Diffstat (limited to 'config/filter.d/common.conf')
-rw-r--r-- | config/filter.d/common.conf | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index a8cba188..e6b3c641 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf @@ -10,6 +10,9 @@ after = common.local [DEFAULT] +# Type of log-file resp. log-format (file, short, journal, rfc5424): +logtype = file + # Daemon definition is to be specialized (if needed) in .conf file _daemon = \S* @@ -22,7 +25,7 @@ __pid_re = (?:\[\d+\]) # Daemon name (with optional source_file:line or whatever) # EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix) -__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:? +__daemon_re = [\[\(]?<_daemon>(?:\(\S+\))?[\]\)]?:? # extra daemon info # EXAMPLE: [ID 800047 auth.info] @@ -30,11 +33,11 @@ __daemon_extra_re = \[ID \d+ \S+\] # Combinations of daemon name and PID # EXAMPLES: sshd[31607], pop(pam_unix)[4920] -__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?) +__daemon_combs_re = (?:<__pid_re>?:\s+<__daemon_re>|<__daemon_re><__pid_re>?:?) # Some messages have a kernel prefix with a timestamp # EXAMPLES: kernel: [769570.846956] -__kernel_prefix = kernel: \[ *\d+\.\d+\] +__kernel_prefix = kernel:\s?\[ *\d+\.\d+\]:? __hostname = \S+ 
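Review bot: The comment on the new `logtype` option lists the accepted values but does not say that each one has to name an `[lt_<value>]` section, which is what `__prefix_line` and `datepattern` resolve through in the last hunk of this commit. A typo or unsupported value would presumably leave `<lt_<logtype>/__prefix_line>` unresolved; whether that surfaces as a load error or as a filter that never matches is not visible here. I would extend the comment, e.g. `# Must match one of the [lt_*] sections below; selects __prefix_line and datepattern.`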
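Review bot: `__daemon_re` switches from `%(_daemon)s` to `<_daemon>` with no comment explaining the difference between the two reference forms. The same switch is made in `__daemon_combs_re` (next hunk) and in the `[lt_file]`/`[lt_short]` prefixes (last hunk), while `[lt_short]` and `[lt_journal]` still use `%(lt_file/datepattern)s`-style references. Someone adding an override in `common.local` or in a filter cannot tell from the file which form to use. A short comment near `[DEFAULT]` would help, e.g. `# <name> is substituted when the filter is built, so per-jail options such as logtype apply; %(name)s is expanded when the config is read.` The wording should be confirmed against the reader's actual behaviour.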
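Review bot: The `EXAMPLES` comment above `__kernel_prefix` still shows only `kernel: [769570.846956]`, but the new pattern `kernel:\s?\[ *\d+\.\d+\]:?` also accepts a missing space after `kernel:` and a trailing colon. Add an example of the newly accepted form (constructed: `kernel:[769570.846956]:`) or name the log source that emits it, so the loosening can be re-checked later. The `__daemon_combs_re` change in this hunk is only the reference-syntax switch.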
@@ -55,13 +58,32 @@ __date_ambit = (?:\[\]) # [bsdverbose]? [hostname] [vserver tag] daemon_id spaces # # This can be optional (for instance if we match named native log files) -__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)? +__prefix_line = <lt_<logtype>/__prefix_line> # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss, # pam_ldap __pam_auth = pam_unix # standardly all formats using prefix have line-begin anchored date: +datepattern = <lt_<logtype>/datepattern> + +[lt_file] +# Common line prefixes for logtype "file": +__prefix_line = <__date_ambit>?\s*(?:<__bsd_syslog_verbose>\s+)?(?:<__hostname>\s+)?(?:<__kernel_prefix>\s+)?(?:<__vserver>\s+)?(?:<__daemon_combs_re>\s+)?(?:<__daemon_extra_re>\s+)? datepattern = {^LN-BEG} -# Author: Yaroslav Halchenko +[lt_short] +# Common (short) line prefix for logtype "journal" (corresponds output of formatJournalEntry): +__prefix_line = \s*(?:<__hostname>\s+)?(?:<_daemon><__pid_re>?:?\s+)?(?:<__kernel_prefix>\s+)? +datepattern = %(lt_file/datepattern)s +[lt_journal] +__prefix_line = %(lt_short/__prefix_line)s +datepattern = %(lt_short/datepattern)s + +[lt_rfc5424] +# RFC 5424 log-format, see gh-2309: +#__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ \S+\s+ +__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ (?:[^\[\]\s]+|(?:\[(?:[^\]"]*|"[^"]*")*\])+)\s+ +datepattern = ^<\d+>\d+\s+{DATE} + +# Author: Yaroslav Halchenko, Sergey G. Brester (aka sebres) |
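Review bot: In `[lt_rfc5424]` the structured-data part `(?:\[(?:[^\]"]*|"[^"]*")*\])+` nests a starred character class inside a starred group, so on a line where a `[` is never closed a backtracking engine can try many ways of splitting the same run of characters before giving up. RFC 5424 lines often come from remote senders, so the prefix should stay cheap on malformed input. Consuming one character per iteration matches the same strings without the ambiguity: `__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ (?:[^\[\]\s]+|(?:\[(?:[^\]"]|"[^"]*")*\])+)\s+`. Escaped quotes (`\"`) inside a parameter value are not handled by `"[^"]*"` either, which deserves a comment if it is intentional.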