Patterns documentation
This page contains generated documentation of all the patterns loaded by crowdsec.
They are sorted by pattern length and are meant to be used in parsers in the form %{PATTERN_NAME}; the variant %{PATTERN_NAME:field_name}, seen throughout the list below, additionally captures the matched text into the named field.
MONGO3_SEVERITY
Pattern :
\w
GREEDYDATA
Pattern :
.*
RAIL_ACTION
Pattern :
\w+
NOTSPACE
Pattern :
\S+
SPACE
Pattern :
\s*
DATA
Pattern :
.*?
JAVALOGMESSAGE
Pattern :
(.*)
NOTDQUOTE
Pattern :
[^"]*
DAY2
Pattern :
\d{2}
RAILS_CONSTROLLER
Pattern :
[^#]+
RUUID
Pattern :
\s{32}
SYSLOG5424PRINTASCII
Pattern :
[!-~]+
BACULA_JOB
Pattern :
%{USER}
BACULA_VERSION
Pattern :
%{USER}
CRON_ACTION
Pattern :
[A-Z ]+
BACULA_DEVICE
Pattern :
%{USER}
WORD
Pattern :
\b\w+\b
BACULA_VOLUME
Pattern :
%{USER}
TZ
Pattern :
[A-Z]{3}
MONGO3_COMPONENT
Pattern :
%{WORD}|-
NUMTZ
Pattern :
[+-]\d{4}
MINUTE
Pattern :
[0-5][0-9]
NAGIOS_TYPE_HOST_ALERT
Pattern :
HOST ALERT
NONNEGINT
Pattern :
\b[0-9]+\b
MONGO_WORDDASH
Pattern :
\b[\w-]+\b
USER
Pattern :
%{USERNAME}
BACULA_DEVICEPATH
Pattern :
%{UNIXPATH}
REDISLOG1
Pattern :
%{REDISLOG}
SYSLOGHOST
Pattern :
%{IPORHOST}
SYSLOG5424SD
Pattern :
\[%{DATA}\]+
NUMBER
Pattern :
%{BASE10NUM}
ISO8601_SECOND
Pattern :
%{SECOND}|60
MONTHNUM2
Pattern :
0[1-9]|1[0-2]
NGUSER
Pattern :
%{NGUSERNAME}
EXIM_PID
Pattern :
\[%{POSINT}\]
YEAR
Pattern :
(?:\d\d){1,2}
BACULA_HOST
Pattern :
[a-zA-Z0-9-]+
NAGIOS_TYPE_SERVICE_ALERT
Pattern :
SERVICE ALERT
MONTHNUM
Pattern :
0?[1-9]|1[0-2]
CISCO_XLATE_TYPE
Pattern :
static|dynamic
RAILS_CONTEXT
Pattern :
(?:%{DATA}\n)*
BACULA_LOG_ENDPRUNE
Pattern :
End auto prune.
USERNAME
Pattern :
[a-zA-Z0-9._-]+
POSINT
Pattern :
\b[1-9][0-9]*\b
QS
Pattern :
%{QUOTEDSTRING}
MODSECRULEVERS
Pattern :
\[ver "[^"]+"\]
INT
Pattern :
[+-]?(?:[0-9]+)
IP
Pattern :
%{IPV6}|%{IPV4}
NAGIOS_EC_ENABLE_SVC_CHECK
Pattern :
ENABLE_SVC_CHECK
NAGIOS_TYPE_EXTERNAL_COMMAND
Pattern :
EXTERNAL COMMAND
NAGIOS_EC_ENABLE_HOST_CHECK
Pattern :
ENABLE_HOST_CHECK
NAGIOS_TYPE_HOST_NOTIFICATION
Pattern :
HOST NOTIFICATION
NAGIOS_EC_DISABLE_SVC_CHECK
Pattern :
DISABLE_SVC_CHECK
IPORHOST
Pattern :
%{IP}|%{HOSTNAME}
DATESTAMP
Pattern :
%{DATE}[- ]%{TIME}
NAGIOS_EC_DISABLE_HOST_CHECK
Pattern :
DISABLE_HOST_CHECK
NAGIOS_TYPE_HOST_EVENT_HANDLER
Pattern :
HOST EVENT HANDLER
NAGIOS_TYPE_CURRENT_HOST_STATE
Pattern :
CURRENT HOST STATE
NAGIOS_TYPE_PASSIVE_HOST_CHECK
Pattern :
PASSIVE HOST CHECK
HOUR
Pattern :
2[0123]|[01]?[0-9]
NAGIOS_TYPE_HOST_FLAPPING_ALERT
Pattern :
HOST FLAPPING ALERT
NGUSERNAME
Pattern :
[a-zA-Z\.\@\-\+_%]+
NAGIOS_TYPE_HOST_DOWNTIME_ALERT
Pattern :
HOST DOWNTIME ALERT
BACULA_LOG_BEGIN_PRUNE_FILES
Pattern :
Begin pruning Files.
