000+0000", :message=>"Adding pattern", "UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.129000+0000", :message=>"Adding pattern", "MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.130000+0000", :message=>"Adding pattern", "CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.130000+0000", :message=>"Adding pattern", "WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.130000+0000", :message=>"Adding pattern", "COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.131000+0000", :message=>"Adding pattern", "IPV6"=>"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.132000+0000", :message=>"Adding pattern", "IPV4"=>"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.132000+0000", :message=>"Adding pattern", "IP"=>"(?:%{IPV6}|%{IPV4})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.132000+0000", :message=>"Adding pattern", "HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.133000+0000", :message=>"Adding pattern", "IPORHOST"=>"(?:%{IP}|%{HOSTNAME})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.133000+0000", :message=>"Adding pattern", "HOSTPORT"=>"%{IPORHOST}:%{POSINT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.134000+0000", :message=>"Adding pattern", "PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.134000+0000", :message=>"Adding pattern", "UNIXPATH"=>"(/([\\w_%!$@:.,~-]+|\\\\.)*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.135000+0000", :message=>"Adding pattern", "TTY"=>"(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.135000+0000", :message=>"Adding pattern", "WINPATH"=>"(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.135000+0000", :message=>"Adding pattern", "URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.136000+0000", :message=>"Adding pattern", "URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.136000+0000", :message=>"Adding pattern", "URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\\-]*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.137000+0000", :message=>"Adding pattern", "URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.137000+0000", :message=>"Adding pattern", "URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.138000+0000", :message=>"Adding pattern", "URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.138000+0000", :message=>"Adding pattern", "MONTH"=>"\\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.139000+0000", :message=>"Adding pattern", "MONTHNUM"=>"(?:0?[1-9]|1[0-2])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.139000+0000", :message=>"Adding pattern", "MONTHNUM2"=>"(?:0[1-9]|1[0-2])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.140000+0000", :message=>"Adding pattern", "MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.140000+0000", :message=>"Adding pattern", "DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.141000+0000", :message=>"Adding pattern", "YEAR"=>"(?>\\d\\d){1,2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.141000+0000", :message=>"Adding pattern", "HOUR"=>"(?:2[0123]|[01]?[0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.141000+0000", :message=>"Adding pattern", "MINUTE"=>"(?:[0-5][0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.142000+0000", :message=>"Adding pattern", "SECOND"=>"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.142000+0000", :message=>"Adding pattern", "TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.143000+0000", :message=>"Adding pattern", "DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.143000+0000", :message=>"Adding pattern", "DATE_EU"=>"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.144000+0000", :message=>"Adding pattern", "ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.144000+0000", :message=>"Adding pattern", "ISO8601_SECOND"=>"(?:%{SECOND}|60)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.144000+0000", :message=>"Adding pattern", "TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.145000+0000", :message=>"Adding pattern", "DATE"=>"%{DATE_US}|%{DATE_EU}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.145000+0000", :message=>"Adding pattern", "DATESTAMP"=>"%{DATE}[- ]%{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.146000+0000", :message=>"Adding pattern", "TZ"=>"(?:[PMCE][SD]T|UTC)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.146000+0000", :message=>"Adding pattern", "DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.147000+0000", :message=>"Adding pattern", "DATESTAMP_RFC2822"=>"%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.147000+0000", :message=>"Adding pattern", "DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.148000+0000", :message=>"Adding pattern", "DATESTAMP_EVENTLOG"=>"%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.148000+0000", :message=>"Adding pattern", "HTTPDERROR_DATE"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.149000+0000", :message=>"Adding pattern", "SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.149000+0000", :message=>"Adding pattern", "PROG"=>"[\\x21-\\x5a\\x5c\\x5e-\\x7e]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.150000+0000", :message=>"Adding pattern", "SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.150000+0000", :message=>"Adding pattern", "SYSLOGHOST"=>"%{IPORHOST}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.150000+0000", :message=>"Adding pattern", "SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.151000+0000", :message=>"Adding pattern", "HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.151000+0000", :message=>"Adding pattern", "QS"=>"%{QUOTEDSTRING}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.152000+0000", :message=>"Adding pattern", "SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.152000+0000", :message=>"Adding pattern", "COMMONAPACHELOG"=>"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.153000+0000", :message=>"Adding pattern", "COMBINEDAPACHELOG"=>"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.153000+0000", :message=>"Adding pattern", "HTTPD20_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.154000+0000", :message=>"Adding