summaryrefslogtreecommitdiffstats
path: root/src/formats/unifi_log.json
diff options
context:
space:
mode:
Diffstat (limited to 'src/formats/unifi_log.json')
-rw-r--r--src/formats/unifi_log.json204
1 files changed, 204 insertions, 0 deletions
diff --git a/src/formats/unifi_log.json b/src/formats/unifi_log.json
new file mode 100644
index 0000000..369e753
--- /dev/null
+++ b/src/formats/unifi_log.json
@@ -0,0 +1,204 @@
+{
+ "$schema": "https://lnav.org/schemas/format-v1.schema.json",
+ "unifi_log": {
+ "title": "UniFi log",
+ "description": "The UniFi gateway messages logger format (for /var/log/messages).",
+ "url": "https://www.halolinux.us/firewalls/firewall-log-messages-what-do-they-mean.html",
+ "regex": {
+ "kernel-udp": {
+ "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+) (?<facility>\\w+)\\.(?<level>\\w+) (?<module>kernel): \\[(?:\\s*(?<ellapsed>\\d+\\.\\d+))\\]\\s(?:\\[(?<rule_name>[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?IN=(?<IP_IN>(?:\\d|\\w)*) OUT=(?<IP_OUT>(?:\\d|\\w)*) MAC=(?:(?<MAC>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?<MAC_SRC>[^\\s]+)))? SRC=(?<SRC>(?:[\\d\\.])+) DST=(?<DST>(?:[\\d\\.])+) LEN=(?<LEN>(?:\\d+)) TOS=(?<TOS>0x(?:[0-9A-F])+) PREC=(?<PREC>0x(?:[0-9A-F])+) TTL=(?<TTL>\\d+) ID=(?<ID>\\d+) (?<DF>(?:DF) )?PROTO=(?<PROTO>UDP) SPT=(?<SPT>\\d+) DPT=(?<DPT>\\d+) LEN=(?<LEN_UDP>\\d+)\\s*(?<body>.*)$"
+ },
+ "kernel-tcp": {
+ "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+) (?<facility>\\w+)\\.(?<level>\\w+) (?<module>kernel): \\[(?:\\s*(?<ellapsed>\\d+\\.\\d+))\\]\\s(?:\\[(?<rule_name>[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?IN=(?<IP_IN>(?:\\d|\\w)*) OUT=(?<IP_OUT>(?:\\d|\\w)*) MAC=(?:(?<MAC>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?<MAC_SRC>[^\\s]+))) SRC=(?<SRC>(?:[\\d\\.])+) DST=(?<DST>(?:[\\d\\.])+) LEN=(?<LEN>(?:\\d+)) TOS=(?<TOS>0x(?:[0-9A-F])+) PREC=(?<PREC>0x(?:[0-9A-F])+) TTL=(?<TTL>\\d+) ID=(?<ID>\\d+) (?<DF>(?:DF) )?PROTO=(?<PROTO>TCP) SPT=(?<SPT>\\d+) DPT=(?<DPT>\\d+) WINDOW=(?<WINDOW>\\d+) RES=(?<RES>0x(?:[0-9A-F])+) (?<SYN>(?:SYN) )?(?:URGP=(?<URGP>\\d+)\\s*)?(?<body>.*)$"
+ },
+ "kernel-other-proto": {
+ "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+) (?<facility>\\w+)\\.(?<level>\\w+) (?<module>kernel): \\[(?:\\s*(?<ellapsed>\\d+\\.\\d+))\\]\\s(?:\\[(?<rule_name>[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?IN=(?<IP_IN>(?:\\d|\\w)*) OUT=(?<IP_OUT>(?:\\d|\\w)*) MAC=(?:(?<MAC>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?<MAC_SRC>[^\\s]+)))? SRC=(?<SRC>(?:[\\d\\.])+) DST=(?<DST>(?:[\\d\\.])+) LEN=(?<LEN>(?:\\d+)) TOS=(?<TOS>0x(?:[0-9A-F])+) PREC=(?<PREC>0x(?:[0-9A-F])+) TTL=(?<TTL>\\d+) ID=(?<ID>\\d+) (?<DF>(?:DF) )?PROTO=(?<PROTO>(?!TCP|UDP)(?:\\w+))(?<body>.*)$"