NAGIOS_TYPE_SERVICE_NOTIFICATION
Pattern :
SERVICE NOTIFICATION
JAVAFILE
Pattern :
(?:[A-Za-z0-9_. -]+)
HOSTPORT
Pattern :
%{IPORHOST}:%{POSINT}
NAGIOS_TYPE_CURRENT_SERVICE_STATE
Pattern :
CURRENT SERVICE STATE
NAGIOS_TYPE_PASSIVE_SERVICE_CHECK
Pattern :
PASSIVE SERVICE CHECK
NAGIOS_TYPE_SERVICE_EVENT_HANDLER
Pattern :
SERVICE EVENT HANDLER
NAGIOS_TYPE_TIMEPERIOD_TRANSITION
Pattern :
TIMEPERIOD TRANSITION
EXIM_FLAGS
Pattern :
(<=|[-=>*]>|[*]{2}|==)
NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT
Pattern :
SERVICE DOWNTIME ALERT
SSHD_CORRUPT_MAC
Pattern :
Corrupted MAC on input
NAGIOS_EC_SCHEDULE_HOST_DOWNTIME
Pattern :
SCHEDULE_HOST_DOWNTIME
PATH
Pattern :
%{UNIXPATH}|%{WINPATH}
EXIM_SUBJECT
Pattern :
(T=%{QS:exim_subject})
NAGIOS_TYPE_SERVICE_FLAPPING_ALERT
Pattern :
SERVICE FLAPPING ALERT
BACULA_LOG_NOPRUNE_JOBS
Pattern :
No Jobs found to prune.
HTTPDUSER
Pattern :
%{EMAILADDRESS}|%{USER}
BACULA_CAPACITY
Pattern :
%{INT}{1,3}(,%{INT}{3})*
EXIM_PROTOCOL
Pattern :
(P=%{NOTSPACE:protocol})
NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS
Pattern :
ENABLE_SVC_NOTIFICATIONS
URIPROTO
Pattern :
[A-Za-z]+(\+[A-Za-z+]+)?
BACULA_LOG_NOPRUNE_FILES
Pattern :
No Files found to prune.
NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME
Pattern :
SCHEDULE_SERVICE_DOWNTIME
MONGO_QUERY
Pattern :
\{ \{ .* \} ntoreturn: \}
PROG
Pattern :
[\x21-\x5a\x5c\x5e-\x7e]+
NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS
Pattern :
DISABLE_SVC_NOTIFICATIONS
NAGIOS_EC_PROCESS_HOST_CHECK_RESULT
Pattern :
PROCESS_HOST_CHECK_RESULT
BACULA_LOG_VSS
Pattern :
(Generate )?VSS (Writer)?
NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS
Pattern :
ENABLE_HOST_NOTIFICATIONS
UNIXPATH
Pattern :
(/([\w_%!$@:.,~-]+|\\.)*)+
EMAILLOCALPART
Pattern :
[a-zA-Z][a-zA-Z0-9_.+-=:]+
URIPATHPARAM
Pattern :
%{URIPATH}(?:%{URIPARAM})?
