Commit graph

145 commits

Author SHA1 Message Date
Joao Duarte
b5c069aa1e removes the patterns from patterns dir
The core patterns are now provided by the logstash-patterns-core gem.
This empty folder can be used for custom patterns.

Fixes #2228
2014-12-17 19:40:38 +00:00
Simon Mulser
fbf7bd0790 allow user@hostname in commonapache log
Closes #1500 #1736
2014-10-08 16:12:39 -07:00
Brian DeFreitas
8f39b53322 Add tilde to UNIXPATH
Tilde '~' is a valid character in UNIXPATHs.

Closes #1195
2014-07-25 17:51:34 -07:00
Philippe Weber
634014ca68 consolidate java grok patterns 2014-07-16 12:53:34 -07:00
Colin Surprenant
31cb21efa2 Merge pull request #1127 from logongas/master
Change [A|a] by [Aa], etc.
2014-04-09 21:55:12 -04:00
Guillaume Espanel
838e07bf96 Improve RFC-5424 app, proc and msgid matching 2014-04-07 11:19:28 +02:00
Lorenzo González
7bbb594f73 Change [A|a] by [Aa], etc. 2014-02-26 10:26:49 +01:00
Richard Pijnenburg
cc94abdc59 Merge pull request #1117 from logongas/master
Not range in LOGLEVEL pattern em grok for Alert
2014-02-25 10:44:32 +00:00
Richard Pijnenburg
4e6d222677 Merge pull request #886 from tjrobinson/patch-1
Fix problem in MONTHNUM and add DATESTAMP_EVENTLOG pattern
2014-02-25 09:23:43 +00:00
Richard Pijnenburg
ab39172485 Merge pull request #957 from vincentbernat/feature/grok-rfc2822
Add a RFC2822 compliant date pattern
2014-02-25 09:23:22 +00:00
Richard Pijnenburg
2ac81f333f Merge pull request #1068 from jarsever/patch-1
Update java
2014-02-25 09:22:17 +00:00
Richard Pijnenburg
dd73e907bc Merge pull request #1069 from gswallow/master
Add some patterns I found useful in parsing mongo logs.
2014-02-25 09:22:00 +00:00
Lorenzo González
e5c94b14b7 Not range in Alert is | 2014-02-25 09:24:18 +01:00
Greg Swallow
7cc3ee99a1 Prefix patterns with MONGO_ 2014-02-18 10:19:54 -05:00
Richard Pijnenburg
5a501db821 Merge pull request #1080 from wiibaa/patch-1
Allow to grok unpadded seconds
2014-02-18 14:07:28 +00:00
Richard Pijnenburg
f883d0fd08 Merge pull request #816 from pamelia/master
Added file with patterns for JUNOS 11.4 RT_FLOW log messages
2014-02-17 19:13:52 +00:00
Richard Pijnenburg
8457276d19 Merge pull request #807 from timidri/patch-1
HOSTPORT doesn't parse anything useful
2014-02-17 19:12:20 +00:00
Wiibaa
815e984cf3 Allow to grok unpadded seconds
As identified in LOGSTASH-709 : Grok "TIME" failing on unpadded "seconds"
2014-02-17 09:13:12 +01:00
Greg Swallow
5b929f8909 Add some patterns I found useful in parsing mongo logs. 2014-02-14 18:11:15 -05:00
jarsever
93466af1d6 Update java
Added support for an "_" in the JAVACLASS and added support for a space in the JAVAFILE expression.

Examples are: "at org.jnp.server.NamingServer_Stub.lookup(Unknown Source)"

This example would have failed without the update.
2014-02-14 15:41:33 -07:00
Vincent Bernat
b3260145a0 Add a RFC2822 compliant date pattern
The pattern is defined in RFC2822 and differs from the one defined in
RFC822:
 http://www.ietf.org/rfc/rfc2822.txt

Example:
 Mon, 20 Jan 2014 18:40:18 +0100
2014-01-20 19:12:50 +01:00
Tom Robinson
768518c182 Fix problem in MONTHNUM and add DATESTAMP_EVENTLOG pattern and
Whilst trying to get Windows Event Log data into logstash I had some problems with the timestamp format Windows uses.

Taking an example value (the TimeGenerated field provided by the eventlog input):

20131218141650.687853-000

And using:

%{YEAR}%{MONTHNUM}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}

I get a %{MONTHNUM} value of 1, but it should be 12. This is because the MONTHNUM pattern allows for single digit month values. I created a new pattern which removed this flexibility:

MONTHNUM2 (?:0[1-9]|1[0-2])

This, along with the pattern below works as I would expect:

DATESTAMP_EVENTLOG %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}

I'm sure there's a better way of implementing this but I think this is a genuine problem.
2013-12-18 14:56:07 +00:00
Jordan Sissel
5e7e81ce2c Merge pull request #882 from logstash/remove-old-comment
- remove some unused stuff
2013-12-16 23:00:07 -08:00
Marcus Pamelia
5be87a0fef Added file with patterns for JUNOS 11.4 RT_FLOW log messages 2013-12-02 06:06:20 +01:00
Dimitri Tischenko
a50d3aadd1 HOSTPORT didn't parse anything useful
Changed HOSTPORT to a simple combination of IPORHOST and POSINT. What was the old pattern supposed to do and what does =~ mean?
2013-11-27 12:07:22 +01:00
Kurt Hurtado
53764eeafc add COMMONAPACHELOG 2013-11-26 14:42:36 -08:00
Kurt Hurtado
4cd7941dc2 adding COMMONAPACHELOG 2013-11-26 14:40:26 -08:00
Nick Ethier
fce464d021 Merge pull request #758 from GregMefford/master
Eliminated named literal captures in favor of Grok expressions for ASA firewall patterns
2013-11-22 20:08:47 -08:00
Kurt Hurtado
8a3b510174 Adding COMMONAPACHELOG format 2013-11-22 19:29:13 -08:00
Peter Fern
01737e0547 [LOGSTASH-1630] Syslog 5424 patterns fail to match additional spaces
https://logstash.jira.com/browse/LOGSTASH-1630

Split the start of `SYSLOG5424LINE` out to `SYSLOG5424BASE`, in case
people want to create PAM or CRON patterns, similar to those available
for `SYSLOG`.