pattern", "HTTPD24_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.154000+0000", :message=>"Adding pattern", "HTTPD_ERRORLOG"=>"%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.155000+0000", :message=>"Adding pattern", "LOGLEVEL"=>"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.156000+0000", :message=>"Grok compile", :field=>"add_field", :patterns=>{"levelname"=>"%{levelname}", "orig_levelname"=>"%{levelname}"}, :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.157000+0000", :message=>"Adding pattern", "NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.159000+0000", :message=>"Adding pattern", "CISCO_TAGGED_SYSLOG"=>"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.159000+0000", :message=>"Adding pattern", "CISCOTIMESTAMP"=>"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.160000+0000", :message=>"Adding pattern", "CISCOTAG"=>"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.160000+0000", :message=>"Adding pattern", "CISCO_ACTION"=>"Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.161000+0000", :message=>"Adding pattern", "CISCO_REASON"=>"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\\s*)*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.161000+0000", :message=>"Adding pattern", "CISCO_DIRECTION"=>"Inbound|inbound|Outbound|outbound", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.161000+0000", :message=>"Adding pattern", "CISCO_INTERVAL"=>"first hit|%{INT}-second interval", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.162000+0000", :message=>"Adding pattern", "CISCO_XLATE_TYPE"=>"static|dynamic", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.162000+0000", :message=>"Adding pattern", "CISCOFW104001"=>"\\((?:Primary|Secondary)\\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.163000+0000", :message=>"Adding pattern", "CISCOFW104002"=>"\\((?:Primary|Secondary)\\) Switching to STANDBY - %{GREEDYDATA:switch_reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.164000+0000", :message=>"Adding pattern", "CISCOFW104003"=>"\\((?:Primary|Secondary)\\) Switching to FAILED\\.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.164000+0000", :message=>"Adding pattern", "CISCOFW104004"=>"\\((?:Primary|Secondary)\\) Switching to OK\\.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.165000+0000", :message=>"Adding pattern", "CISCOFW105003"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.165000+0000", :message=>"Adding pattern", "CISCOFW105004"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.166000+0000", :message=>"Adding pattern", "CISCOFW105005"=>"\\((?:Primary|Secondary)\\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.166000+0000", :message=>"Adding pattern", "CISCOFW105008"=>"\\((?:Primary|Secondary)\\) Testing [Ii]nterface %{GREEDYDATA:interface_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.167000+0000", :message=>"Adding pattern", "CISCOFW105009"=>"\\((?:Primary|Secondary)\\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.167000+0000", :message=>"Adding pattern", "CISCOFW106001"=>"%{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.168000+0000", :message=>"Adding pattern", "CISCOFW106006_106007_106010"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\\(%{DATA:src_fwuser}\\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\\(%{DATA:dst_fwuser}\\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.168000+0000", :message=>"Adding pattern", "CISCOFW106014"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\\(%{DATA:dst_fwuser}\\))? \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.169000+0000", :message=>"Adding pattern", "CISCOFW106015"=>"%{CISCO_ACTION:action} %{WORD:protocol} \\(%{DATA:policy_id}\\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.169000+0000", :message=>"Adding pattern", "CISCOFW106021"=>"%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.170000+0000", :message=>"Adding pattern", "CISCOFW106023"=>"%{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\\(%{DATA:dst_fwuser}\\))?( \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\))? by access-group \"?%{DATA:policy_id}\"? \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.170000+0000", :message=>"Adding pattern", "CISCOFW106100_2_3"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\) -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.171000+0000", :message=>"Adding pattern", "CISCOFW106100"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\)(\\(%{DATA:src_fwuser}\\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\)(\\(%{DATA:src_fwuser}\\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.171000+0000", :message=>"Adding pattern", "CISCOFW110002"=>"%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.172000+0000", :message=>"Adding pattern", "CISCOFW302010"=>"%{INT:connection_count} in use, %{INT:connection_count_max} most used", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.172000+0000", :message=>"Adding pattern", "CISCOFW302013_302014_302015_302016"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\\))?(\\(%{DATA:src_fwuser}\\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\\))?(\\(%{DATA:dst_fwuser}\\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \\(%{DATA:user}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.173000+0000", :message=>"Adding pattern", "CISCOFW302020_302021"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\\(%{DATA:fwuser}\\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \\(%{DATA:user}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.173000+0000", :message=>"Adding pattern", "CISCOFW305011"=>"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.174000+0000", :message=>"Adding pattern", "CISCOFW313001_313004_313008"=>"%{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.174000+0000", :message=>"Adding pattern", "CISCOFW313005"=>"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\\(%{DATA:err_src_fwuser}\\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\\(%{DATA:err_dst_fwuser}\\))? \\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\\) on %{DATA:interface} interface\\. Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\\(%{DATA:orig_src_fwuser}\\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\\(%{DATA:orig_dst_fwuser}\\))?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.175000+0000", :message=>"Adding pattern", "CISCOFW321001"=>"Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.175000+0000", :message=>"Adding pattern", "CISCOFW402117"=>"%{WORD:protocol}: Received a non-IPSec packet \\(protocol= %{WORD:orig_protocol}\\) from %{IP:src_ip} to %{IP:dst_ip}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.176000+0000", :message=>"Adding pattern", "CISCOFW402119"=>"%{WORD:protocol}: Received an %{WORD:orig_protocol} packet \\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\\) from %{IP:src_ip} \\(user= %{DATA:user}\\) to %{IP:dst_ip} that failed anti-replay checking", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.176000+0000", :message=>"Adding pattern", "CISCOFW419001"=>"%{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.177000+0000", :message=>"Adding pattern", "CISCOFW419002"=>"%{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.177000+0000", :message=>"Adding pattern", "CISCOFW500004"=>"%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.177000+0000", :message=>"Adding pattern", "CISCOFW602303_602304"=>"%{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \\(SPI= %{DATA:spi}\\) between %{IP:src_ip} and %{IP:dst_ip} \\(user= %{DATA:user}\\) has been %{CISCO_ACTION:action}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.178000+0000", :message=>"Adding pattern", "CISCOFW710001_710002_710003_710005_710006"=>"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.178000+0000", :message=>"Adding pattern", "CISCOFW713172"=>"Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\\s+Remote end\\s*%{DATA:is_remote_natted}\\s*behind a NAT device\\s+This\\s+end\\s*%{DATA:is_local_natted}\\s*behind a NAT device", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.179000+0000", :message=>"Adding pattern", "CISCOFW733100"=>"\\[\\s*%{DATA:drop_type}\\s*\\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.180000+0000", :message=>"Adding pattern", "SHOREWALL"=>"(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.181000+0000", :message=>"Adding pattern", "SYSLOG5424PRINTASCII"=>"[!-~]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.181000+0000", :message=>"Adding pattern", "SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.182000+0000", :message=>"Adding pattern", "SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.182000+0000", :message=>"Adding pattern", "CRON_ACTION"=>"[A-Z ]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.183000+0000", :message=>"Adding pattern", "CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.183000+0000", :message=>"Adding pattern", "SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.186000+0000", :message=>"Adding pattern", "SYSLOG5424PRI"=>"<%{NONNEGINT:syslog5424_pri}>", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.186000+0000", :message=>"Adding pattern", "SYSLOG5424SD"=>"\\[%{DATA}\\]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.187000+0000", :message=>"Adding pattern", "SYSLOG5424BASE"=>"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.187000+0000", :message=>"Adding pattern", "SYSLOG5424LINE"=>"%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.189000+0000", :message=>"Adding pattern", "NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.190000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.191000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.191000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.192000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.192000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.192000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.193000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.193000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.194000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.194000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.195000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.195000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.195000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.196000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.196000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.197000+0000", :message=>"Adding pattern", "NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.197000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.198000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.198000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.198000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.199000+0000", :message=>"Adding pattern", "NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.199000+0000", :message=>"Adding pattern", "NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.200000+0000", :message=>"Adding pattern", "NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.200000+0000", :message=>"Adding pattern", "NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.200000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS"=>"DISABLE_HOST_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.201000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS"=>"ENABLE_HOST_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.201000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS"=>"DISABLE_HOST_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.202000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS"=>"ENABLE_HOST_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.202000+0000", :message=>"Adding pattern", "NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS"=>"DISABLE_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.202000+0000", :message=>"Adding pattern", "NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS"=>"ENABLE_SVC_NOTIFICATIONS", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.203000+0000", :message=>"Adding pattern", "NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.203000+0000", :message=>"Adding pattern", "NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.204000+0000", :message=>"Adding