Commit graph

95 commits

Author SHA1 Message Date
Oluf Lorenzen
2bf6a9c0d6 make numbers match w/o word-boundaries 2013-04-22 18:24:58 +03:00
Oluf Lorenzen
19f3bf2fb3 fix TTY (make subdir optional)
seems as if I did not test the other patch W(
2013-04-22 17:34:50 +03:00
Oluf Lorenzen
a49c52aab9 fix typo 2013-04-22 17:27:18 +03:00
Oluf Lorenzen
17c1ca2deb shorten/cleanup/fix TTY-pattern
removed BSD/Linux-specific TTYs, as there are several more TTY names, even under Linux, than /dev/pts/${NONNEGINT}.
This also allows
 * "/dev/ttyUSB0"
 * "/dev/ttyS0"
2013-04-18 19:15:03 +03:00
Alexander Papaspyrou
e70c2d0ced And another one :-( Working in the eve is a **bad** idea. 2013-03-22 20:11:53 +01:00
Alexander Papaspyrou
d9b4b05f83 Meh. Forgot one variable... 2013-03-22 20:08:05 +01:00
Alexander Papaspyrou
c0937c5cb3 Changes wrt. @jordansissel's comments on [my pull request](https://github.com/logstash/logstash/pull/415). 2013-03-22 20:04:15 +01:00
Alexander Papaspyrou
e332f52c48 Added support for IETF 5425 syslog parsing in grok. 2013-03-22 18:30:14 +01:00
emergion
0ea3cbca40 Periods are common in usernames, allowed in most cases and RFC2617 thinks they are ok 2013-03-14 17:18:55 +11:00
Jordan Sissel
0503b11260 Merge pull request #316 from xiaclo/patch-2
Update patterns/grok-patterns
2013-02-27 09:00:31 -08:00
Jordan Sissel
d05407e29c Merge pull request #371 from alexkoltun/patch-1
Make 'HOUR' accept single-digit hours.
2013-02-26 12:14:02 -08:00
Aaron Blew
e019693cab Renamed mcollective patterns in the traditional app style
Removed mcollective base pattern since it's just the standard Ruby pattern
2013-02-26 11:55:38 -08:00
alexkoltun
9d26770a5b Update patterns/grok-patterns
Fix the hour pattern to accept single digit hours, fixes an issue with timestamps like that: "2013-02-21 6:23:46"
2013-02-21 09:42:39 +02:00
Jordan Sissel
2b739b5120 Merge pull request #361 from blewa/26bf4b3028bcb1beb2a01b3d2fdf681634750af4
More app patterns
2013-02-14 23:46:21 -08:00
Aaron Blew
26bf4b3028 Added patterns for MCollective audit and general logs
Added redis pattern
Added Postgresql pattern
2013-02-14 23:31:12 -08:00
Joseph Price
23f0c61229 Improvements to HAPROXYHTTP pattern.
* haproxy may log "<BADREQ>" in http_request which was not previously
  matched.

* http_request's closing '"' should not be collected with the optional
  http_version, it is required.
2013-02-07 14:09:28 +00:00
Joseph Price
4560f862f8 Request-URI may be absolute. 2013-02-04 11:12:00 +00:00
Aaron Blew
e2a29e159f Added : as a valid separator between seconds and subseconds 2013-01-24 17:22:31 -08:00
xiaclo
c070cbd055 Update patterns/grok-patterns
This is a personal preference, but for web logs, I prefer the parser to capture what it can.  Currently with an invalid request, it fails completely rather than capturing the other log information such as date, bytes transferred and HTTP status.

This patch captures the invalid request into @fields.rawrequest and leaves @fields.verb, @fields.request and @fields.httpversion as nulls if it cannot be properly parsed.

Here is a sample of invalid requests I have from my logs:
115.70.170.86 - - [31/Oct/2012:06:41:24 +1100] "G" 408 0 "-" "-"
165.86.71.20 - - [31/Oct/2012:04:27:01 +1100] "GET http://dis.us.criteo.com/dis/dis.aspx?&t1=sendEvent&c=2&p=3937&p1=v%3D2%26wi%3D7715628%26pt1%3D0%26pt2%3D1%26si%3D1&cb=21664477550&ref=&sc_r=1280x1024&sc_d=32 HTTP/1.0" 400 672 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

Obviously these are not valid requests, and I prefer to handle them this way, but the change is up to you.
2013-01-14 14:39:03 +11:00
xiaclo
3c89bea927 Update patterns/grok-patterns
The hyphens in the regexes are creating ranges and need to be escaped. Without this change, this results in parser failures for logs containing URIs such as:

/test/page.html?arg=hypenated-arg
2013-01-11 12:04:14 +11:00
Frank Rosquin
698baed405 Fixed year pattern.
Year was matching any digit, one or more times. This could lead to way
too eager matching.