KITCHEN
Pattern :
\d{1,2}:\d{2}(AM|PM|am|pm)
NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS
Pattern :
DISABLE_HOST_NOTIFICATIONS
NAGIOSTIME
Pattern :
\[%{NUMBER:nagios_epoch}\]
RUBY_LOGLEVEL
Pattern :
DEBUG|FATAL|ERROR|WARN|INFO
TIME
Pattern :
%{HOUR}:%{MINUTE}:%{SECOND}
JAVATHREAD
Pattern :
(?:[A-Z]{2}-Processor[\d]+)
EXIM_MSG_SIZE
Pattern :
(S=%{NUMBER:exim_msg_size})
REDISTIMESTAMP
Pattern :
%{MONTHDAY} %{MONTH} %{TIME}
NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT
Pattern :
PROCESS_SERVICE_CHECK_RESULT
BASE16NUM
Pattern :
[+-]?(?:0x)?(?:[0-9A-Fa-f]+)
ISO8601_TIMEZONE
Pattern :
Z|[+-]%{HOUR}(?::?%{MINUTE})
MODSECRULEID
Pattern :
\[id %{QUOTEDSTRING:ruleid}\]
SYSLOGTIMESTAMP
Pattern :
%{MONTH} +%{MONTHDAY} %{TIME}
SSHD_PACKET_CORRUPT
Pattern :
Disconnecting: Packet corrupt
SYSLOG5424PRI
Pattern :
<%{NONNEGINT:syslog5424_pri}>
EMAILADDRESS
Pattern :
%{EMAILLOCALPART}@%{HOSTNAME}
NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS
Pattern :
ENABLE_HOST_SVC_NOTIFICATIONS
NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS
Pattern :
DISABLE_HOST_SVC_NOTIFICATIONS
URIHOST
Pattern :
%{IPORHOST}(?::%{POSINT:port})?
EXIM_HEADER_ID
Pattern :
(id=%{NOTSPACE:exim_header_id})
SSHD_TUNN_TIMEOUT
Pattern :
Timeout, client not responding.
MODSECRULEREV
Pattern :
\[rev %{QUOTEDSTRING:rulerev}\]
MCOLLECTIVEAUDIT
Pattern :
%{TIMESTAMP_ISO8601:timestamp}:
DATE
Pattern :
%{DATE_US}|%{DATE_EU}|%{DATE_X}
CISCOTAG
Pattern :
[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
WINPATH
Pattern :
(?:[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
DATE_X
Pattern :
%{YEAR}/%{MONTHNUM2}/%{MONTHDAY}
SSHD_INIT
Pattern :
%{SSHD_LISTEN}|%{SSHD_TERMINATE}
HAPROXYCAPTUREDREQUESTHEADERS
Pattern :
%{DATA:captured_request_headers}
CISCO_INTERVAL
Pattern :
first hit|%{INT}-second interval
MODSECRULEFILE
Pattern :
\[file %{QUOTEDSTRING:rulefile}\]
MODSECURI
Pattern :
\[uri ["']%{DATA:targeturi}["']\]
HAPROXYCAPTUREDRESPONSEHEADERS
Pattern :
%{DATA:captured_response_headers}
MODSECRULELINE
Pattern :
\[line %{QUOTEDSTRING:ruleline}\]
MODSECRULEDATA
Pattern :
\[data %{QUOTEDSTRING:ruledata}\]
CISCO_DIRECTION
Pattern :
Inbound|inbound|Outbound|outbound
BACULA_LOG_CANCELLING
Pattern :
Cancelling duplicate JobId=%{INT}.
SECOND
Pattern :
(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?
MODSECRULEMSG
Pattern :
\[msg %{QUOTEDSTRING:rulemessage}\]
SSHD_TUNN_ERR3
Pattern :
error: bind: Address already in use
BACULA_LOG_STARTRESTORE
Pattern :
Start Restore Job %{BACULA_JOB:job}
SYSLOGLINE
Pattern :
%{SYSLOGBASE2} %{GREEDYDATA:message}
COMMONMAC
Pattern :
(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}
WINDOWSMAC
Pattern :
(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2}
SYSLOGPROG
Pattern :
%{PROG:program}(?:\[%{POSINT:pid}\])?
