diff options
Diffstat (limited to 'src/formats/syslog_log.json')
-rw-r--r-- | src/formats/syslog_log.json | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/src/formats/syslog_log.json b/src/formats/syslog_log.json new file mode 100644 index 0000000..9207f74 --- /dev/null +++ b/src/formats/syslog_log.json @@ -0,0 +1,99 @@ +{ + "$schema": "https://lnav.org/schemas/format-v1.schema.json", + "syslog_log": { + "title": "Syslog", + "description": "The system logger format found on most posix systems.", + "url": "http://en.wikipedia.org/wiki/Syslog", + "regex": { + "std": { + "pattern": "^(?<timestamp>(?:\\S{3,8}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2}|\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3,6})?(?:Z|(?:\\+|-)\\d{2}:\\d{2})))(?: (?<log_hostname>[a-zA-Z0-9:][^ ]+[a-zA-Z0-9]))?(?: \\[CLOUDINIT\\])?(?:(?: syslogd [\\d\\.]+|(?: (?<log_syslog_tag>(?<log_procname>(?:[^\\[: ]+|[^ :]+))(?:\\[(?<log_pid>\\d+)\\](?: \\([^\\)]+\\))?)?))):\\s*(?<body>.*)$|:?(?:(?: ---)? last message repeated \\d+ times?(?: ---)?))" + }, + "rfc5424": { + "pattern": "^<(?<log_pri>\\d+)>(?<syslog_version>\\d+) (?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{6})?(?:[^ ]+)?) (?<log_hostname>[^ ]+|-) (?<log_syslog_tag>(?<log_procname>[^ ]+|-) (?<log_pid>[^ ]+|-) (?<log_msgid>[^ ]+|-)) (?<log_struct>\\[(?:[^\\]\"]|\"(?:\\.|[^\"])+\")*\\]|-|)\\s+(?<body>.*)" + } + }, + "level-field": "body", + "level": { + "error": "(?:(?:(?<![a-zA-Z]))(?:(?i)error(?:s)?)(?:(?![a-zA-Z]))|failed|failure)", + "warning": "(?:(?:(?i)warn)|not responding|init: cannot execute)" + }, + "opid-field": "log_syslog_tag", + "multiline": true, + "module-field": "log_procname", + "value": { + "log_pri": { + "kind": "integer", + "foreign-key": true, + "description": "The priority level of the message" + }, + "syslog_version": { + "kind": "integer", + "foreign-key": true, + "description": "The version of the syslog format used for this message" + }, + "log_hostname": { + "kind": "string", + "collate": "ipaddress", + "identifier": true, + "description": "The name of the host that generated the message" + }, + "log_procname": { + "kind": "string", + "identifier": true, + "description": "The name of the process that generated the message" + }, + "log_pid": { + "kind": "string", + "identifier": true, + "action-list": [ + "dump_pid" + ], + "description": "The ID of the process that generated the message" + }, + "log_syslog_tag": { + "kind": "string", + "identifier": true, + "description": "The combination of the procname and pid" + }, + "log_msgid": { + "kind": "string", + "identifier": true + }, + "log_struct": { + "kind": "struct" + } + }, + "action": { + "dump_pid": { + "label": "Show Process Info", + "capture-output": true, + "cmd": [ + "dump-pid.sh" + ] + } + }, + "sample": [ + { + "line": "Apr 28 04:02:03 tstack-centos5 syslogd 1.4.1: restart." + }, + { + "line": "Jun 27 01:47:20 Tims-MacBook-Air.local configd[17]: network changed: v4(en0-:192.168.1.8) DNS- Proxy- SMB" + }, + { + "line": "Jun 20 17:26:13 ip-10-188-149-5 [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /var/lib/cloud (recursive=False)" + }, + { + "line": "<46>1 2017-04-27T07:50:47.381967+02:00 logserver rsyslogd - - [origin software=\"rsyslogd\" swVersion=\"8.4.2\" x-pid=\"900\" x-info=\"http://www.rsyslog.com\"] start" + }, + { + "line": "<30>1 2017-04-27T07:59:12+02:00 nextcloud dhclient - - - DHCPREQUEST on eth0 to 192.168.1.1 port 67" + }, + { + "line": "<78>1 2017-04-27T08:09:01+02:00 nextcloud CRON 1472 - - (root) CMD ( [ -x /usr/lib/php5/sessionclean ] && /usr/lib/php5/sessionclean)" + }, + { + "line": "Aug 1 00:00:03 Tim-Stacks-iMac com.apple.xpc.launchd[1] (com.apple.mdworker.shared.0C000000-0700-0000-0000-000000000000[50989]): Service exited due to SIGKILL | sent by mds[198]" + } + ] + } +}
\ No newline at end of file |