pattern", "NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.204000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.205000+0000", :message=>"Adding pattern", "NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.205000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.206000+0000", :message=>"Adding pattern", "NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.206000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.207000+0000", :message=>"Adding pattern", "NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.207000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.208000+0000", :message=>"Adding pattern", "NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.208000+0000", :message=>"Adding pattern", "NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.209000+0000", :message=>"Adding pattern", "NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.209000+0000", :message=>"Adding pattern", "NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.210000+0000", :message=>"Adding pattern", "NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.211000+0000", :message=>"Adding pattern", "NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.211000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.212000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.212000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.213000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.213000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.214000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.214000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.215000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.215000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.216000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.216000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.217000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.217000+0000", :message=>"Adding pattern", "NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.218000+0000", :message=>"Adding pattern", "NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME}|%{NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.219000+0000", :message=>"Adding pattern", "MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.220000+0000", :message=>"Adding pattern", "BRO_HTTP"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{INT:trans_depth}\\t%{GREEDYDATA:method}\\t%{GREEDYDATA:domain}\\t%{GREEDYDATA:uri}\\t%{GREEDYDATA:referrer}\\t%{GREEDYDATA:user_agent}\\t%{NUMBER:request_body_len}\\t%{NUMBER:response_body_len}\\t%{GREEDYDATA:status_code}\\t%{GREEDYDATA:status_msg}\\t%{GREEDYDATA:info_code}\\t%{GREEDYDATA:info_msg}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:bro_tags}\\t%{GREEDYDATA:username}\\t%{GREEDYDATA:password}\\t%{GREEDYDATA:proxied}\\t%{GREEDYDATA:orig_fuids}\\t%{GREEDYDATA:orig_mime_types}\\t%{GREEDYDATA:resp_fuids}\\t%{GREEDYDATA:resp_mime_types}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.221000+0000", :message=>"Adding pattern", "BRO_DNS"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{INT:trans_id}\\t%{GREEDYDATA:query}\\t%{GREEDYDATA:qclass}\\t%{GREEDYDATA:qclass_name}\\t%{GREEDYDATA:qtype}\\t%{GREEDYDATA:qtype_name}\\t%{GREEDYDATA:rcode}\\t%{GREEDYDATA:rcode_name}\\t%{GREEDYDATA:AA}\\t%{GREEDYDATA:TC}\\t%{GREEDYDATA:RD}\\t%{GREEDYDATA:RA}\\t%{GREEDYDATA:Z}\\t%{GREEDYDATA:answers}\\t%{GREEDYDATA:TTLs}\\t%{GREEDYDATA:rejected}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.221000+0000", :message=>"Adding pattern", "BRO_CONN"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{GREEDYDATA:service}\\t%{NUMBER:duration}\\t%{NUMBER:orig_bytes}\\t%{NUMBER:resp_bytes}\\t%{GREEDYDATA:conn_state}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:missed_bytes}\\t%{GREEDYDATA:history}\\t%{GREEDYDATA:orig_pkts}\\t%{GREEDYDATA:orig_ip_bytes}\\t%{GREEDYDATA:resp_pkts}\\t%{GREEDYDATA:resp_ip_bytes}\\t%{GREEDYDATA:tunnel_parents}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.222000+0000", :message=>"Adding pattern", "BRO_FILES"=>"%{NUMBER:ts}\\t%{NOTSPACE:fuid}\\t%{IP:tx_hosts}\\t%{IP:rx_hosts}\\t%{NOTSPACE:conn_uids}\\t%{GREEDYDATA:source}\\t%{GREEDYDATA:depth}\\t%{GREEDYDATA:analyzers}\\t%{GREEDYDATA:mime_type}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:duration}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:is_orig}\\t%{GREEDYDATA:seen_bytes}\\t%{GREEDYDATA:total_bytes}\\t%{GREEDYDATA:missing_bytes}\\t%{GREEDYDATA:overflow_bytes}\\t%{GREEDYDATA:timedout}\\t%{GREEDYDATA:parent_fuid}\\t%{GREEDYDATA:md5}\\t%{GREEDYDATA:sha1}\\t%{GREEDYDATA:sha256}\\t%{GREEDYDATA:extracted}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.223000+0000", :message=>"Adding pattern", "HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.223000+0000", :message=>"Adding pattern", "HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.224000+0000", :message=>"Adding pattern", "HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.224000+0000", :message=>"Adding pattern", "HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.225000+0000", :message=>"Adding pattern", "HAPROXYHTTPBASE"=>"%{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.226000+0000", :message=>"Adding pattern", "HAPROXYHTTP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.226000+0000", :message=>"Adding pattern", "HAPROXYTCP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.227000+0000", :message=>"Adding pattern", "BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.228000+0000", :message=>"Adding pattern", "BACULA_HOST"=>"[a-zA-Z0-9-]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.228000+0000", :message=>"Adding pattern", "BACULA_VOLUME"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.229000+0000", :message=>"Adding pattern", "BACULA_DEVICE"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.229000+0000", :message=>"Adding pattern", "BACULA_DEVICEPATH"=>"%{UNIXPATH}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.230000+0000", :message=>"Adding pattern", "BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.230000+0000", :message=>"Adding