程序博客网 > ubuntu 12.04内核版本

logstash,nginx日志,grok pattern调试

来源:互联网 发布:ubuntu 12.04内核版本 编辑:程序博客网 时间:2024/05/07 07:26

#Nginx日志格式定义

log_format  combine '$remote_addr - $remote_user [$time_local] "$request" $http_host ' '$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for" ''$upstream_addr $upstream_status $upstream_cache_status "$upstream_http_content_type" $upstream_response_time > $request_time';


#日志内容

11.11.1.1 - - [01/Mar/2013:12:23:53 +0800] "GET /v1/api HTTP/1.1" api.xx.com 200 4003 "https://api.xx.com/v1/api" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)" "-" 10.1.1.1:80 200 - "text/html;charset=UTF-8" 0.023 > 0.023

#GROK pattern

%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) "(%{NOTSPACE:referrer}|-)" (%{QS:agent}|-) "(%{WORD:x_forword}|-)" (%{URIHOST:upstream_host}|-) (%{NUMBER:upstream_response}|-) (%{WORD:upstream_cache_status}|-) (%{QS:upstream_content_type}|-) (%{BASE16FLOAT:upstream_response_time}|-) > (%{BASE16FLOAT:request_time}|-)

#GROK 在logstash里面的定义,双引号转义一下

filter {  grep {    match => [ "@message", "DNSPod-monitor|DNSPod-reporting|(Webluker NetWork Probe Agent)|JianKongBao" ]    type => "nginx-access"    negate=> true  } grok {    type => "nginx-access"    pattern => "%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \"(%{NOTSPACE:referrer}|-)\" (%{QS:agent}|-) \"(%{WORD:x_forword}|-)\" (%{URIHOST:upstream_host}|-) (%{NUMBER:upstream_response}|-) (%{WORD:upstream_cache_status}|-) (%{QS:upstream_content_type}|-) (%{BASE16FLOAT:upstream_response_time}|-) > (%{BASE16FLOAT:request_time}|-)"  } }

#GROK 内置pattern
https://github.com/logstash/logstash/blob/v1.1.9/patterns/grok-patterns

#在线调试地址:
http://grokdebug.herokuapp.com/

{  "client_ip": [    [      "11.11.1.1"    ]  ],  "ident": [    [      "-"    ]  ],  "auth": [    [      "-"    ]  ],  "timestamp": [    [      "01/Mar/2013:12:23:53 +0800"    ]  ],  "verb": [    [      "GET"    ]  ],  "request": [    [      "/v1/api"    ]  ],  "http_version": [    [      "1.1"    ]  ],  "domain": [    [      "api.xx.com"    ]  ],  "response": [    [      "200"    ]  ],  "bytes": [    [      "4003"    ]  ],  "referrer": [    [      "\"https://api.xx.com/v1/api\""    ]  ],  "agent": [    [      "\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\""    ]  ],  "x_forword": [    [      null    ]  ],  "upstream_host": [    [      "10.1.1.1:80"    ]  ],  "port": [    [      "80"    ]  ],  "upstream_response": [    [      "200"    ]  ],  "upstream_cache_status": [    [      null    ]  ],  "upstream_content_type": [    [      "\"text/html;charset=UTF-8\""    ]  ],  "upstream_response_time": [    [      "0.023"    ]  ],  "request_time": [    [      "0.023"    ]  ]}

StatsD监控

statsd {    host => "10.1.1.1"    port => 8125    increment => "nginx.response.%{response}"    increment => "nginx.request.total"    timing => ["nginx.request.time", "%{request_time}"]    timing => ["nginx.upstream.response.time", "%{upstream_response_time}"]  }