JAVAMETHOD
Pattern :
(?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
DATE_US
Pattern :
%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
CISCOMAC
Pattern :
(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}
ELB_URIPATHPARAM
Pattern :
%{URIPATH:path}(?:%{URIPARAM:params})?
MAC
Pattern :
%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC}
MODSECUID
Pattern :
\[unique_id %{QUOTEDSTRING:uniqueid}\]
BACULA_LOG_NOPRIOR
Pattern :
No prior Full backup Job record found.
BACULA_TIMESTAMP
Pattern :
%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}
MODSECMATCHOFFSET
Pattern :
\[offset %{QUOTEDSTRING:matchoffset}\]
DATE_EU
Pattern :
%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
MODSECHOSTNAME
Pattern :
\[hostname ['"]%{DATA:targethost}["']\]
URIPATH
Pattern :
(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+
TTY
Pattern :
/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+)
HTTPD_ERRORLOG
Pattern :
%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}
MONTHDAY
Pattern :
(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]
BACULA_LOG_USEDEVICE
Pattern :
Using Device \"%{BACULA_DEVICE:device}\"
MODSECRULESEVERITY
Pattern :
\[severity ["']%{WORD:ruleseverity}["']\]
ANSIC
Pattern :
%{DAY} %{MONTH} [_123]\d %{TIME} %{YEAR}"
RFC822Z
Pattern :
[0-3]\d %{MONTH} %{YEAR} %{TIME} %{NUMTZ}
SSHD_CONN_CLOSE
Pattern :
Connection closed by %{IP:sshd_client_ip}$
CISCOTIMESTAMP
Pattern :
%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
GENERICAPACHEERROR
Pattern :
%{APACHEERRORPREFIX} %{GREEDYDATA:message}
CISCOFW104004
Pattern :
\((?:Primary|Secondary)\) Switching to OK\.
APACHEERRORTIME
Pattern :
%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
HTTPDERROR_DATE
Pattern :
%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
HTTPDATE
Pattern :
%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}
EXIM_MSGID
Pattern :
[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}
NAGIOS_WARNING
Pattern :
Warning:%{SPACE}%{GREEDYDATA:nagios_message}
BACULA_LOG_NOJOBSTAT
Pattern :
Fatal error: No Job status returned from FD.
EXIM_QT
Pattern :
((\d+y)?(\d+w)?(\d+d)?(\d+h)?(\d+m)?(\d+s)?)
REDISLOG
Pattern :
\[%{POSINT:pid}\] %{REDISTIMESTAMP:time} \*\s
BASE10NUM
Pattern :
[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))
SYSLOGFACILITY
Pattern :
<%{NONNEGINT:facility}.%{NONNEGINT:priority}>
COMBINEDAPACHELOG
Pattern :
%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
URIPARAM
Pattern :
\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*
RFC850
Pattern :
%{DAY}, [0-3]\d-%{MONTH}-%{YEAR} %{TIME} %{TZ}
RFC1123
Pattern :
%{DAY}, [0-3]\d %{MONTH} %{YEAR} %{TIME} %{TZ}
UNIXDATE
Pattern :
%{DAY} %{MONTH} [_123]\d %{TIME} %{TZ} %{YEAR}
CISCOFW104003
Pattern :
\((?:Primary|Secondary)\) Switching to FAILED\.
SYSLOG5424LINE
Pattern :
%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}
BACULA_LOG_STARTJOB
Pattern :
Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}
RUBYDATE
Pattern :
%{DAY} %{MONTH} [0-3]\d %{TIME} %{NUMTZ} %{YEAR}
BACULA_LOG_NOOPEN
Pattern :
\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}
RFC1123Z
Pattern :
%{DAY}, [0-3]\d %{MONTH} %{YEAR} %{TIME} %{NUMTZ}
DATESTAMP_RFC822
Pattern :
%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
DATESTAMP_OTHER
Pattern :
%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}
RFC3339
Pattern :
%{YEAR}-[01]\d-[0-3]\dT%{TIME}%{ISO8601_TIMEZONE}
SSHD_TERMINATE
Pattern :
Received signal %{NUMBER:sshd_signal}; terminating.
