{
"syslog_log" : {
"regex" : [
"^(?<timestamp>\\w{3}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2})(?: (?<log_hostname>[a-zA-Z0-9][^ ]+))?(?:(?: (?<log_procname>(?:[^ \\[:]+|[^:]+))(?:\\[(?<log_pid>\\d+)])?:(?<body>.*))|(?:(?: ---)? last message repeated \\d+ times?(?: ---)?))"
],
"level-field" : "body",
"level" : {
"error" : "(?:failed|failure|error)",
"warning" : "(?:warn|not responding|init: cannot execute)"
},
"value" : {
"log_hostname" : {
"kind" : "string",
"collate" : "ipaddress",
"identifier" : true
},
"log_procname" : {
"kind" : "string",
"identifier" : true
},
"log_pid" : {
"kind" : "string",
"identifier" : true
}
},
"sample" : [
{
"line" : "Jun 27 01:47:20 Tims-MacBook-Air.local configd[17]: network changed: v4(en0-:192.168.1.8) DNS- Proxy- SMB"
},
{
"line" : "Jun 20 17:26:13 ip-10-188-149-5 [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /var/lib/cloud (recursive=False)"
}
]
},
"access_log" : {
"regex" : [
"^(?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?) (?<c_ip>[^ ]+) (?<cs_username>[^ ]+) (?<cs_method>[A-Z]+) (?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))? (?:-1|\\d+) (?<sc_status>\\d+) \\d+",
"^(?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?) (?<c_ip>[^ ]+) (?<cs_username>[^ ]+) (?<cs_method>[A-Z]+) \"(?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))?\" (?:-1|\\d+) (?<sc_status>\\d+) \\d+",
"^(?<c_ip>[\\w\\.\\-]+) [\\w\\.\\-]+ (?<cs_username>[\\w\\.\\-]+) \\[(?<timestamp>[^\\]]+)\\] \"(?:\\-|(?<cs_method>\\w+) (?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))? (?<cs_version>[\\w/\\.]+))\" (?<sc_status>\\d+) (?<sc_bytes>\\d+|-)(?: \"(?<cs_referer>[^\"]+)\" \"(?<cs_user_agent>[^\"]+)\")?.*"
],
"level-field": "sc_status",
"level" : {
"error" : "^[^123]"
},
"value" : {
"c_ip" : {
"kind" : "string",
"collate" : "ipaddress",
"identifier" : true
},
"cs_username" : {
"kind" : "string",
"identifier" : true
},
"cs_method" : {
"kind" : "string",
"identifier" : true
},
"cs_uri_stem" : {
"kind" : "string",
"identifier" : true
},
"cs_uri_query" : {
"kind" : "string"
},
"cs_version" : {
"kind" : "string",
"identifier" : true
},
"sc_status" : {
"kind" : "integer"
},
"sc_bytes" : {
"kind" : "integer"
},
"cs_referer" : {
"kind" : "string",
"identifier" : true
},
"cs_user_agent" : {
"kind" : "string",
"identifier" : true
}
},
"sample" : [
{
"line" : "10.112.72.172 - - [11/Feb/2013:06:43:36 +0000] \"GET /client/ HTTP/1.1\" 200 5778 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17\""
}
]
},
"error_log" : {
"regex" : [
"^(?<level>\\w) \\[(?<timestamp>[^\\]]+)\\] (?<body>.*)"
],
"level-field": "level",
"level" : {
"error" : "E",
"warning" : "W",
"info" : "I"
},
"sample" : [
{
"line" : "E [08/Jun/2013:11:28:58 -0700] Unknown directive BrowseOrder on line 22 of /private/etc/cups/cupsd.conf."