更新:upstream_host和status出现了多次,格式要改。

#nginxlog_format  combine   '$remote_addr - $remote_user [$time_local] "$request" $http_host '                      '$status $body_bytes_sent "$http_referer" '                      '"$http_user_agent" "$http_x_forwarded_for" '                      '"$upstream_addr" "$upstream_status" $upstream_cache_status "$upstream_http_content_type" "$upstream_response_time" > $request_time';
119.161.158.61 - - [01/Mar/2013:15:49:21 +0800] "GET /v1 HTTP/1.1" api.xxx.com 302 5 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22" "-" "10.1.3.6:80, 10.1.3.7:80" "502, 302" - "-" "0.001, 0.006" > 0.007 11.11.1.1 - - [01/Mar/2013:12:23:53 +0800] "GET /v1/api HTTP/1.1" api.xx.com 200 4003 "https://api.xx.com/v1/api" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)" "-" "10.1.1.1:80" "200" - "text/html;charset=UTF-8" "0.023" > 0.023 119.161.158.61 - - [01/Mar/2013:15:41:53 +0800] "GET /img/80x80/7,289ffe3ea152 HTTP/1.1" st.xxx.com 200 2007 "-" "\xE6\x9C\x89\xE5\xBA\xB7\xE5\x8C\xBB\xE7\x94\x9F 1.6.0 (iPhone; iPhone OS 6.1.2; zh_HK)" "-" "10.1.3.8:8071" "200" MISS "image/jpeg" "0.018" > 0.018
#GROK%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) "(%{NOTSPACE:referrer}|-)" "(?<agent>([\w\W]+?)|-)" "(%{WORD:x_forword}|-)" "((?<upstream_host>[\w\W,]+?)|-)" "(?<upstream_response>([0-9, ]+?)|-)" (%{WORD:upstream_cache_status}|-) "(?<upstream_content_type>([\w\W]+?)|-)" "(?<upstream_response_time>([0-9,. ]+?)|-)" > (%{BASE16FLOAT:request_time}|-)
#escaped GROK pattern%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \"(%{NOTSPACE:referrer}|-)\" \"(?<agent>([\w\W]+?)|-)\" \"(%{WORD:x_forword}|-)\" \"((?<upstream_host>[\w\W,]+?)|-)\" \"(?<upstream_response>([0-9, ]+?)|-)\" (%{WORD:upstream_cache_status}|-) \"(?<upstream_content_type>([\w\W]+?)|-)\" \"(?<upstream_response_time>([0-9,. ]+?)|-)\" > (%{BASE16FLOAT:request_time}|-)

#在网站调试通过,但是直接用居然不行。。。

#Exception during filter {"event":{"@source":"file://ufo/home/wwwlogs/api.xxx.com.log","@tags":[],"@fields":{"client_ip":["1.1.1.1"],"ident":["-"],"auth":["-"],"timestamp":["01/Mar/2013:17:39:56 +0800"],"verb":["POST"],"request":["/v1/xxx"],"http_version":["1.1"],"domain":["api.xxx.com"],"response":["200"],"bytes":["56"],"referrer":["-"]},"@timestamp":"2013-03-01T09:39:57.068Z","@source_host":"ufo","@source_path":"/home/wwwlogs/api.xxx.com.log","@message":"1.1.1.1 - - [01/Mar/2013:17:39:56 +0800] \"POST /v1/ HTTP/1.1\" api.xxx.com 200 56 \"-\" \"Dalvik/1.4.0 (Linux; U; Android 2.3.7; Nexus One Build/MIUI)\" \"-\" \"10.1.3.6:80, 10.1.3.7:80\" \"502, 200\" - \"application/json-rpc\" \"0.001, 0.008\" > 1.526","@type":"nginx-access"},"exception":"undefined method `include?' for nil:NilClass","backtrace":["file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filters/grok.rb:189:in `filter'","jar:file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/gems/jls-grok-0.10.7/lib/grok/pure/match.rb:25:in `each_capture'","org/jruby/RubyArray.java:1612:in `each'","jar:file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/gems/jls-grok-0.10.7/lib/grok/pure/match.rb:21:in `each_capture'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filters/grok.rb:186:in `filter'","org/jruby/RubyArray.java:1612:in `each'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filters/grok.rb:172:in `filter'","org/jruby/RubyHash.java:1192:in `each'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filters/grok.rb:163:in `filter'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filters/base.rb:88:in `execute'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filterworker.rb:58:in `filter'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filterworker.rb:56:in `filter'","org/jruby/RubyArray.java:1612:in `each'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filterworker.rb:48:in `filter'","org/jruby/RubyArray.java:1612:in `each'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filterworker.rb:47:in `filter'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/filterworker.rb:32:in `run'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/agent.rb:724:in `run_filter'","file:/usr/local/logstash/logstash-1.1.3-monolithic.jar!/logstash/agent.rb:438:in `run_with_config'"],"filter":"LogStash::Filters::Grok: {\"type\"=>\"nginx-access\", \"break_on_match\"=>false, \"pattern\"=>[\"%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\\\[%{HTTPDATE:timestamp}\\\\] \\\\\\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\\\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\\\\\"(%{NOTSPACE:referrer}|-)\\\\\\\" \\\\\\\"(?<agent>([\\\\w\\\\W]+?)|-)\\\\\\\" \\\\\\\"(%{WORD:x_forword}|-)\\\\\\\" \\\\\\\"((?<upstream_host>[\\\\w\\\\W,]+?)|-)\\\\\\\" \\\\\\\"(?<upstream_response>([0-9, ]+?)|-)\\\\\\\" (%{WORD:upstream_cache_status}|-) \\\\\\\"(?<upstream_content_type>([\\\\w\\\\W]+?)|-)\\\\\\\" \\\\\\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\\\\\" > (%{BASE16FLOAT:request_time}|-)\"], \"tags\"=>[], \"exclude_tags\"=>[], \"add_tag\"=>[], \"remove_tag\"=>[], \"add_field\"=>{}, \"match\"=>{\"@message\"=>[\"%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\\\[%{HTTPDATE:timestamp}\\\\] \\\\\\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\\\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\\\\\"(%{NOTSPACE:referrer}|-)\\\\\\\" \\\\\\\"(?<agent>([\\\\w\\\\W]+?)|-)\\\\\\\" \\\\\\\"(%{WORD:x_forword}|-)\\\\\\\" \\\\\\\"((?<upstream_host>[\\\\w\\\\W,]+?)|-)\\\\\\\" \\\\\\\"(?<upstream_response>([0-9, ]+?)|-)\\\\\\\" (%{WORD:upstream_cache_status}|-) \\\\\\\"(?<upstream_content_type>([\\\\w\\\\W]+?)|-)\\\\\\\" \\\\\\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\\\\\" > (%{BASE16FLOAT:request_time}|-)\"]}, \"patterns_dir\"=>[], \"drop_if_match\"=>false, \"named_captures_only\"=>true, \"keep_empty_captures\"=>false, \"singles\"=>false}","level":"warn"}