BACULA_LOG_NOSTAT
Pattern :
\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}
UUID
Pattern :
[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
SSHD_LOGOUT_ERR
Pattern :
syslogin_perform_logout: logout\(\) returned an error
RCONTROLLER
Pattern :
%{RAILS_CONSTROLLER:controller}#%{RAIL_ACTION:action}
DATESTAMP_EVENTLOG
Pattern :
%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}
JAVACLASS
Pattern :
(?:[a-zA-Z$_][a-zA-Z$_0-9]*\.)*[a-zA-Z$_][a-zA-Z$_0-9]*
RFC3339NANO
Pattern :
%{YEAR}-[01]\d-[0-3]\dT%{TIME}\.\d{9}%{ISO8601_TIMEZONE}
NGINXERRTIME
Pattern :
%{YEAR}/%{MONTHNUM2}/%{DAY2} %{HOUR}:%{MINUTE}:%{SECOND}
BACULA_LOG_BEGIN_PRUNE_JOBS
Pattern :
Begin pruning Jobs older than %{INT} month %{INT} days .
BACULA_LOG_NEW_VOLUME
Pattern :
Created new Volume \"%{BACULA_VOLUME:volume}\" in catalog.
BACULA_LOG_MARKCANCEL
Pattern :
JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled.
SSHD_TCPWRAP_FAIL5
Pattern :
warning: can't get client address: Connection reset by peer
EXIM_INTERFACE
Pattern :
(I=\[%{IP:exim_interface}\](:%{NUMBER:exim_interface_port}))
BACULA_LOG_NOOPENDIR
Pattern :
\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}
BACULA_LOG_CLIENT_RBJ
Pattern :
shell command: run ClientRunBeforeJob \"%{GREEDYDATA:runjob}\"
SSHD_IDENT_FAIL
Pattern :
Did not receive identification string from %{IP:sshd_client_ip}
BACULA_LOG_MAXSTART
Pattern :
Fatal error: Job canceled because max start delay time exceeded.
DATESTAMP_RFC2822
Pattern :
%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}
REDISLOG2
Pattern :
%{POSINT:pid}:M %{REDISTIMESTAMP:time} [*#] %{GREEDYDATA:message}
QUOTEDSTRING
Pattern :
("(\\.|[^\\"]+)+")|""|('(\\.|[^\\']+)+')|''|(`(\\.|[^\\`]+)+`)|``
BACULA_LOG_PRUNED_JOBS
Pattern :
Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.
RT_FLOW_EVENT
Pattern :
(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)
CISCOFW302010
Pattern :
%{INT:connection_count} in use, %{INT:connection_count_max} most used
BACULA_LOG_NOSUIT
Pattern :
No prior or suitable Full backup found in catalog. Doing FULL backup.
SSHD_SESSION_CLOSE
Pattern :
pam_unix\(sshd:session\): session closed for user %{USERNAME:sshd_user}
SSHD_INVAL_USER
Pattern :
Invalid user\s*%{USERNAME:sshd_invalid_user}? from %{IP:sshd_client_ip}
MONGO_LOG
Pattern :
%{SYSLOGTIMESTAMP:timestamp} \[%{WORD:component}\] %{GREEDYDATA:message}
BACULA_LOG_JOB
Pattern :
(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \(%{BACULA_VERSION}\):
BACULA_LOG_READYAPPEND
Pattern :
Ready to append to end of Volume \"%{BACULA_VOLUME:volume}\" size=%{INT}
CRONLOG
Pattern :
%{SYSLOGBASE} \(%{USER:user}\) %{CRON_ACTION:action} \(%{DATA:message}\)
URI
Pattern :
%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
SSHD_LISTEN
Pattern :
Server listening on %{IP:sshd_listen_ip} port %{NUMBER:sshd_listen_port}.