+ },
+ "kernel-other": {
+ "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+) (?<facility>\\w+)\\.(?<level>\\w+) (?<module>kernel): (?:\\[(?:\\s*(?<ellapsed>\\d+\\.\\d+))\\]\\s)?(?!IN|ALIEN BLOCK)(?<body>[^\\[].*)$"
+ },
+ "dnsmasq-dhcp": {
+ "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+) (?<facility>\\w+)\\.(?<level>\\w+) (?<module>dnsmasq-dhcp[A-Za-z0-9\\.\\-]*)(?:\\[(?<ID>\\d+)\\])?: (?<dhcp_op>DHCP[^(]+)(?:\\((?<dhcp_iface>[^)]*)\\)) (?:(?<dhcp_ip>(?:\\d{1,3}\\.){3}\\d{1,3}) )?(?<dhcp_mac>(?:[0-9a-f]{2}:)+[0-9a-f]{2})(?: (?<body>.*))?$"
+ },
+ "other": {
+ "pattern": "^(?<timestamp>[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?<host>[^\\s]+) (?<facility>\\w+)\\.(?<level>\\w+) (?<module>(?!kernel|dnsmasq-dhcp)[A-Za-z0-9\\.\\-]*)(?:\\[(?<ID>\\d+)\\])?: (?:\\[apply-config\\])?(?:\\[(?:\\s*(?<ellapsed>\\d+\\.\\d+))\\]\\s)?(?<body>.*)$"
+ }
+ },
+ "level-field": "level",
+ "level": {
+ "critical": "emerg",
+ "error": "err",
+ "warning": "warn",
+ "info": "notice"
+ },
+ "opid-field": "ID",
+ "multiline": false,
+ "module-field": "module",
+ "timestamp-format": [
+ "%b %d %H:%M:%S"
+ ],
+ "value": {
+ "level": {
+ "kind": "string",
+ "identifier": true
+ },
+ "facility": {
+ "kind": "string",
+ "identifier": false
+ },
+ "module": {
+ "kind": "string",
+ "identifier": false
+ },
+ "ellapsed": {
+ "kind": "float",
+ "identifier": false,
+ "hidden": true
+ },
+ "rule_name": {
+ "kind": "string",
+ "identifier": true
+ },
+ "host": {
+ "kind": "string",
+ "identifier": true,
+ "hidden": true
+ },
+ "dhcp_op": {
+ "kind": "string",
+ "identifier": true
+ },
+ "dhcp_mac": {
+ "kind": "string",
+ "identifier": true
+ },
+ "dhcp_iface": {
+ "kind": "string"
+ },
+ "dhcp_ip": {
+ "kind": "string",
+ "collate": "ipaddress",
+ "identifier": true
+ },
+ "ID": {
+ "kind": "integer",
+ "identifier": true
+ },
+ "IP_IN": {
+ "kind": "string",
+ "identifier": false
+ },
+ "IP_OUT": {
+ "kind": "string",
+ "identifier": false
+ },
+ "MAC": {
+ "kind": "string",
+ "identifier": true,
+ "hidden": true
+ },
+ "MAC_SRC": {
+ "kind": "string",
+ "identifier": false,
+ "hidden": true
+ },
+ "SRC": {
+ "kind": "string",
+ "collate": "ipaddress",
+ "identifier": true
+ },
+ "SPT": {
+ "kind": "integer",
+ "identifier": true
+ },
+ "DST": {
+ "kind": "string",
+ "collate": "ipaddress",
+ "identifier": true
+ },
+ "DPT": {
+ "kind": "integer",
+ "identifier": true
+ },
+ "LEN": {
+ "kind": "integer"
+ },
+ "TOS": {
+ "kind": "string",
+ "hidden": true
+ },
+ "PREC": {
+ "kind": "string",
+ "hidden": true
+ },
+ "TTL": {
+ "kind": "integer",
+ "hidden": true
+ },
+ "PROTO": {
+ "kind": "string",
