Commit graph

104 commits

Author SHA1 Message Date
Tray Torrance
10cd07c809 Add UTC to the TZ grok pattern 2013-08-26 09:43:59 -07:00
Brad Fritz
0630d51ac1 [syslog5424] do not capture chevrons with priority value
Priority is "191", not "<191>".  The syslog_pri filter expects a
raw integer without the extra punctuation.
2013-08-24 11:35:51 -04:00
Brad Fritz
4b345671ff [syslog5424] non-capturing parens since no backreferences needed 2013-08-23 14:34:47 -04:00
Brad Fritz
93990829f2 [syslog5424] structured data should be nil when RFC NILVALUE is used 2013-08-23 14:34:41 -04:00
Hugo Lopes Tavares
1e8f5d8b10 Add "emergency" to LOGLEVEL grok pattern
Apache, nginx, syslog, and many systems use emergency level,
and it was missing in logstash.

Also add tests to cover all scenarios of `LOGLEVEL` expansion.
2013-08-02 11:24:12 -04:00
Jordan Sissel
48409efc59 Revert "Update HOSTNAME in grok-patterns"
This reverts commit a17f72150d.
This change caused a syntax error in the HOSTNAME pattern I believe.
2013-06-26 15:06:28 -07:00
Jordan Sissel
93fe8c011f Merge pull request #520 from erezzarum/fix-pattern
Europe date metric compliance is dd/mm/yyyy
2013-06-23 23:32:23 -07:00
Erez Zarum
c113556765 Europe date metric compliance is dd/mm/yyyy 2013-06-17 19:27:33 +00:00
xiaclo
a17f72150d Update HOSTNAME in grok-patterns
RFC952 states of a hostname: "The last character must not be a minus sign or period."
https://tools.ietf.org/html/rfc952

Some of the limitations in RFC952 were lifted by RFC1123, but not this one.
https://tools.ietf.org/html/rfc1123

The updated regex still allows single character hostnames, but does not allow the final character in any section to be a '-'.
2013-06-10 14:11:43 +10:00
Oluf Lorenzen
2bf6a9c0d6 make numbers match w/o word-boundaries 2013-04-22 18:24:58 +03:00
Oluf Lorenzen
19f3bf2fb3 fix TTY (make subdir optional)
Seems as if I did not test the other patch W(
2013-04-22 17:34:50 +03:00
Oluf Lorenzen
a49c52aab9 fix typo 2013-04-22 17:27:18 +03:00
Oluf Lorenzen
17c1ca2deb shorten/cleanup/fix TTY-pattern
removed BSD/Linux-specific TTYS, as there are several more TTY names even under Linux than /dev/pts/${NONNEGINT}.
This also allows
 * "/dev/ttyUSB0"
 * "/dev/ttyS0"
2013-04-18 19:15:03 +03:00
Alexander Papaspyrou
e70c2d0ced And another one :-( Working in the eve is a **bad** idea. 2013-03-22 20:11:53 +01:00
Alexander Papaspyrou
d9b4b05f83 Meh. Forgot one variable... 2013-03-22 20:08:05 +01:00
Alexander Papaspyrou
c0937c5cb3 Changes wrt. @jordansissel's comments on [my pull request](https://github.com/logstash/logstash/pull/415). 2013-03-22 20:04:15 +01:00
Alexander Papaspyrou
e332f52c48 Added support for IETF 5425 syslog parsing in grok. 2013-03-22 18:30:14 +01:00
emergion
0ea3cbca40 Periods are common in usernames, allowed in most cases and RFC2617 thinks they are ok 2013-03-14 17:18:55 +11:00
Jordan Sissel
0503b11260 Merge pull request #316 from xiaclo/patch-2
Update patterns/grok-patterns
2013-02-27 09:00:31 -08:00
Jordan Sissel
d05407e29c Merge pull request #371 from alexkoltun/patch-1
Make 'HOUR' accept single-digit hours.
2013-02-26 12:14:02 -08:00
Aaron Blew
e019693cab Renamed mcollective patterns in the traditional app style
Removed mcollective base pattern since it's just the standard Ruby pattern
2013-02-26 11:55:38 -08:00
alexkoltun
9d26770a5b Update patterns/grok-patterns
Fix the hour pattern to accept single-digit hours; fixes an issue with timestamps like this: "2013-02-21 6:23:46"
2013-02-21 09:42:39 +02:00
Jordan Sissel
2b739b5120 Merge pull request #361 from blewa/26bf4b3028bcb1beb2a01b3d2fdf681634750af4
More app patterns
2013-02-14 23:46:21 -08:00
Aaron Blew
26bf4b3028 Added patterns for MCollective audit and general logs
Added redis pattern
Added Postgresql pattern
2013-02-14 23:31:12 -08:00
Joseph Price
23f0c61229 Improvements to HAPROXYHTTP pattern.
* haproxy may log "<BADREQ>" in http_request which was not previously
  matched.