pattern", "BACULA_VERSION"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.230000+0000", :message=>"Adding pattern", "BACULA_JOB"=>"%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.231000+0000", :message=>"Adding pattern", "BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.231000+0000", :message=>"Adding pattern", "BACULA_LOG_END_VOLUME"=>"End of medium on Volume \\\"%{BACULA_VOLUME:volume}\\\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.232000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_VOLUME"=>"Created new Volume \\\"%{BACULA_VOLUME:volume}\\\" in catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.232000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\).", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.233000+0000", :message=>"Adding pattern", "BACULA_LOG_WROTE_LABEL"=>"Wrote label to prelabeled Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE}\\\" \\(%{BACULA_DEVICEPATH}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.233000+0000", :message=>"Adding pattern", "BACULA_LOG_NEW_MOUNT"=>"New volume \\\"%{BACULA_VOLUME:volume}\\\" mounted on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\) at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.233000+0000", :message=>"Adding pattern", "BACULA_LOG_NOOPEN"=>"\\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.234000+0000", :message=>"Adding pattern", "BACULA_LOG_NOOPENDIR"=>"\\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.234000+0000", :message=>"Adding pattern", "BACULA_LOG_NOSTAT"=>"\\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.235000+0000", :message=>"Adding pattern", "BACULA_LOG_NOJOBS"=>"There are no more Jobs associated with Volume \\\"%{BACULA_VOLUME:volume}\\\". Marking it purged.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.235000+0000", :message=>"Adding pattern", "BACULA_LOG_ALL_RECORDS_PRUNED"=>"All records pruned from Volume \\\"%{BACULA_VOLUME:volume}\\\"; marking it \\\"Purged\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.235000+0000", :message=>"Adding pattern", "BACULA_LOG_BEGIN_PRUNE_JOBS"=>"Begin pruning Jobs older than %{INT} month %{INT} days .", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.236000+0000", :message=>"Adding pattern", "BACULA_LOG_BEGIN_PRUNE_FILES"=>"Begin pruning Files.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.236000+0000", :message=>"Adding pattern", "BACULA_LOG_PRUNED_JOBS"=>"Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.237000+0000", :message=>"Adding pattern", "BACULA_LOG_PRUNED_FILES"=>"Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.237000+0000", :message=>"Adding pattern", "BACULA_LOG_ENDPRUNE"=>"End auto prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.237000+0000", :message=>"Adding pattern", "BACULA_LOG_STARTJOB"=>"Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.238000+0000", :message=>"Adding pattern", "BACULA_LOG_STARTRESTORE"=>"Start Restore Job %{BACULA_JOB:job}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.238000+0000", :message=>"Adding pattern", "BACULA_LOG_USEDEVICE"=>"Using Device \\\"%{BACULA_DEVICE:device}\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.239000+0000", :message=>"Adding pattern", "BACULA_LOG_DIFF_FS"=>"\\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.239000+0000", :message=>"Adding pattern", "BACULA_LOG_JOBEND"=>"Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.240000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRUNE_JOBS"=>"No Jobs found to prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.240000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRUNE_FILES"=>"No Files found to prune.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.241000+0000", :message=>"Adding pattern", "BACULA_LOG_VOLUME_PREVWRITTEN"=>"Volume \\\"%{BACULA_VOLUME:volume}\\\" previously written, moving to end of data.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.241000+0000", :message=>"Adding pattern", "BACULA_LOG_READYAPPEND"=>"Ready to append to end of Volume \\\"%{BACULA_VOLUME:volume}\\\" size=%{INT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.241000+0000", :message=>"Adding pattern", "BACULA_LOG_CANCELLING"=>"Cancelling duplicate JobId=%{INT}.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.242000+0000", :message=>"Adding pattern", "BACULA_LOG_MARKCANCEL"=>"JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.243000+0000", :message=>"Adding pattern", "BACULA_LOG_CLIENT_RBJ"=>"shell command: run ClientRunBeforeJob \\\"%{GREEDYDATA:runjob}\\\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.243000+0000", :message=>"Adding pattern", "BACULA_LOG_VSS"=>"(Generate )?VSS (Writer)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.243000+0000", :message=>"Adding pattern", "BACULA_LOG_MAXSTART"=>"Fatal error: Job canceled because max start delay time exceeded.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.244000+0000", :message=>"Adding pattern", "BACULA_LOG_DUPLICATE"=>"Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.244000+0000", :message=>"Adding pattern", "BACULA_LOG_NOJOBSTAT"=>"Fatal error: No Job status returned from FD.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.245000+0000", :message=>"Adding pattern", "BACULA_LOG_FATAL_CONN"=>"Fatal error: bsock.c:133 Unable to connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.245000+0000", :message=>"Adding pattern", "BACULA_LOG_NO_CONNECT"=>"Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.246000+0000", :message=>"Adding pattern", "BACULA_LOG_NO_AUTH"=>"Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.246000+0000", :message=>"Adding pattern", "BACULA_LOG_NOSUIT"=>"No prior or suitable Full backup found in catalog. Doing FULL backup.