HAPROXYTIME
Pattern :
%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})
RAILS3
Pattern :
%{RAILS3HEAD}(?:%{RPROCESSING})?%{RAILS_CONTEXT:context}(?:%{RAILS3FOOT})?
BASE16FLOAT
Pattern :
\b[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+))\b
CISCOFW104001
Pattern :
\((?:Primary|Secondary)\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}
HOSTNAME
Pattern :
\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*(\.?|\b)
CISCOFW105008
Pattern :
\((?:Primary|Secondary)\) Testing [Ii]nterface %{GREEDYDATA:interface_name}
CATALINA_DATESTAMP
Pattern :
%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)
CISCOFW104002
Pattern :
\((?:Primary|Secondary)\) Switching to STANDBY - %{GREEDYDATA:switch_reason}
BACULA_LOG_VOLUME_PREVWRITTEN
Pattern :
Volume \"%{BACULA_VOLUME:volume}\" previously written, moving to end of data.
BACULA_LOG_PRUNED_FILES
Pattern :
Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog.
SSHD_BAD_VERSION
Pattern :
Bad protocol version identification '%{GREEDYDATA}' from %{IP:sshd_client_ip}
SSHD_BADL_PREAUTH
Pattern :
Bad packet length %{NUMBER:sshd_packet_length}. \[%{GREEDYDATA:sshd_privsep}\]
EXIM_DATE
Pattern :
%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}
BACULA_LOG_DUPLICATE
Pattern :
Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed.
RAILS_TIMESTAMP
Pattern :
%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE}
SSHD_TUNN_ERR1
Pattern :
error: connect_to %{IP:sshd_listen_ip} port %{NUMBER:sshd_listen_port}: failed.
CATALINALOG
Pattern :
%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}
SSHD_REFUSE_CONN
Pattern :
refused connect from %{DATA:sshd_client_hostname} \(%{IPORHOST:sshd_client_ip}\)
BACULA_LOG_ALL_RECORDS_PRUNED
Pattern :
All records pruned from Volume \"%{BACULA_VOLUME:volume}\"; marking it \"Purged\"
SSHD_TOOMANY_AUTH
Pattern :
Disconnecting: Too many authentication failures for %{USERNAME:sshd_invalid_user}
SSHD_DISR_PREAUTH
Pattern :
Disconnecting: %{GREEDYDATA:sshd_disconnect_status} \[%{GREEDYDATA:sshd_privsep}\]
MCOLLECTIVE
Pattern :
., \[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\]%{SPACE}%{LOGLEVEL:event_level}
SSHD_TUNN_ERR2
Pattern :
error: channel_setup_fwd_listener: cannot listen to port: %{NUMBER:sshd_listen_port}
BACULA_LOG_DIFF_FS
Pattern :
\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it.
BACULA_LOG_NO_AUTH
Pattern :
Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:
CISCOFW321001
Pattern :
Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system
ELB_REQUEST_LINE
Pattern :
(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
POSTGRESQL
Pattern :
%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}
SSHD_SESSION_OPEN
Pattern :
pam_unix\(sshd:session\): session opened for user %{USERNAME:sshd_user} by \(uid=\d+\)
S3_REQUEST_LINE
Pattern :
(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
TOMCAT_DATESTAMP
Pattern :
20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}
CISCOFW105004
Pattern :
\((?:Primary|Secondary)\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal
RAILS3FOOT
Pattern :
Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}
CISCOFW105003
Pattern :
\((?:Primary|Secondary)\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting
TIMESTAMP_ISO8601
Pattern :
%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
BACULA_LOG_JOBEND
Pattern :
Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second
SYSLOGBASE
Pattern :
%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
SSHD_TUNN_ERR4
Pattern :
error: channel_setup_fwd_listener_tcpip: cannot listen to port: %{NUMBER:sshd_listen_port}
MODSECPREFIX
Pattern :
%{APACHEERRORPREFIX} ModSecurity: %{NOTSPACE:modsecseverity}\. %{GREEDYDATA:modsecmessage}
DAY
Pattern :
Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?
