parsers.conf
[MULTILINE_PARSER]
# Combine an HTTP POST into a single message
#
# A record starts at a line that begins with "POST <target> HTTP/1.1" followed
# by a carriage return; requests using another method or HTTP version do not
# open a record.
name combine-http-post
type regex
#
# Regex rules for multiline parsing
# ---------------------------------
#
# configuration hints:
#
# - first state always has the name: start_state
# - every field in the rule must be inside double quotes
#
# rules | state name | regex pattern | next state
# ------|---------------|--------------------------------------------
rule "start_state" "/^POST \S+ HTTP\/1\.1\r/" "cont"
# "cont" matches any line and loops back to itself, so every line after a POST
# request line is appended to the same record; no rule here closes the record.
# NOTE(review): the record presumably ends only at the next POST request line
# or at the multiline flush timeout - confirm flush_timeout and buffer limits
# suit the size of the request bodies, which are sender-controlled.
rule "cont" "/.*/" "cont"
[PARSER]
# Parse a syslog line of the form
#   <PRI>1 TIME HOST IDENT [PTYPE] - MESSAGE
# into the fields pri, time, host, ident, ptype and message.
#
# - pri accepts 1 to 5 digits. NOTE(review): RFC 5424 limits PRI to 3 digits
#   (0-191), so out-of-range values pass this parser - validate downstream if
#   severity or facility drive alerting.
# - host may be empty ([^ ]*); the other space-delimited fields may not.
# - message is everything after "] - "; with the /m flag "." presumably also
#   matches newlines, so the capture can span the rest of a combined record.
# - All captured values come from the log sender and are not validated here.
Name post-with-syslog
Format regex
Regex /^\<(?<pri>[0-9]{1,5})\>1 (?<time>[^ ]+) (?<host>[^ ]*) (?<ident>[^ ]+) \[(?<ptype>[^ ]+)\] - (?<message>.*)/m
# The record timestamp is taken from the "time" field using the format below;
# Time_Keep On leaves the original "time" field in the record as well.
Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%L%z
Time_Keep On
[PARSER]
# Capture the contents of the first "[gauge@<digits> ...]" block into "gauge".
# The pattern is unanchored, so the block may appear anywhere in the input.
# The capture stops at the first "]", so a value containing an escaped "\]"
# would be cut short.
Name extract-gauge
Format regex
Regex /\[gauge@\d+ (?<gauge>[^\]]+)/m
[PARSER]
# Capture the contents of the first "[tags@<digits> ...]" block into "tags".
# The pattern is unanchored, so the block may appear anywhere in the input.
# The capture stops at the first "]", so a value containing an escaped "\]"
# would be cut short.
Name extract-tags
Format regex
Regex /\[tags@\d+ (?<tags>[^\]]+)/m
[PARSER]
# "remainder" is additional log data you might want to write your own parsers for.
#
# Matches one or more back-to-back "[tags@N ...]" / "[gauge@N ...]" blocks,
# skips optional whitespace, and captures whatever follows as "message".
# The blocks must be adjacent: the repeated group allows no separator between them.
# NOTE(review): the capture is named "message", the same field name that
# post-with-syslog produces - confirm whether overwriting that field is intended.
Name extract-remainder
Format regex
Regex /(\[(tags|gauge)@\d+ [^\]]+\])+\s*(?<message>.+)/m
[PARSER]
# Extract probable-json object from remainder. Experimental!
#
# Expects "HH:MM:SS <application_ident> | {...}" and captures the identifier
# and the brace-delimited text as application_ident and application_log.
# The "\{.*\}" capture is greedy: it runs from the first "{" to the last "}"
# before the end of a line, and nothing here checks that the text is valid JSON.
# Treat application_log as unvalidated, application-controlled input.
Name extract-json-object-from-message
Format regex
Regex /\d{2}:\d{2}:\d{2} (?<application_ident>\S+)\s+\|\s+(?<application_log>\{.*\})\s*$/m
[PARSER]
# Parse the input string as JSON.
# NOTE(review): presumably applied to the application_log field produced by
# extract-json-object-from-message - confirm in the filter configuration, and
# confirm how records that fail to parse are handled there.
Name string-to-json
Format json