From 62e4c68907d8d33709c2c1f92a161dff00b3d5f2 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 22:01:36 +0200 Subject: Adding upstream version 0.11.2. Signed-off-by: Daniel Baumann --- src/formats/unifi_log.json | 204 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 204 insertions(+) create mode 100644 src/formats/unifi_log.json (limited to 'src/formats/unifi_log.json') diff --git a/src/formats/unifi_log.json b/src/formats/unifi_log.json new file mode 100644 index 0000000..369e753 --- /dev/null +++ b/src/formats/unifi_log.json @@ -0,0 +1,204 @@ +{ + "$schema": "https://lnav.org/schemas/format-v1.schema.json", + "unifi_log": { + "title": "UniFi log", + "description": "The UniFi gateway messages logger format (for /var/log/messages).", + "url": "https://www.halolinux.us/firewalls/firewall-log-messages-what-do-they-mean.html", + "regex": { + "kernel-udp": { + "pattern": "^(?[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?[^\\s]+) (?\\w+)\\.(?\\w+) (?kernel): \\[(?:\\s*(?\\d+\\.\\d+))\\]\\s(?:\\[(?[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?IN=(?(?:\\d|\\w)*) OUT=(?(?:\\d|\\w)*) MAC=(?:(?(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?[^\\s]+)))? SRC=(?(?:[\\d\\.])+) DST=(?(?:[\\d\\.])+) LEN=(?(?:\\d+)) TOS=(?0x(?:[0-9A-F])+) PREC=(?0x(?:[0-9A-F])+) TTL=(?\\d+) ID=(?\\d+) (?(?:DF) )?PROTO=(?UDP) SPT=(?\\d+) DPT=(?\\d+) LEN=(?\\d+)\\s*(?.*)$" + }, + "kernel-tcp": { + "pattern": "^(?[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?[^\\s]+) (?\\w+)\\.(?\\w+) (?kernel): \\[(?:\\s*(?\\d+\\.\\d+))\\]\\s(?:\\[(?[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?IN=(?(?:\\d|\\w)*) OUT=(?(?:\\d|\\w)*) MAC=(?:(?(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?[^\\s]+))) SRC=(?(?:[\\d\\.])+) DST=(?(?:[\\d\\.])+) LEN=(?(?:\\d+)) TOS=(?0x(?:[0-9A-F])+) PREC=(?0x(?:[0-9A-F])+) TTL=(?\\d+) ID=(?\\d+) (?(?:DF) )?PROTO=(?TCP) SPT=(?\\d+) DPT=(?\\d+) WINDOW=(?\\d+) RES=(?0x(?:[0-9A-F])+) (?(?:SYN) )?(?:URGP=(?\\d+)\\s*)?(?.*)$" + }, + "kernel-other-proto": { + "pattern": "^(?[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?[^\\s]+) (?\\w+)\\.(?\\w+) (?kernel): \\[(?:\\s*(?\\d+\\.\\d+))\\]\\s(?:\\[(?[^\\]]+)\\]\\s*)?(?:ALIEN BLOCK: )?IN=(?(?:\\d|\\w)*) OUT=(?(?:\\d|\\w)*) MAC=(?:(?(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?::(?[^\\s]+)))? SRC=(?(?:[\\d\\.])+) DST=(?(?:[\\d\\.])+) LEN=(?(?:\\d+)) TOS=(?0x(?:[0-9A-F])+) PREC=(?0x(?:[0-9A-F])+) TTL=(?\\d+) ID=(?\\d+) (?(?:DF) )?PROTO=(?(?!TCP|UDP)(?:\\w+))(?.*)$" + }, + "kernel-other": { + "pattern": "^(?[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?[^\\s]+) (?\\w+)\\.(?\\w+) (?kernel): (?:\\[(?:\\s*(?\\d+\\.\\d+))\\]\\s)?(?!IN|ALIEN BLOCK)(?[^\\[].*)$" + }, + "dnsmasq-dhcp": { + "pattern": "^(?[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?[^\\s]+) (?\\w+)\\.(?\\w+) (?dnsmasq-dhcp[A-Za-z0-9\\.\\-]*)(?:\\[(?\\d+)\\])?: (?DHCP[^(]+)(?:\$(?[^)]*)\$) (?:(?(?:\\d{1,3}\\.){3}\\d{1,3}) )?(?(?:[0-9a-f]{2}:)+[0-9a-f]{2})(?: (?.*))?$" + }, + "other": { + "pattern": "^(?[A-Z][a-z]{2}\\s+\\d+\\s+\\d+:\\d+:\\d+) (?[^\\s]+) (?\\w+)\\.(?\\w+) (?(?!kernel|dnsmasq-dhcp)[A-Za-z0-9\\.\\-]*)(?:\\[(?\\d+)\\])?: (?:\\[apply-config\\])?(?:\\[(?:\\s*(?\\d+\\.\\d+))\\]\\s)?(?.*)$" + } + }, + "level-field": "level", + "level": { + "critical": "emerg", + "error": "err", + "warning": "warn", + "info": "notice" + }, + "opid-field": "ID", + "multiline": false, + "module-field": "module", + "timestamp-format": [ + "%b %d %H:%M:%S" + ], + "value": { + "level": { + "kind": "string", + "identifier": true + }, + "facility": { + "kind": "string", + "identifier": false + }, + "module": { + "kind": "string", + "identifier": false + }, + "ellapsed": { + "kind": "float", + "identifier": false, + "hidden": true + }, + "rule_name": { + "kind": "string", + "identifier": true + }, + "host": { + "kind": "string", + "identifier": true, + "hidden": true + }, + "dhcp_op": { + "kind": "string", + "identifier": true + }, + "dhcp_mac": { + "kind": "string", + "identifier": true + }, + "dhcp_iface": { + "kind": "string" + }, + "dhcp_ip": { + "kind": "string", + "collate": "ipaddress", + "identifier": true + }, + "ID": { + "kind": "integer", + "identifier": true + }, + "IP_IN": { + "kind": "string", + "identifier": false + }, + "IP_OUT": { + "kind": "string", + "identifier": false + }, + "MAC": { + "kind": "string", + "identifier": true, + "hidden": true + }, + "MAC_SRC": { + "kind": "string", + "identifier": false, + "hidden": true + }, + "SRC": { + "kind": "string", + "collate": "ipaddress", + "identifier": true + }, + "SPT": { + "kind": "integer", + "identifier": true + }, + "DST": { + "kind": "string", + "collate": "ipaddress", + "identifier": true + }, + "DPT": { + "kind": "integer", + "identifier": true + }, + "LEN": { + "kind": "integer" + }, + "TOS": { + "kind": "string", + "hidden": true + }, + "PREC": { + "kind": "string", + "hidden": true + }, + "TTL": { + "kind": "integer", + "hidden": true + }, + "PROTO": { + "kind": "string", + "identifier": true + }, + "LEN_UDP": { + "kind": "integer" + }, + "WINDOW": { + "kind": "integer", + "hidden": true + }, + "RES": { + "kind": "string", + "hidden": true + }, + "SYN": { + "kind": "string", + "hidden": true + }, + "URGP": { + "kind": "integer", + "hidden": true + }, + "body": { + "kind": "string" + } + }, + "sample": [ + { + "line": "Mar 2 23:24:28 UDM-Pro user.warn kernel: [1293979.679369] IN=br46 OUT= MAC=24:5a:4c:a2:b1:0b:74:7a:90:9f:e4:ff:08:00 SRC=192.168.46.5 DST=8.8.8.8 LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=34103 DF PROTO=UDP SPT=65450 DPT=53 LEN=48" + }, + { + "line": "Mar 2 23:24:28 UDM-Pro user.warn kernel: [ 979.679369] [DNAT-br46-udp]IN=br46 OUT= MAC=24:5a:4c:a2:b1:0b:74:7a:90:9f:e4:ff:08:00 SRC=192.168.46.5 DST=8.8.8.8 LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=34103 DF PROTO=UDP SPT=65450 DPT=53 LEN=48" + }, + { + "line": "Mar 2 23:00:01 UDM-Pro user.warn kernel: [1293512.217894] [FW-A-LAN_LOCAL_U-2013]IN=br96 OUT= MAC=24:5a:4c:a2:b1:0b:24:5e:be:46:df:c8:08:00 SRC=192.168.96.10 DST=192.168.16.1 LEN=40 TOS=0x00 PREC=0x20 TTL=64 ID=44654 DF PROTO=TCP SPT=55144 DPT=22 WINDOW=837 RES=0x00 ACK URGP=0" + }, + { + "line": "Mar 4 19:25:13 UDM-Pro user.warn kernel: [ 1170.826385] ALIEN BLOCK: IN=eth8 OUT= MAC=24:5a:4c:a2:b1:09:48:2c:d0:ab:93:3f:08:00 SRC=185.128.41.50 DST=192.168.10.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=51242 PROTO=TCP SPT=56958 DPT=7001 WINDOW=1024 RES=0x00 SYN URGP=0" + }, + { + "line": "Mar 2 23:27:40 UDM-Pro authpriv.notice dropbear[29787]: Pubkey auth succeeded for 'root' with key sha1!! 0e:16:76:2b:89:b3:c0:c7:14:a4:00:be:8f:9b:38:9a:12:fd:20:48 from 192.168.96.27:56718" + }, + { + "line": "Mar 4 19:26:07 UDM-Pro user.warn kernel: [ 1225.134675] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module." + }, + { + "line": "Mar 4 19:39:06 UDM-Pro user.notice syswrapper: [apply-config] using fast apply" + }, + { + "line": "Feb 27 23:59:39 UDM-Pro user.notice dpi-flow-stats: ubnt-dpi-util: fingerprint_overrides API failed with HTTP -1" + }, + { + "line": "Mar 4 19:09:18 UDM-Pro user.notice getsig.sh: alien enabled, starting update." + }, + { + "line": "Mar 4 19:22:19 UDM-Pro daemon.info dnsmasq-dhcp[7431]: DHCPREQUEST(br96) 192.168.96.31 a0:57:e3:00:78:9e" + }, + { + "line": "Mar 6 22:38:20 UDM-Pro user.warn kernel: [ 6509.503966] [FW-A-LAN_LOCAL_U-2147483647]IN=br96 OUT= MAC= SRC=192.168.96.1 DST=233.89.188.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2" + }, + { + "line": "Feb 28 14:25:54 UDM-Pro daemon.err mcad: mcad[2910]: ace_reporter.reporter_fail(): initial contact failed #6, url=http://localhost:8080/inform, rc=7" + } + ] + } +} -- cgit v1.2.3