换logstash-1.1.5-monolithic.jar

Exception during filter {:event=>#<LogStash::Event:0x6a32edbe @data={"@source"=>"file://ufo/home/wwwlogs/api.xxx.com.log", "@tags"=>[], "@fields"=>{"client_ip"=>["1.1.1.1"], "ident"=>["-"], "auth"=>["-"], "timestamp"=>["01/Mar/2013:17:45:48 +0800"], "verb"=>["POST"], "request"=>["/v1/"], "http_version"=>["1.1"], "domain"=>["api.xxx.com"], "response"=>["200"], "bytes"=>["57"], "referrer"=>["-"]}, "@timestamp"=>"2013-03-01T09:45:49.098Z", "@source_host"=>"ufo", "@source_path"=>"/home/wwwlogs/api.xxx.com.log", "@message"=>"1.1.1.1 - - [01/Mar/2013:17:45:48 +0800] \"POST /v1/ HTTP/1.1\" api.xxx.com 200 57 \"-\" \"Dalvik/1.4.0 (Linux; U; Android 2.3.7; Nexus One Build/MIUI)\" \"-\" \"10.1.3.7:80\" \"200\" - \"application/json-rpc\" \"0.009\" > 0.316", "@type"=>"nginx-access"}, @cancelled=false>, :exception=>#<NoMethodError: undefined method `include?' for nil:NilClass>, :backtrace=>["file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/grok.rb:189:in `filter'", "jar:file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/gems/jls-grok-0.10.8/lib/grok/pure/match.rb:25:in `each_capture'", "org/jruby/RubyArray.java:1612:in `each'", "jar:file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/gems/jls-grok-0.10.8/lib/grok/pure/match.rb:21:in `each_capture'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/grok.rb:186:in `filter'", "org/jruby/RubyArray.java:1612:in `each'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/grok.rb:172:in `filter'", "org/jruby/RubyHash.java:1192:in `each'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/grok.rb:163:in `filter'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/base.rb:88:in `execute'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filterworker.rb:58:in `filter'", "org/jruby/RubyArray.java:1612:in `each'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filterworker.rb:48:in `filter'", "org/jruby/RubyArray.java:1612:in `each'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filterworker.rb:47:in `filter'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filterworker.rb:32:in `run'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/agent.rb:724:in `run_filter'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/agent.rb:438:in `run_with_config'"], :filter=>#<LogStash::Filters::Grok:0x5461f89e @remove_tag=[], @singles=false, @named_captures_only=true, @pattern=["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"], @drop_if_match=false, @add_tag=[], @tags=[], @type="nginx-access", @keep_empty_captures=false, @params={"type"=>"nginx-access", "break_on_match"=>false, "pattern"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"], "tags"=>[], "exclude_tags"=>[], "add_tag"=>[], "remove_tag"=>[], "add_field"=>{}, "match"=>{"@message"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"]}, "patterns_dir"=>[], "drop_if_match"=>false, "named_captures_only"=>true, "keep_empty_captures"=>false, "singles"=>false}, @logger=#<LogStash::Logger:0x2a23f122 @target=#<IO:fd 2>, @subscriber_lock=#<Mutex:0x86ebaa5>, @data={}, @metrics=#<Cabin::Metrics:0x1d9faaf6 @channel=#<Cabin::Channel:0x5d910bab @subscriber_lock=#<Mutex:0x5d95378a>, @metrics=#<Cabin::Metrics:0x6f717505 @channel=#<Cabin::Channel:0x5d910bab ...>, @metrics={}, @metrics_lock=#<Mutex:0x1b9d46c>>, @data={}, @subscribers={}, @level=:info>, @metrics={}, @metrics_lock=#<Mutex:0x4f28ff56>>, @subscribers={2000=>#<Cabin::Outputs::IO:0x27988ee9 @io=#<IO:fd 2>, @lock=#<Mutex:0x10ce774e>>}, @level=:warn>, @add_field={}, @patterns={"@message"=>#<Grok::Pile:0x36cfec44 @patterns={"NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", "USERNAME"=>"[a-zA-Z0-9_-]+", "USER"=>"%{USERNAME}", "INT"=>"(?:[+-]?(?:[0-9]+))", "BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", "NUMBER"=>"(?:%{BASE10NUM})", "BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", "BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", "POSINT"=>"\\b(?:[1-9][0-9]*)\\b", "NONNEGINT"=>"\\b(?:[0-9]+)\\b", "WORD"=>"\\b\\w+\\b", "NOTSPACE"=>"\\S+", "SPACE"=>"\\s*", "DATA"=>".*?", "GREEDYDATA"=>".*", "QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", "UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", "MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", "CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", "WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", "COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", "IP"=>"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])", "HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "HOST"=>"%{HOSTNAME}", "IPORHOST"=>"(?:%{HOSTNAME}|%{IP})", "HOSTPORT"=>"(?:%{IPORHOST=~/\\./}:%{POSINT})", "PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", "UNIXPATH"=>"(?:/(?:[\\w_%!$@:.,-]+|\\\\.)*)+", "LINUXTTY"=>"(?:/dev/pts/%{NONNEGINT})", "BSDTTY"=>"(?:/dev/tty[pq][a-z0-9])", "TTY"=>"(?:%{BSDTTY}|%{LINUXTTY})", "WINPATH"=>"(?:[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", "URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", "URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", "URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=#%_-]*)+", "URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~#%&/=:;_?-]*", "URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", "URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", "MONTH"=>"\\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\\b", "MONTHNUM"=>"(?:0?[1-9]|1[0-2])", "MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", "DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", "YEAR"=>"[0-9]+", "HOUR"=>"(?:2[0123]|[01][0-9])", "MINUTE"=>"(?:[0-5][0-9])", "SECOND"=>"(?