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.246000+0000", :message=>"Adding pattern", "BACULA_LOG_NOPRIOR"=>"No prior Full backup Job record found.", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.247000+0000", :message=>"Adding pattern", "BACULA_LOG_JOB"=>"(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \\(%{BACULA_VERSION}\\):", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.247000+0000", :message=>"Adding pattern", "BACULA_LOGLINE"=>"%{BACULA_TIMESTAMP:bts} %{BACULA_HOST:hostname} JobId %{INT:jobid}: (%{BACULA_LOG_MAX_CAPACITY}|%{BACULA_LOG_END_VOLUME}|%{BACULA_LOG_NEW_VOLUME}|%{BACULA_LOG_NEW_LABEL}|%{BACULA_LOG_WROTE_LABEL}|%{BACULA_LOG_NEW_MOUNT}|%{BACULA_LOG_NOOPEN}|%{BACULA_LOG_NOOPENDIR}|%{BACULA_LOG_NOSTAT}|%{BACULA_LOG_NOJOBS}|%{BACULA_LOG_ALL_RECORDS_PRUNED}|%{BACULA_LOG_BEGIN_PRUNE_JOBS}|%{BACULA_LOG_BEGIN_PRUNE_FILES}|%{BACULA_LOG_PRUNED_JOBS}|%{BACULA_LOG_PRUNED_FILES}|%{BACULA_LOG_ENDPRUNE}|%{BACULA_LOG_STARTJOB}|%{BACULA_LOG_STARTRESTORE}|%{BACULA_LOG_USEDEVICE}|%{BACULA_LOG_DIFF_FS}|%{BACULA_LOG_JOBEND}|%{BACULA_LOG_NOPRUNE_JOBS}|%{BACULA_LOG_NOPRUNE_FILES}|%{BACULA_LOG_VOLUME_PREVWRITTEN}|%{BACULA_LOG_READYAPPEND}|%{BACULA_LOG_CANCELLING}|%{BACULA_LOG_MARKCANCEL}|%{BACULA_LOG_CLIENT_RBJ}|%{BACULA_LOG_VSS}|%{BACULA_LOG_MAXSTART}|%{BACULA_LOG_DUPLICATE}|%{BACULA_LOG_NOJOBSTAT}|%{BACULA_LOG_FATAL_CONN}|%{BACULA_LOG_NO_CONNECT}|%{BACULA_LOG_NO_AUTH}|%{BACULA_LOG_NOSUIT}|%{BACULA_LOG_JOB}|%{BACULA_LOG_NOPRIOR})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.249000+0000", :message=>"Adding pattern", "POSTGRESQL"=>"%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.250000+0000", :message=>"Adding pattern", "MONGO_LOG"=>"%{SYSLOGTIMESTAMP:timestamp} \\[%{WORD:component}\\] %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.250000+0000", :message=>"Adding pattern", "MONGO_QUERY"=>"\\{ (?<={ ).*(?= } ntoreturn:) \\}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.251000+0000", :message=>"Adding pattern", "MONGO_SLOWQUERY"=>"%{WORD} %{MONGO_WORDDASH:database}\\.%{MONGO_WORDDASH:collection} %{WORD}: %{MONGO_QUERY:query} %{WORD}:%{NONNEGINT:ntoreturn} %{WORD}:%{NONNEGINT:ntoskip} %{WORD}:%{NONNEGINT:nscanned}.*nreturned:%{NONNEGINT:nreturned}..+ (?<duration>[0-9]+)ms", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.252000+0000", :message=>"Adding pattern", "MONGO_WORDDASH"=>"\\b[\\w-]+\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.252000+0000", :message=>"Adding pattern", "MONGO3_SEVERITY"=>"\\w", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.253000+0000", :message=>"Adding pattern", "MONGO3_COMPONENT"=>"%{WORD}|-", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.253000+0000", :message=>"Adding pattern", "MONGO3_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\\[%{DATA:context}\\])? %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.254000+0000", :message=>"Adding pattern", "MCOLLECTIVE"=>"., \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\]%{SPACE}%{LOGLEVEL:event_level}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.254000+0000", :message=>"Adding pattern", "MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.255000+0000", :message=>"Adding pattern", "RT_FLOW_EVENT"=>"(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.256000+0000", :message=>"Adding pattern", "RT_FLOW1"=>"%{RT_FLOW_EVENT:event}: %{GREEDYDATA:close-reason}: %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} \\d+\\(%{DATA:sent}\\) \\d+\\(%{DATA:received}\\) %{INT:elapsed-time} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.257000+0000", :message=>"Adding pattern", "RT_FLOW2"=>"%{RT_FLOW_EVENT:event}: session created %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.257000+0000", :message=>"Adding pattern", "RT_FLOW3"=>"%{RT_FLOW_EVENT:event}: session denied %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{INT:protocol-id}\\(\\d\\) %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} .*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.258000+0000", :message=>"Adding pattern", "RUUID"=>"\\h{32}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.259000+0000", :message=>"Adding pattern", "RCONTROLLER"=>"(?<controller>[^#]+)#(?<action>\\w+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.260000+0000", :message=>"Adding pattern", "RAILS3HEAD"=>"(?m)Started %{WORD:verb} \"%{URIPATHPARAM:request}\" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.260000+0000", :message=>"Adding pattern", "RPROCESSING"=>"\\W*Processing by %{RCONTROLLER} as (?<format>\\S+)(?:\\W*Parameters: {%{DATA:params}}\\W*)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.261000+0000", :message=>"Adding pattern", "RAILS3FOOT"=>"Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.261000+0000", :message=>"Adding pattern", "RAILS3PROFILE"=>"(?:\\(Views: %{NUMBER:viewms}ms \\| ActiveRecord: %{NUMBER:activerecordms}ms|\\(ActiveRecord: %{NUMBER:activerecordms}ms)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.262000+0000", :message=>"Adding pattern", "RAILS3"=>"%{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\\n)*)(?:%{RAILS3FOOT})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.263000+0000", :message=>"Adding pattern", "EXIM_MSGID"=>"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.263000+0000", :message=>"Adding pattern", "EXIM_FLAGS"=>"(<=|[-=>*]>|[*]{2}|==)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.264000+0000", :message=>"Adding pattern", "EXIM_DATE"=>"%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.264000+0000", :message=>"Adding pattern", "EXIM_PID"=>"\\[%{POSINT}\\]", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.265000+0000", :message=>"Adding pattern", "EXIM_QT"=>"((\\d+y)?(\\d+w)?(\\d+d)?(\\d+h)?(\\d+m)?(\\d+s)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.265000+0000", :message=>"Adding pattern", "EXIM_EXCLUDE_TERMS"=>"(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.266000+0000", :message=>"Adding pattern", "EXIM_REMOTE_HOST"=>"(H=(%{NOTSPACE:remote_hostname} )?(\\(%{NOTSPACE:remote_heloname}\\) )?