}
]
},
"page_log" : {
"url" : "http://www.cups.org/documentation.php/doc-1.7/ref-page_log.html",
"regex" : [
"^(?<printer>[\\w_\\-\\.]+) (?<username>[\\w\\.\\-]+) (?<job_id>\\d+) \\[(?<timestamp>[^\\]]+)\\] (?<page_number>total|\\d+) (?<num_copies>\\d+) (?<job_billing>[^ ]+) (?<job_originating_hostname>[\\w\\.\\-]+)$",
"^(?<printer>[\\w_\\-\\.]+) (?<username>[\\w\\.\\-]+) (?<job_id>\\d+) \\[(?<timestamp>[^\\]]+)\\] (?<page_number>total|\\d+) (?<num_copies>\\d+) (?<job_billing>[^ ]+) (?<job_originating_hostname>[\\w\\.\\-]+) (?<job_name>.+) (?<media>[^ ]+) (?<sides>.+)$"
],
"value" : {
"printer" : {
"kind" : "string",
"identifier" : true
},
"username" : {
"kind" : "string",
"identifier" : true
},
"job_id" : {
"kind" : "integer",
"identifier" : true
},
"page_number" : {
"kind" : "string"
},
"num_copies" : {
"kind" : "integer"
},
"job_billing" : {
"kind" : "string",
"identifier" : true
},
"job_originating_hostname" : {
"kind" : "string",
"identifier" : true
},
"job_name" : {
"kind" : "string",
"identifier" : true
},
"media" : {
"kind" : "string",
"identifier" : true
},
"sides" : {
"kind" : "string",
"identifier" : true
}
},
"sample" : [
{
"line" : "Photosmart_7520_series stack 11 [18/May/2013:13:21:15 -0700] total 0 - localhost 5615311548-159003235-tickets.pdf Letter one-sided"
},
{
"line" : "tec_IS2027 kurt 401 [22/Apr/2003:10:28:43 +0100] 1 3 #marketing 10.160.50.13"
}
]
},
"vmw_log" : {
"regex" : ["^(?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z) \\[(?<tid>\\w+) (?<level>\\w+) '(?<comp>[^']+)'(?: opID=(?<opid>[^ \\]]+))?(?: user=(?<user>[\\w\\-]+))?\\](?<body>.*)$"],
"level-field": "level",
"level" : {
"error" : "error",
"warning" : "warning",
"trace" : "verbose"
},
"value" : {
"tid" : {
"kind" : "string",
"identifier" : true
},
"comp" : {
"kind" : "string",
"identifier" : true
},
"opid" : {
"kind" : "string",
"identifier" : true
},
"user" : {
"kind" : "string",
"identifier" : true
}
}
},
"choose_repo_log" : {
"regex" : [
"^\\[(?<level>\\w+):[^\\]]+] [^:]+:\\d+ (?<timestamp>\\d{4}-\\d{2}-\\d{2}[T ]\\d{2}:\\d{2}:\\d{2}(?:[\\.,]\\d{3})?):(?<body>.*)"
],
"level-field" : "level",
"level" : {
"error" : "ERROR",
"debug" : "DEBUG",
"info" : "INFO",
"warning" : "WARNING"
},
"sample" : [
{
"line": "[INFO:choose_repo] choose_repo:47 2013-06-20 17:26:10,691: Setting region in redhat-rhui.repo"
}
]
},
"dpkg_log" : {
"regex" : [
"^(?<timestamp>\\d{4}-\\d{2}-\\d{2}[T ]\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?) (?:(?:(?<action>startup|status|configure|install|upgrade|trigproc|remove|purge)(?: (?<status>config-files|failed-config|half-configured|half-installed|installed|not-installed|post-inst-failed|removal-failed|triggers-awaited|triggers-pending|unpacked))? (?<package>[^ ]+) (?<installed_version>[^ ]+)(?: (?<available_version>[^ ]+))?)|update-alternatives: (?<body>.*))$"
],
"value" : {
"action" : {
"kind" : "string",
"identifier" : true
},
"status" : {
"kind" : "string",
"identifier" : true
},
"package" : {
"kind" : "string",
"identifier" : true
},
"installed_version" : {
"kind" : "string"
},
"available_version" : {
"kind" : "string"
}
},
"sample" : [
{
"line" : "2012-02-14 10:44:10 configure base-files 5.0.0ubuntu20 5.0.0ubuntu20"
},
{
"line" : "2012-02-14 10:44:30 status unpacked rsyslog 4.2.0-2ubuntu8"
},
{
"line" : "2012-02-14 10:44:32 update-alternatives: run with --install /usr/bin/rview rview /usr/bin/vim.tiny 10"
}
]
},
"block_log" : {
"regex" : [
"^(?<timestamp>\\w{3} \\w{3}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2} \\w+ \\d{4})$"
],
"sample" : [
{
"line" : "Sat Apr 27 03:33:07 PDT 2013"
}
]
},
"fsck_hfs_log" : {
"regex" : [
"^(?<device>[^:]+): fsck_hfs run at (?<timestamp>\\w{3} \\w{3}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2} \\d{4})"
],
"value" : {
"device" : {
"kind" : "string",
"identifier" : true
}
},
"sample" : [
{
"line" : "/dev/rdisk0s2: fsck_hfs run at Wed Jul 25 23:01:18 2012"
}
]
},
"snaplogic_log" : {
"regex" : ["^(?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?) (?:(?:(?<level>\\w+) (?<logger>[^ ]+) (?<facility>[^ ]+) (?<msgid>[^ ]+) (?<pipe_rid>[^ \\.]+)(?:\\.(?<comp_rid>[^ ]+))? (?<resource_name>[^ ]+) (?<invoker>[^ ]+))|(?:stdout: ))(?<body>.*)"],
"level-field" : "level",
"level" : {
"error" : "ERROR",
"debug" : "DEBUG",
"info" : "INFO",
"warning" : "WARNING"
},
"value" : {
"logger" : {
"kind" : "string",
"identifier" : true
},
"facility" : {
"kind" : "string",
"identifier" : true
},
"msgid" : {
"kind" : "string",
"identifier" : true
},
"pipe_rid" : {
"kind" : "string",
"identifier" : true
},
"comp_rid" : {
"kind" : "string",
"identifier" : true
},
"resource_name" : {
"kind" : "string",
"identifier" : true
},
"invoker" : {
"kind" : "string",
"identifier" : true
}
}
}
}