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)", "TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", "DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", "DATE_EU"=>"%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}", "ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", "ISO8601_SECOND"=>"(?:%{SECOND}|60)", "TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", "DATE"=>"%{DATE_US}|%{DATE_EU}", "DATESTAMP"=>"%{DATE}[- ]%{TIME}", "TZ"=>"(?:[PMCE][SD]T)", "DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", "DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", "SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", "PROG"=>"(?:[\\w._/%-]+)", "SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", "SYSLOGHOST"=>"%{IPORHOST}", "SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", "HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", "QS"=>"%{QUOTEDSTRING}", "SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", "COMBINEDAPACHELOG"=>"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{URIPATHPARAM:request}(?: HTTP/%{NUMBER:httpversion})?|-)\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}", "LOGLEVEL"=>"([D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE)", "HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", "HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", "HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", "HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", "HAPROXYHTTP"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"%{WORD:http_verb} %{URIPATHPARAM:http_request}( HTTP/%{NUMBER:http_version}\")?", "HAPROXYTCP"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", "JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9]+", "JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", "JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", "SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", "SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", "CRON_ACTION"=>"[A-Z ]+", "CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", "SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", "NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", "NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", "NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", "NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", "NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", "NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", "NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", "NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", "NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", "NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", "NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", "NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", "NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", "NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", "NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", "NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", "NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", "NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", "NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", "NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", "NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", "NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", "NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", "NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", "NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", "NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", "NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", "NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", "NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", "NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2};", "NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", "NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", "NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", "NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", "NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", "NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", "NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", "NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME})", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601} \#{POSINT:pid}\\] *%{RUBY_LOGLEVEL} -- %{DATA:progname}: %{DATA:message}"}, @pattern_files=[], @logger=#<Cabin::Channel:0x7d528e68 @subscriber_lock=#<Mutex:0x4a67b170>, @metrics=#<Cabin::Metrics:0x5db25639 @channel=#<Cabin::Channel:0x7d528e68 ...>, @metrics={}, @metrics_lock=#<Mutex:0x673ae83d>>, @data={}, @subscribers={4250=>#<Cabin::Outputs::StdlibLogger:0x46932781 @logger=#<Logger:0x6706aa59 @logdev=#<Logger::LogDevice:0x6699ede6 @shift_age=nil, @filename=nil, @dev=#<IO:fd 1>, @mutex=#<Logger::LogDevice::LogDeviceMutex:0x3d1cbaa @mon_count=0, @mon_mutex=#<Mutex:0x429207db>, @mon_owner=nil>, @shift_size=nil>, @formatter=nil, @progname=nil, @default_formatter=#<Logger::Formatter:0x141dd02 @datetime_format=nil>, @level=0>>}, @level=:warn>, @groks=[#<Grok:0x7ae9d933 @regexp=/(?<a0>(?:(?<a1>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))|(?<a2>(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])))) ((?<a3>(?<a4>[a-zA-Z0-9_-]+))|-) ((?<a5>(?<a6>[a-zA-Z0-9_-]+))|-) \[(?<a7>(?<a8>(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))\/(?<a9>\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b)\/(?