\\[%{IP:remote_host}\\])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.266000+0000", :message=>"Adding pattern", "EXIM_INTERFACE"=>"(I=\\[%{IP:exim_interface}\\](:%{NUMBER:exim_interface_port}))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.266000+0000", :message=>"Adding pattern", "EXIM_PROTOCOL"=>"(P=%{NOTSPACE:protocol})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.267000+0000", :message=>"Adding pattern", "EXIM_MSG_SIZE"=>"(S=%{NUMBER:exim_msg_size})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.267000+0000", :message=>"Adding pattern", "EXIM_HEADER_ID"=>"(id=%{NOTSPACE:exim_header_id})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.268000+0000", :message=>"Adding pattern", "EXIM_SUBJECT"=>"(T=%{QS:exim_subject})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.269000+0000", :message=>"Adding pattern", "JAVACLASS"=>"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\\.)*[a-zA-Z$_][a-zA-Z$_0-9]*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.269000+0000", :message=>"Adding pattern", "JAVAFILE"=>"(?:[A-Za-z0-9_. -]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.270000+0000", :message=>"Adding pattern", "JAVAMETHOD"=>"(?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.270000+0000", :message=>"Adding pattern", "JAVASTACKTRACEPART"=>"%{SPACE}at %{JAVACLASS:class}\\.%{JAVAMETHOD:method}\\(%{JAVAFILE:file}(?::%{NUMBER:line})?\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.271000+0000", :message=>"Adding pattern", "JAVATHREAD"=>"(?:[A-Z]{2}-Processor[\\d]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.271000+0000", :message=>"Adding pattern", "JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9$]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.272000+0000", :message=>"Adding pattern", "JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.272000+0000", :message=>"Adding pattern", "JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.272000+0000", :message=>"Adding pattern", "JAVALOGMESSAGE"=>"(.*)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.273000+0000", :message=>"Adding pattern", "CATALINA_DATESTAMP"=>"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.273000+0000", :message=>"Adding pattern", "TOMCAT_DATESTAMP"=>"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.274000+0000", :message=>"Adding pattern", "CATALINALOG"=>"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.274000+0000", :message=>"Adding pattern", "TOMCATLOG"=>"%{TOMCAT_DATESTAMP:timestamp} \\| %{LOGLEVEL:level} \\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.275000+0000", :message=>"Adding pattern", "REDISTIMESTAMP"=>"%{MONTHDAY} %{MONTH} %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.276000+0000", :message=>"Adding pattern", "REDISLOG"=>"\\[%{POSINT:pid}\\] %{REDISTIMESTAMP:timestamp} \\* ", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.277000+0000", :message=>"Adding pattern", "S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.277000+0000", :message=>"Adding pattern", "S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \\[%{HTTPDATE:timestamp}\\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:\"%{S3_REQUEST_LINE}\"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:\"?%{QS:agent}\"?|-) (?:-|%{NOTSPACE:version_id})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.278000+0000", :message=>"Adding pattern", "ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.279000+0000", :message=>"Adding pattern", "ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.279000+0000", :message=>"Adding pattern", "ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.280000+0000", :message=>"Adding pattern", "ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} \"%{ELB_REQUEST_LINE}\"", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.282000+0000", :message=>"Adding pattern", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.283000+0000", :message=>"Adding pattern", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.284000+0000", :message=>"Adding pattern", "USERNAME"=>"[a-zA-Z0-9._-]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.284000+0000", :message=>"Adding pattern", "USER"=>"%{USERNAME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.285000+0000", :message=>"Adding pattern", "EMAILLOCALPART"=>"[a-zA-Z][a-zA-Z0-9_.+-=:]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.285000+0000", :message=>"Adding pattern", "EMAILADDRESS"=>"%{EMAILLOCALPART}@%{HOSTNAME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.286000+0000", :message=>"Adding pattern", "HTTPDUSER"=>"%{EMAILADDRESS}|%{USER}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.286000+0000", :message=>"Adding pattern", "INT"=>"(?:[+-]?(?:[0-9]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.286000+0000", :message=>"Adding pattern", "BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.287000+0000", :message=>"Adding pattern", "NUMBER"=>"(?:%{BASE10NUM})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.287000+0000", :message=>"Adding pattern", "BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.288000+0000", :message=>"Adding pattern", "BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.288000+0000", :message=>"Adding pattern", "POSINT"=>"\\b(?:[1-9][0-9]*)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.289000+0000", :message=>"Adding pattern", "NONNEGINT"=>"\\b(?:[0-9]+)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.289000+0000", :message=>"Adding pattern", "WORD"=>"\\b\\w+\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.290000+0000", :message=>"Adding pattern", "NOTSPACE"=>"\\S+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.290000+0000", :message=>"Adding pattern", "SPACE"=>"\\s*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.291000+0000", :message=>"Adding pattern", "DATA"=>".*?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.292000+0000", :message=>"Adding pattern", "GREEDYDATA"=>".