* http_request's closing '"' should not be collected with the optional
  http_version, it is required.
2013-02-07 14:09:28 +00:00
Joseph Price
4560f862f8 Request-URI may be absolute. 2013-02-04 11:12:00 +00:00
Aaron Blew
e2a29e159f Added : as a valid separator between seconds and subseconds 2013-01-24 17:22:31 -08:00
xiaclo
c070cbd055 Update patterns/grok-patterns
This is a personal preference, but for web logs, I prefer the parser to capture what it can.  Currently with an invalid request, it fails completely rather than capturing the other log information such as date, bytes transferred and HTTP status.

This patch captures the invalid request into @fields.rawrequest and leaves @fields.verb, @fields.request and @fields.httpversion as nulls if it cannot be properly parsed.

Here is a sample of invalid requests I have from my logs:
115.70.170.86 - - [31/Oct/2012:06:41:24 +1100] "G" 408 0 "-" "-"
165.86.71.20 - - [31/Oct/2012:04:27:01 +1100] "GET http://dis.us.criteo.com/dis/dis.aspx?&t1=sendEvent&c=2&p=3937&p1=v%3D2%26wi%3D7715628%26pt1%3D0%26pt2%3D1%26si%3D1&cb=21664477550&ref=&sc_r=1280x1024&sc_d=32 HTTP/1.0" 400 672 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

Obviously these are not valid requests, and I prefer to handle them this way, but the change is up to you.
2013-01-14 14:39:03 +11:00
xiaclo
3c89bea927 Update patterns/grok-patterns
The hyphens in the regexes are creating ranges and need to be escaped.  Without this change, it results in parser failures for logs containing URIs such as:

/test/page.html?arg=hypenated-arg
2013-01-11 12:04:14 +11:00
Frank Rosquin
698baed405 Fixed year pattern.
Year was matching any digit, one or more times. This could lead to way
too eager matching.

Match years as either a group of 2, or a group of 4 digits.
2013-01-08 15:45:46 +01:00
Jordan Sissel
c39e5a4e97 Merge branch 'master' of https://github.com/gdb/logstash into gdb-master
Conflicts:
	patterns/ruby
2012-12-27 22:25:05 -08:00
Jordan Sissel
180509c3f6 Merge pull request #271 from decbis/patch-1
Update patterns/ruby
2012-12-21 16:18:15 -08:00
Jordan Sissel
124a14461f Add '.' as a valid date separator for EU dates (requested by rarruda in irc) 2012-12-21 01:34:09 -08:00
Eugen Dinca
96cfa49be6 Update patterns/ruby
- Corrected missing % for POSINT
- Made progname optional
- Made message greedy
- Made all fields named (except the first)
2012-12-12 18:22:50 -05:00
Avishai Ish-Shalom
9d5649b845 fixed missing | 2012-12-04 22:41:12 +02:00
Avishai Ish-Shalom
e3a250e9bc Added TRACE to LOGLEVEL 2012-12-04 22:33:47 +02:00
MikeSchuette
e25a7701de Match invalid URI characters in COMBINEDAPACHELOG
Apache generally logs whatever is requested, which is not guaranteed to be valid.
2012-11-27 13:56:59 -06:00
MikeSchuette
cd0e08e29d Fix URIPARAM to allow square brackets
PHP uses these all the time.
2012-11-27 11:55:20 -06:00
Greg Brockman
a98879c07f Add missing percent 2012-11-17 16:28:08 -08:00
Jordan Sissel
defc9b9c61 Merge pull request #241 from tabletcorry/java_pattern_dollar
Add '$' as valid character in java class name
2012-11-17 11:29:44 -08:00
Jordan Sissel
919329320c - Use atomic grouping for PATH and its siblings. Fixes LOGSTASH-701 2012-11-13 13:06:13 -08:00
Corry Haines
b3283cdabc Add '$' as valid character in java class name
This definitely exists at the leaf name, but I am unsure if it is
allowed at higher levels.
2012-11-12 08:53:51 -08:00
Jordan Sissel
20b36b84e4 Fix netscreen pattern 2012-10-31 13:49:06 -07:00
Jordan Sissel
68258c1944 fix spec/examples/parse-apache-logs failure due to QUOTEDSTRING not matching empty "" 2012-10-28 21:25:09 -07:00
Jordan Sissel
6f74511067 - use atomic groups (no backtracking) in QUOTEDSTRING - should prevent
some additional watchdog timeouts due to Oniguruma getting stuck.
LOGSTASH-644
2012-10-24 17:54:14 -07:00
olagache
71f471c60b Update patterns/grok-patterns 2012-09-27 18:28:46 +03:00
Jordan Sissel
06f91394c6 Hopefully fix some apache parsing issues 2012-09-26 23:08:03 -07:00
Matthew Baxa
528daa1114 Added '?' to URIPARAM
Added the '?' character to URIPARAM to handle an edge case
2012-09-26 15:14:00 -05:00
Jordan Sissel
99d88eb0ae - facility/severity can be zero. 2012-09-10 20:26:16 -07:00
Jordan Sissel
481472ec0c - don't capture 'ZONE' by name. (LOGSTASH-251) 2012-09-08 11:23:32 -07:00