<a10>[0-9]+):(?<a11>(?!<[0-9])(?<a12>(?:2[0123]|[01][0-9])):(?<a13>(?:[0-5][0-9]))(?::(?<a14>(?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)))(?![0-9])) (?<a15>(?:[+-]?(?:[0-9]+))))\] \"(?:(?<a16>\b\w+\b) ((?<a17>\S+)|-)(?: HTTP\/(?<a18>(?:(?<a19>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))))))?|-)\" ((?<a20>(?<a21>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)))|-) ((?<a22>(?:(?<a23>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))|-) (?:(?<a24>(?:(?<a25>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))|-) \"((?<a26>\S+)|-)\" \"(?<agent>([\w\W]+?)|-)\" \"((?<a27>\b\w+\b)|-)\" \"((?<upstream_host>[\w\W,]+?)|-)\" \"(?<upstream_response>([0-9, ]+?)|-)\" ((?<a28>\b\w+\b)|-) \"(?<upstream_content_type>([\w\W]+?)|-)\" \"(?<upstream_response_time>([0-9,. ]+?)|-)\" > ((?<a29>\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b)|-)/, @patterns={"NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", "USERNAME"=>"[a-zA-Z0-9_-]+", "USER"=>"%{USERNAME}", "INT"=>"(?:[+-]?(?:[0-9]+))", "BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", "NUMBER"=>"(?:%{BASE10NUM})", "BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", "BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", "POSINT"=>"\\b(?:[1-9][0-9]*)\\b", "NONNEGINT"=>"\\b(?:[0-9]+)\\b", "WORD"=>"\\b\\w+\\b", "NOTSPACE"=>"\\S+", "SPACE"=>"\\s*", "DATA"=>".*?", "GREEDYDATA"=>".*", "QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", "UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", "MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", "CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", "WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", "COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", "IP"=>"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])", "HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "HOST"=>"%{HOSTNAME}", "IPORHOST"=>"(?:%{HOSTNAME}|%{IP})", "HOSTPORT"=>"(?:%{IPORHOST=~/\\./}:%{POSINT})", "PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", "UNIXPATH"=>"(?:/(?:[\\w_%!$@:.,-]+|\\\\.)*)+", "LINUXTTY"=>"(?:/dev/pts/%{NONNEGINT})", "BSDTTY"=>"(?:/dev/tty[pq][a-z0-9])", "TTY"=>"(?:%{BSDTTY}|%{LINUXTTY})", "WINPATH"=>"(?:[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", "URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", "URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", "URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=#%_-]*)+", "URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~#%&/=:;_?-]*", "URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", "URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", "MONTH"=>"\\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\\b", "MONTHNUM"=>"(?:0?[1-9]|1[0-2])", "MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", "DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", "YEAR"=>"[0-9]+", "HOUR"=>"(?:2[0123]|[01][0-9])", "MINUTE"=>"(?:[0-5][0-9])", "SECOND"=>"(?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)", "TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", "DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", "DATE_EU"=>"%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}", "ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", "ISO8601_SECOND"=>"(?:%{SECOND}|60)", "TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", "DATE"=>"%{DATE_US}|%{DATE_EU}", "DATESTAMP"=>"%{DATE}[- ]%{TIME}", "TZ"=>"(?:[PMCE][SD]T)", "DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", "DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", "SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", "PROG"=>"(?:[\\w._/%-]+)", "SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", "SYSLOGHOST"=>"%{IPORHOST}", "SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", "HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", "QS"=>"%{QUOTEDSTRING}", "SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", "COMBINEDAPACHELOG"=>"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{URIPATHPARAM:request}(?: HTTP/%{NUMBER:httpversion})?|-)\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}", "LOGLEVEL"=>"([D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE)", "HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", "HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", "HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", "HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", "HAPROXYHTTP"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"%{WORD:http_verb} %{URIPATHPARAM:http_request}( HTTP/%{NUMBER:http_version}\")?", "HAPROXYTCP"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", "JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9]+", "JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", "JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", "SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", "SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", "CRON_ACTION"=>"[A-Z ]+", "CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", "SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", "NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", "NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", "NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", "NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", "NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", "NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", "NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", "NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", "NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", "NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", "NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", "NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", "NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", "NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", "NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", "NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", "NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", "NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", "NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", "NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", "NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", "NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", "NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", "NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", "NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", "NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", "NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", "NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", "NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", "NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2};", "NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", "NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", "NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", "NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", "NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", "NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", "NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", "NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME})", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601} \#{POSINT:pid}\\] *%{RUBY_LOGLEVEL} -- %{DATA:progname}: %{DATA:message}"}, @pattern="%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)", @expanded_pattern="(?<a0>(?:(?<a1>\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b))|(?<a2>(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])))) ((?<a3>(?<a4>[a-zA-Z0-9_-]+))|-) ((?<a5>(?<a6>[a-zA-Z0-9_-]+))|-) \\[(?<a7>(?<a8>(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))/(?<a9>\\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\\b)/(?<a10>[0-9]+):(?<a11>(?!<[0-9])(?<a12>(?:2[0123]|[01][0-9])):(?<a13>(?:[0-5][0-9]))(?::(?<a14>(?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)))(?![0-9])) (?<a15>(?:[+-]?(?:[0-9]+))))\\] \\\"(?:(?<a16>\\b\\w+\\b) ((?<a17>\\S+)|-)(?: HTTP/(?<a18>(?:(?<a19>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))))))?|-)\\\" ((?<a20>(?<a21>\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)))|-) ((?<a22>(?:(?<a23>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+))))))|-) (?:(?<a24>(?:(?<a25>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+))))))|-) \\\"((?<a26>\\S+)|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"((?<a27>\\b\\w+\\b)|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" ((?<a28>\\b\\w+\\b)|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > ((?<a29>\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b)|-)", @capture_map={"a0"=>"IPORHOST:client_ip", "a1"=>"HOSTNAME", "a2"=>"IP", "a3"=>"USER:ident", "a4"=>"USERNAME", "a5"=>"USER:auth", "a6"=>"USERNAME", "a7"=>"HTTPDATE:timestamp", "a8"=>"MONTHDAY", "a9"=>"MONTH", "a10"=>"YEAR", "a11"=>"TIME", "a12"=>"HOUR", "a13"=>"MINUTE", "a14"=>"SECOND", "a15"=>"INT", "a16"=>"WORD:verb", "a17"=>"NOTSPACE:request", "a18"=>"NUMBER:http_version", "a19"=>"BASE10NUM", "a20"=>"HOST:domain", "a21"=>"HOSTNAME", "a22"=>"NUMBER:response", "a23"=>"BASE10NUM", "a24"=>"NUMBER:bytes", "a25"=>"BASE10NUM", "a26"=>"NOTSPACE:referrer", "a27"=>"WORD:x_forword", "a28"=>"WORD:upstream_cache_status", "a29"=>"BASE16FLOAT:request_time"}, @logger=#<Cabin::Channel:0x7d528e68 @subscriber_lock=#<Mutex:0x4a67b170>, @metrics=#<Cabin::Metrics:0x5db25639 @channel=#<Cabin::Channel:0x7d528e68 ...>, @metrics={}, @metrics_lock=#<Mutex:0x673ae83d>>, @data={}, @subscribers={4250=>#<Cabin::Outputs::StdlibLogger:0x46932781 @logger=#<Logger:0x6706aa59 @logdev=#<Logger::LogDevice:0x6699ede6 @shift_age=nil, @filename=nil, @dev=#<IO:fd 1>, @mutex=#<Logger::LogDevice::LogDeviceMutex:0x3d1cbaa @mon_count=0, @mon_mutex=#<Mutex:0x429207db>, @mon_owner=nil>, @shift_size=nil>, @formatter=nil, @progname=nil, @default_formatter=#<Logger::Formatter:0x141dd02 @datetime_format=nil>, @level=0>>}, @level=:warn>>]>}, @threadsafe=true, @patternfiles=["file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/firewalls", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/grok-patterns", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/haproxy", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/java", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/linux-syslog", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/nagios", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/ruby"], @patterns_dir=["file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/../../patterns/*"], @config={"type"=>"nginx-access", "break_on_match"=>false, "pattern"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"], "tags"=>[], "exclude_tags"=>[], "add_tag"=>[], "remove_tag"=>[], "add_field"=>{}, "match"=>{"@message"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"]}, "patterns_dir"=>[], "drop_if_match"=>false, "named_captures_only"=>true, "keep_empty_captures"=>false, "singles"=>false}, @break_on_match=false, @match={"@message"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"]}, @exclude_tags=[]>, :level=>:warn}