*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.292000+0000", :message=>"Adding pattern", "QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.293000+0000", :message=>"Adding pattern", "UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.293000+0000", :message=>"Adding pattern", "MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.293000+0000", :message=>"Adding pattern", "CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.294000+0000", :message=>"Adding pattern", "WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.294000+0000", :message=>"Adding pattern", "COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.295000+0000", :message=>"Adding pattern", "IPV6"=>"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.295000+0000", :message=>"Adding pattern", "IPV4"=>"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.296000+0000", :message=>"Adding pattern", "IP"=>"(?:%{IPV6}|%{IPV4})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.296000+0000", :message=>"Adding pattern", "HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.297000+0000", :message=>"Adding pattern", "IPORHOST"=>"(?:%{IP}|%{HOSTNAME})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.297000+0000", :message=>"Adding pattern", "HOSTPORT"=>"%{IPORHOST}:%{POSINT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.297000+0000", :message=>"Adding pattern", "PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.298000+0000", :message=>"Adding pattern", "UNIXPATH"=>"(/([\\w_%!$@:.,~-]+|\\\\.)*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.298000+0000", :message=>"Adding pattern", "TTY"=>"(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.299000+0000", :message=>"Adding pattern", "WINPATH"=>"(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.299000+0000", :message=>"Adding pattern", "URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.299000+0000", :message=>"Adding pattern", "URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.300000+0000", :message=>"Adding pattern", "URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\\-]*)+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.300000+0000", :message=>"Adding pattern", "URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.300000+0000", :message=>"Adding pattern", "URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.301000+0000", :message=>"Adding pattern", "URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.301000+0000", :message=>"Adding pattern", "MONTH"=>"\\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\\b", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.302000+0000", :message=>"Adding pattern", "MONTHNUM"=>"(?:0?[1-9]|1[0-2])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.302000+0000", :message=>"Adding pattern", "MONTHNUM2"=>"(?:0[1-9]|1[0-2])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.303000+0000", :message=>"Adding pattern", "MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.303000+0000", :message=>"Adding pattern", "DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.304000+0000", :message=>"Adding pattern", "YEAR"=>"(?>\\d\\d){1,2}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.304000+0000", :message=>"Adding pattern", "HOUR"=>"(?:2[0123]|[01]?[0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.305000+0000", :message=>"Adding pattern", "MINUTE"=>"(?:[0-5][0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.305000+0000", :message=>"Adding pattern", "SECOND"=>"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.305000+0000", :message=>"Adding pattern", "TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.306000+0000", :message=>"Adding pattern", "DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.306000+0000", :message=>"Adding pattern", "DATE_EU"=>"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.307000+0000", :message=>"Adding pattern", "ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.307000+0000", :message=>"Adding pattern", "ISO8601_SECOND"=>"(?:%{SECOND}|60)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.308000+0000", :message=>"Adding pattern", "TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.308000+0000", :message=>"Adding pattern", "DATE"=>"%{DATE_US}|%{DATE_EU}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.308000+0000", :message=>"Adding pattern", "DATESTAMP"=>"%{DATE}[- ]%{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.309000+0000", :message=>"Adding pattern", "TZ"=>"(?:[PMCE][SD]T|UTC)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.309000+0000", :message=>"Adding pattern", "DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.309000+0000", :message=>"Adding pattern", "DATESTAMP_RFC2822"=>"%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.310000+0000", :message=>"Adding pattern", "DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.311000+0000", :message=>"Adding pattern", "DATESTAMP_EVENTLOG"=>"%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.311000+0000", :message=>"Adding pattern", "HTTPDERROR_DATE"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.311000+0000", :message=>"Adding pattern", "SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.312000+0000", :message=>"Adding pattern", "PROG"=>"[\\x21-\\x5a\\x5c\\x5e-\\x7e]+", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.312000+0000", :message=>"Adding pattern", "SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.312000+0000", :message=>"Adding pattern", "SYSLOGHOST"=>"%{IPORHOST}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.312000+0000", :message=>"Adding pattern", "SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.313000+0000", :message=>"Adding pattern", "HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.313000+0000", :message=>"Adding pattern", "QS"=>"%{QUOTEDSTRING}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.313000+0000", :message=>"Adding pattern", "SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.314000+0000", :message=>"Adding pattern", "COMMONAPACHELOG"=>"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.314000+0000", :message=>"Adding pattern", "COMBINEDAPACHELOG"=>"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.317000+0000", :message=>"Adding pattern", "HTTPD20_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.318000+0000", :message=>"Adding pattern", "HTTPD24_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.318000+0000", :message=>"Adding pattern", "HTTPD_ERRORLOG"=>"%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}", :level=>:info}
{:timestamp=>"2016-01-10T11:14:27.319000+0000", :message=>"Adding pattern", "LOGLEVEL"=>"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)", :level=>:info}
The error reported is:
can't convert Array into String