Also make syslog5424_sd optionally match nothing, since it seems to be
omitted entirely with rsyslog's `RSYSLOG_SyslogProtocol23Format` (ie -
there is no SD data, and it is not correctly replaced with a `-`).
2013-11-21 16:05:26 +11:00
Greg Mefford
a76d0bc70b Finished removing literal named captures from Cisco ASA Grok patterns 2013-11-05 21:13:12 -05:00
Greg Mefford
bb1d7ba7d2 Begin converting literal named captures to Grok expressions. 2013-11-05 21:13:11 -05:00
Jordan Sissel
f531aa5c67 - remove some unused stuff 2013-10-29 14:51:25 -07:00
fbarbeira
e7e3db89de Update grok-patterns
Add LOGLEVEL pattern "ALERT"
2013-09-27 12:44:57 +02:00
Matt Dainty
b9949fe11c Add IPv6 grok pattern.
Rename IP pattern to IPV4 and add new IP pattern that matches either IPV6 or
IPV4 patterns.

IPV6 regex swiped from http://forums.intermapper.com/viewtopic.php?t=452
2013-09-04 17:25:55 +01:00
Jordan Sissel
cb58e2c800 Merge pull request #585 from nilya/patch-1
Add @ to URIPATH and URIPARAM
2013-09-03 11:39:57 -07:00
Greg Mefford
55a3e80fb8 Fixed missing policy-id and hashcodes in Cisco ASA-4-106023 log format 2013-09-02 20:58:47 -04:00
Greg Mefford
e3f0220fe3 Add a Grok expression for the base part of the Cisco ASA syslog message 2013-09-01 16:26:55 -04:00
Greg Mefford
33f6297924 List all matched message codes in the Grok names to help troubleshoot parse failures 2013-09-01 08:24:36 -04:00
Greg Mefford
be6754fc66 Added a bunch of Grok patterns for Cisco ASA firewall syslog messages.
* Confirmed to work:
  ASA-6-106015
  ASA-1-106021
  ASA-4-106023
  ASA-5-106100
  ASA-6-110002
  ASA-6-302010
  ASA-6-302013
  ASA-6-302014
  ASA-6-302015
  ASA-6-302016
  ASA-6-302020
  ASA-6-302021
  ASA-3-313001
  ASA-3-313004
  ASA-4-313005
  ASA-3-313008
  ASA-4-402117
  ASA-4-402119
  ASA-4-419002
  ASA-6-602303
  ASA-6-602304
  ASA-6-713172
  ASA-4-733100
* Based on patterns found here (https://gist.github.com/dav3860/5345656) and documentation here (http://www.cisco.com/en/US/docs/security/asa/syslog-guide/logmsgs.html#wp4771036)
  ASA-2-106001
  ASA-2-106006
  ASA-2-106007
  ASA-2-106010
  ASA-3-106014
  ASA-4-419001
  ASA-4-500004
  ASA-6-305011
  ASA-7-710001
  ASA-7-710002
  ASA-7-710003
  ASA-7-710005
  ASA-7-710006
2013-08-31 23:54:45 -04:00
Tray Torrance
10cd07c809 Add UTC to the TZ grok pattern 2013-08-26 09:43:59 -07:00
Brad Fritz
0630d51ac1 [syslog5424] do not capture chevrons with priority value
Priority is "191", not "<191>".  The syslog_pri filter expects a
raw integer without the extra punctuation.
2013-08-24 11:35:51 -04:00
Brad Fritz
4b345671ff [syslog5424] non-capturing parens since no backreferences needed 2013-08-23 14:34:47 -04:00
Brad Fritz
93990829f2 [syslog5424] structured data should be nil when RFC NILVALUE is used 2013-08-23 14:34:41 -04:00
Ilya Nazarov
0a628929cb Add @ to URIPATH and URIPARAM
URIPATH and URIPARAM don't match URIs like "/assets/img/icon_image_detail@2x.png".
2013-08-22 14:24:08 +06:00
Hugo Lopes Tavares
1e8f5d8b10 Add "emergency" to LOGLEVEL grok pattern
Apache, nginx, syslog, and many systems use emergency level,
and it was missing in logstash.

Also add tests to cover all scenarios of `LOGLEVEL` expansion.
2013-08-02 11:24:12 -04:00
Jordan Sissel
48409efc59 Revert "Update HOSTNAME in grok-patterns"
This reverts commit a17f72150d.
This change caused a syntax error in the HOSTNAME pattern I believe.
2013-06-26 15:06:28 -07:00
Jordan Sissel
93fe8c011f Merge pull request #520 from erezzarum/fix-pattern
Europe date metric compliance is dd/mm/yyyy
2013-06-23 23:32:23 -07:00
Erez Zarum
c113556765 Europe date metric compliance is dd/mm/yyyy 2013-06-17 19:27:33 +00:00
xiaclo
a17f72150d Update HOSTNAME in grok-patterns
RFC952 states of a hostname: "The last character must not be a minus sign or period."
https://tools.ietf.org/html/rfc952

Some of the limitations in RFC952 were lifted by RFC1123, but not this one.
https://tools.ietf.org/html/rfc1123

The updated regex still allows single character hostnames, but does not allow the final character in any section to be a '-'.
2013-06-10 14:11:43 +10:00