JAVASTACKTRACEPART
Pattern :
%{SPACE}at %{JAVACLASS:class}\.%{JAVAMETHOD:method}\(%{JAVAFILE:file}(?::%{NUMBER:line})?\)
ELB_URI
Pattern :
%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?
EXIM_REMOTE_HOST
Pattern :
(H=(%{NOTSPACE:remote_hostname} )?(\(%{NOTSPACE:remote_heloname}\) )?\[%{IP:remote_host}\])
SSHD_SESSION_FAIL
Pattern :
pam_systemd\(sshd:session\): Failed to release session: %{GREEDYDATA:sshd_disconnect_status}
SSHD_TUNN
Pattern :
%{SSHD_TUNN_ERR1}|%{SSHD_TUNN_ERR2}|%{SSHD_TUNN_ERR3}|%{SSHD_TUNN_ERR4}|%{SSHD_TUNN_TIMEOUT}
BACULA_LOG_NOJOBS
Pattern :
There are no more Jobs associated with Volume \"%{BACULA_VOLUME:volume}\". Marking it purged.
RPROCESSING
Pattern :
\W*Processing by %{RCONTROLLER} as %{NOTSPACE:format}(?:\W*Parameters: \{\%\{DATA:params}}\W*)?
CISCOFW105009
Pattern :
\((?:Primary|Secondary)\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)
SSHD_LOG
Pattern :
%{SSHD_INIT}|%{SSHD_NORMAL_LOG}|%{SSHD_PROBE_LOG}|%{SSHD_CORRUPTED}|%{SSHD_TUNN}|%{SSHD_PREAUTH}
SSHD_DISC_PREAUTH
Pattern :
Disconnected from %{IP:sshd_client_ip} port %{NUMBER:sshd_port}\s*(?:\[%{GREEDYDATA:sshd_privsep}\]|)
TOMCATLOG
Pattern :
%{TOMCAT_DATESTAMP:timestamp} \| %{LOGLEVEL:level} \| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}
SSHD_REST_PREAUTH
Pattern :
Connection reset by %{IP:sshd_client_ip} port %{NUMBER:sshd_port}\s*(?:\[%{GREEDYDATA:sshd_privsep}\]|)
SSHD_CLOS_PREAUTH
Pattern :
Connection closed by %{IP:sshd_client_ip} port %{NUMBER:sshd_port}\s*(?:\[%{GREEDYDATA:sshd_privsep}\]|)
CISCO_TAGGED_SYSLOG
Pattern :
^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:
SSHD_INVA_PREAUTH
Pattern :
input_userauth_request: invalid user %{USERNAME:sshd_invalid_user}?\s*(?:\[%{GREEDYDATA:sshd_privsep}\]|)
RAILS3HEAD
Pattern :
(?m)Started %{WORD:verb} "%{URIPATHPARAM:request}" for %{IPORHOST:clientip} at %{RAILS_TIMESTAMP:timestamp}
CISCOFW105005
Pattern :
\((?:Primary|Secondary)\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}
BACULA_LOG_NEW_LABEL
Pattern :
Labeled new Volume \"%{BACULA_VOLUME:volume}\" on device \"%{BACULA_DEVICE:device}\" \(%{BACULA_DEVICEPATH}\).
CISCO_ACTION
Pattern :
Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
NAGIOS_EC_LINE_ENABLE_HOST_CHECK
Pattern :
%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}
COWRIE_NEW_CO
Pattern :
New connection: %{IPV4:source_ip}:[0-9]+ \(%{IPV4:dest_ip}:%{INT:dest_port}\) \[session: %{DATA:telnet_session}\]$
NAGIOS_EC_LINE_DISABLE_HOST_CHECK
Pattern :
%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}
CISCOFW402117
Pattern :
%{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip}
BACULA_LOG_WROTE_LABEL
Pattern :
Wrote label to prelabeled Volume \"%{BACULA_VOLUME:volume}\" on device \"%{BACULA_DEVICE}\" \(%{BACULA_DEVICEPATH}\)
CISCOFW500004
Pattern :
%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
RAILS3PROFILE
Pattern :
(?:\(Views: %{NUMBER:viewms}ms \| ActiveRecord: %{NUMBER:activerecordms}ms|\(ActiveRecord: %{NUMBER:activerecordms}ms)?