Match years as either a group of 2, or a group of 4 digits.
2013-01-08 15:45:46 +01:00
Jordan Sissel
c39e5a4e97 Merge branch 'master' of https://github.com/gdb/logstash into gdb-master
Conflicts:
	patterns/ruby
2012-12-27 22:25:05 -08:00
Jordan Sissel
180509c3f6 Merge pull request #271 from decbis/patch-1
Update patterns/ruby
2012-12-21 16:18:15 -08:00
Jordan Sissel
124a14461f Add '.' as a valid date separator for EU dates (requested by rarruda in irc) 2012-12-21 01:34:09 -08:00
Eugen Dinca
96cfa49be6 Update patterns/ruby
- Corrected missing % for POSINT
- Made progname optional
- Made message greedy
- Made all fields named (except the first)
2012-12-12 18:22:50 -05:00
Avishai Ish-Shalom
9d5649b845 fixed missing | 2012-12-04 22:41:12 +02:00
Avishai Ish-Shalom
e3a250e9bc Added TRACE to LOGLEVEL 2012-12-04 22:33:47 +02:00
MikeSchuette
e25a7701de Match invalid URI characters in COMBINEDAPACHELOG
Apache generally logs whatever is requested, which is not guaranteed to be valid.
2012-11-27 13:56:59 -06:00
MikeSchuette
cd0e08e29d Fix URIPARAM to allow square brackets
PHP uses these all the time.
2012-11-27 11:55:20 -06:00
Greg Brockman
a98879c07f Add missing percent 2012-11-17 16:28:08 -08:00
Jordan Sissel
defc9b9c61 Merge pull request #241 from tabletcorry/java_pattern_dollar
Add '$' as valid character in java class name
2012-11-17 11:29:44 -08:00
Jordan Sissel
919329320c - Use atomic grouping for PATH and its siblings. Fixes LOGSTASH-701 2012-11-13 13:06:13 -08:00
Corry Haines
b3283cdabc Add '$' as valid character in java class name
This definitely exists at the leaf name, but I am unsure if it is
allowed at higher levels.
2012-11-12 08:53:51 -08:00
Jordan Sissel
20b36b84e4 Fix netscreen pattern 2012-10-31 13:49:06 -07:00
Jordan Sissel
68258c1944 fix spec/examples/parse-apache-logs failure due to QUOTEDSTRING not matching empty "" 2012-10-28 21:25:09 -07:00
Jordan Sissel
6f74511067 - use atomic groups (no backtracking) in QUOTEDSTRING - should prevent
some additional watchdog timeouts due to Oniguruma getting stuck.
  LOGSTASH-644
2012-10-24 17:54:14 -07:00
olagache
71f471c60b Update patterns/grok-patterns 2012-09-27 18:28:46 +03:00
Jordan Sissel
06f91394c6 Hopefully fix some apache parsing issues 2012-09-26 23:08:03 -07:00
Matthew Baxa
528daa1114 Added '?' to URIPARAM
Added the '?' character to URIPARAM to handle an edge case
2012-09-26 15:14:00 -05:00
Jordan Sissel
99d88eb0ae - facility/severity can be zero. 2012-09-10 20:26:16 -07:00
Jordan Sissel
481472ec0c - don't capture 'ZONE' by name. (LOGSTASH-251) 2012-09-08 11:23:32 -07:00
Corry Haines
a0cea051a0 Add FATAL loglevel to grok pattern
It may not be in syslog, but it is somewhat common.
2012-08-14 12:36:50 -07:00
Jordan Sissel
20bd118444 Merge pull request #184 from maguec/master
Patterns URIPARAM accept pipes
2012-08-14 12:07:18 -07:00
Kevin Nuckolls
a7b297fb4c haproxy log format doesn't put in the {} {} if you don't capture headers. Made that section optional. Also made the ending optional in case of a very long URL that syslog truncates. 2012-08-13 22:55:40 -05:00
Chris Mague
0b8e3ee904 Update patterns/grok-patterns
Add pipes as an acceptable character in URIPARAM as some sites use them.

eg http://b.foo.com/shop/uk/fr/omesuff?iid=Suff%20tail|foo|%2Fbuy%2Fuk%2Ffr%2F22
2012-08-13 14:11:59 -07:00
John A. Barbuto
a411cdca0d Added NONNEGINT to patterns
Commit e62536a introduced a complication: there are times when one
wants to match against zero as well as the positive integers (such
as in the LINUXTTY pattern).  For these times, NONNEGINT can be used.

Existing users of POSINT might continue to expect zero to match, so
this change should probably be mentioned in the release notes (on the
other hand, some could be using POSINT without wanting it to match
zero, as happened to me).

Ref: Paragraph 3 of http://en.wikipedia.org/wiki/Natural_number
2012-06-22 12:01:26 -07:00
Pete Fritchman
e9cd3446fb Merge commit 'e62536a' 2012-06-22 09:52:54 -04:00
John A. Barbuto
e62536a614 Zero isn't a positive integer :) 2012-06-19 18:49:05 -07:00
Pete Fritchman
5f8ac852e5 Merge remote-tracking branch 'blewa/master' 2012-06-18 12:14:43 -04:00
Pete Fritchman
584d07de36 Merge pull request #158 from prune998/patch-1
Changed the PROG pattern to match Cisco PROG name starting with a percen...
2012-06-18 01:27:11 -07:00