换https://logstash.objects.dreamhost.com/release/logstash-1.1.9-monolithic.jar
可以了!

es版本是0.20.2,都要升级。恨啊。。。。

不整自动部署看来是不行了。

原文地址:http://log.medcl.net/item/2013/03/logstash-nginx-logs-grok-pattern-debugging/?utm_source=tuicool&utm_medium=referral

1 0
ubuntu 12.04内核版本 ubuntu 12.04内核版本
原创粉丝点击
热门IT博客
网购成瘾怎么办 知乎网购成瘾怎么办 知乎
桌面美女跳舞软件桌面美女跳舞软件
买家淘宝号怎么升级快
连衣裙淘宝网
java ftp 文件排序
js调用微信内置浏览器
access数据库实例视频
c语言数组去重的方法
羞辱2优化补丁
linux usb hub控制命令
mysql行锁
云计算与电子政务
湖北大数据问责汇报
html a标签调用php文件
傲剑太玄升级数据大全
淘宝店提高流量
一元夺宝作弊软件
飞行仿真软件
信息数据信号的关系
淘宝怎么看扣款记录
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 心绞痛如何检查 不稳定型心绞痛分级 突发心绞痛 心绞痛的原因 心肌绞痛 心脏绞痛 心绞痛是怎么引起的 心绞痛严重吗 心绞痛症状自查 心绞痛是什么原因 心绞痛症状是什么 什么是心绞痛 突然心绞痛是怎么回事 为什么会心绞痛 心绞痛是什么原因引起的 心绞痛的临床表现 心绞痛是怎么回事 劳累性心绞痛 劳力性心绞痛 心绞痛名词解释 轻微心绞痛症状 绞痛 心绞痛怎么缓解 心绞痛应该怎么办 怎样缓解心绞痛 心绞痛有什么症状 心绞痛持续时间 缓解心绞痛 心绞痛缓解 如何缓解心绞痛 怎么缓解心绞痛 心绞痛什么症状 心绞痛病因 心绞痛怎么检查 心绞痛的部位 心绞痛啥症状 心绞痛的疼痛部位 心绞痛如何护理 心绞痛注意事项 心绞痛分级 轻微心绞痛

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里