NAGIOS_PASSIVE_HOST_CHECK
Pattern :
%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}
NAGIOS_TIMEPERIOD_TRANSITION
Pattern :
%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}
NAGIOS_HOST_DOWNTIME_ALERT
Pattern :
%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}
HTTPD20_ERRORLOG
Pattern :
\[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
NAGIOS_HOST_FLAPPING_ALERT
Pattern :
%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}
MYSQL_AUTH_FAIL
Pattern :
%{TIMESTAMP_ISO8601:time} %{NUMBER} \[Note\] Access denied for user '%{DATA:user}'@'%{IP:source_ip}' \(using password: YES\)
NGINXERROR
Pattern :
%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}
BACULA_LOG_MAX_CAPACITY
Pattern :
User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \"%{BACULA_DEVICE:device}\" \(%{BACULA_DEVICEPATH}\)
HAPROXYDATE
Pattern :
%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}
NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS
Pattern :
%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}
CISCOFW106021
Pattern :
%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS
Pattern :
%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}
RUBY_LOGGER
Pattern :
[DFEWI], \[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}
CISCOFW110002
Pattern :
%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS
Pattern :
%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}
NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS
Pattern :
%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}
HAPROXYHTTP
Pattern :
(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}
SSHD_RMAP_FAIL
Pattern :
reverse mapping checking getaddrinfo for %{HOSTNAME:sshd_client_hostname} \[%{IP:sshd_client_ip}\] failed - POSSIBLE BREAK-IN ATTEMPT!
SYSLOGBASE2
Pattern :
(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)
SSHD_USER_FAIL
Pattern :
Failed password for invalid user %{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{WORD:sshd_protocol}
NAGIOS_EC_LINE_ENABLE_SVC_CHECK
Pattern :
%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}
SSHD_NORMAL_LOG
Pattern :
%{SSHD_SUCCESS}|%{SSHD_DISCONNECT}|%{SSHD_CONN_CLOSE}|%{SSHD_SESSION_OPEN}|%{SSHD_SESSION_CLOSE}|%{SSHD_SESSION_FAIL}|%{SSHD_LOGOUT_ERR}
SSHD_FAIL
Pattern :
Failed %{WORD:sshd_auth_type} for %{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{WORD:sshd_protocol}
CISCO_REASON
Pattern :
Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
NAGIOS_EC_LINE_DISABLE_SVC_CHECK
Pattern :
%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}
SSHD_CORRUPTED
Pattern :
%{SSHD_IDENT_FAIL}|%{SSHD_MAPB_FAIL}|%{SSHD_RMAP_FAIL}|%{SSHD_TOOMANY_AUTH}|%{SSHD_CORRUPT_MAC}|%{SSHD_PACKET_CORRUPT}|%{SSHD_BAD_VERSION}
SSHD_DISCONNECT
Pattern :
Received disconnect from %{IP:sshd_client_ip} port %{NUMBER:sshd_port}:%{NUMBER:sshd_disconnect_code}: %{GREEDYDATA:sshd_disconnect_status}
BACULA_LOG_NO_CONNECT
Pattern :
Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=%{GREEDYDATA:berror}
SSHD_MAPB_FAIL
Pattern :
Address %{IP:sshd_client_ip} maps to %{HOSTNAME:sshd_client_hostname}, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
SSHD_TCPWRAP_FAIL2
Pattern :
warning: %{DATA:sshd_tcpd_file}, line %{NUMBER}: host name/address mismatch: %{IPORHOST:sshd_client_ip} != %{HOSTNAME:sshd_paranoid_hostname}