+ "identifier": true
+ },
+ "LEN_UDP": {
+ "kind": "integer"
+ },
+ "WINDOW": {
+ "kind": "integer",
+ "hidden": true
+ },
+ "RES": {
+ "kind": "string",
+ "hidden": true
+ },
+ "SYN": {
+ "kind": "string",
+ "hidden": true
+ },
+ "URGP": {
+ "kind": "integer",
+ "hidden": true
+ },
+ "body": {
+ "kind": "string"
+ }
+ },
+ "sample": [
+ {
+ "line": "Mar 2 23:24:28 UDM-Pro user.warn kernel: [1293979.679369] IN=br46 OUT= MAC=24:5a:4c:a2:b1:0b:74:7a:90:9f:e4:ff:08:00 SRC=192.168.46.5 DST=8.8.8.8 LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=34103 DF PROTO=UDP SPT=65450 DPT=53 LEN=48"
+ },
+ {
+ "line": "Mar 2 23:24:28 UDM-Pro user.warn kernel: [ 979.679369] [DNAT-br46-udp]IN=br46 OUT= MAC=24:5a:4c:a2:b1:0b:74:7a:90:9f:e4:ff:08:00 SRC=192.168.46.5 DST=8.8.8.8 LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=34103 DF PROTO=UDP SPT=65450 DPT=53 LEN=48"
+ },
+ {
+ "line": "Mar 2 23:00:01 UDM-Pro user.warn kernel: [1293512.217894] [FW-A-LAN_LOCAL_U-2013]IN=br96 OUT= MAC=24:5a:4c:a2:b1:0b:24:5e:be:46:df:c8:08:00 SRC=192.168.96.10 DST=192.168.16.1 LEN=40 TOS=0x00 PREC=0x20 TTL=64 ID=44654 DF PROTO=TCP SPT=55144 DPT=22 WINDOW=837 RES=0x00 ACK URGP=0"
+ },
+ {
+ "line": "Mar 4 19:25:13 UDM-Pro user.warn kernel: [ 1170.826385] ALIEN BLOCK: IN=eth8 OUT= MAC=24:5a:4c:a2:b1:09:48:2c:d0:ab:93:3f:08:00 SRC=185.128.41.50 DST=192.168.10.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=51242 PROTO=TCP SPT=56958 DPT=7001 WINDOW=1024 RES=0x00 SYN URGP=0"
+ },
+ {
+ "line": "Mar 2 23:27:40 UDM-Pro authpriv.notice dropbear[29787]: Pubkey auth succeeded for 'root' with key sha1!! 0e:16:76:2b:89:b3:c0:c7:14:a4:00:be:8f:9b:38:9a:12:fd:20:48 from 192.168.96.27:56718"
+ },
+ {
+ "line": "Mar 4 19:26:07 UDM-Pro user.warn kernel: [ 1225.134675] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module."
+ },
+ {
+ "line": "Mar 4 19:39:06 UDM-Pro user.notice syswrapper: [apply-config] using fast apply"
+ },
+ {
+ "line": "Feb 27 23:59:39 UDM-Pro user.notice dpi-flow-stats: ubnt-dpi-util: fingerprint_overrides API failed with HTTP -1"
+ },
+ {
+ "line": "Mar 4 19:09:18 UDM-Pro user.notice getsig.sh: alien enabled, starting update."
+ },
+ {
+ "line": "Mar 4 19:22:19 UDM-Pro daemon.info dnsmasq-dhcp[7431]: DHCPREQUEST(br96) 192.168.96.31 a0:57:e3:00:78:9e"
+ },
+ {
+ "line": "Mar 6 22:38:20 UDM-Pro user.warn kernel: [ 6509.503966] [FW-A-LAN_LOCAL_U-2147483647]IN=br96 OUT= MAC= SRC=192.168.96.1 DST=233.89.188.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2"
+ },
+ {
+ "line": "Feb 28 14:25:54 UDM-Pro daemon.err mcad: mcad[2910]: ace_reporter.reporter_fail(): initial contact failed #6, url=http://localhost:8080/inform, rc=7"
+ }
+ ]
+ }
+}