# Extra set of common parsers

# crowbar: lines carrying an ISO-8601 timestamp in square brackets, then a
# severity word and the message. The leading `^.*` tolerates any prefix before
# the opening bracket, so this is not anchored to the start of the record.
[PARSER]
    # http://rubular.com/r/cCVd1HLCAO
    Name crowbar
    Format regex
    # log_time ends at the seconds: a zone suffix after them (e.g. `+00:00`) is
    # not in `[:\d]`, so it stays outside the capture and is never handed to
    # Time_Format. The lazy `([^\]])*?` skips anything else up to the `]`.
    Regex ^.*\[(?<log_time>[^ ][-.\d\+:]+T[:\d]*)([^\]])*?\]\s+?(?<severity>[^ ]\w+)([\s-]*):?\s+(?<message>.*)
    Time_Format %Y-%m-%dT%H:%M:%S
    # Off: log_time is removed from the record once promoted to the event time.
    Time_Keep Off
    Time_Key log_time

# chefclient: same shape as `crowbar`, but anchored at both ends and stricter:
# the bracketed timestamp must start the line and the severity must be
# followed by a colon.
[PARSER]
    # http://rubular.com/r/frDgnElXW9 
    Name chefclient
    Format regex
    # As in crowbar, only `[:\d]` follows the `T`, so any zone suffix after the
    # seconds is left out of log_time and Time_Format sees just the ISO prefix.
    Regex ^\[(?<log_time>[^ ][-.\d\+:]+T[:\d]*)([^\]])*?\]\s+(?<severity>[^ ]\w+):\s+(?<message>.*)$
    Time_Format %Y-%m-%dT%H:%M:%S
    # Off: the parsed log_time field is dropped from the emitted record.
    Time_Keep Off
    Time_Key log_time

# mysql_error: `<timestamp> <id> [<severity>] [<subsystem>:] <message>` lines
# from the MySQL error log.
[PARSER]
    Name mysql_error
    Format regex
    # Superseded pattern kept for reference; the active Regex is the line below.
    #Regex ^(?<log_time>[^ +][ -:0-9TZ]+|[[:upper:]][[:lower:]]{2})(\+\d+:\d+[TZ]*){0,1}\s*(?<myid>[^ ]\d+)\s+\[(?<severity>[^ ]\w+)\](\s+(?<subsystem>[^ ]\w+):){0,1}\s+(?<message>.*)$
    # NOTE(review): log_time accepts either a space or `T` between date and
    # time (`[\ T]*`) and a trailing `Z` (`[:\dZ]+`), but Time_Format below only
    # describes the space-separated form without a zone. Records using the
    # `T`/`Z` variant will match the regex yet fail the time conversion — confirm
    # which form the monitored log actually emits.
    Regex ^(?<log_time>[^ +][-\d]+[\ T]*[:\dZ]+)\s*(?<myid>[^ ]\d+)\s+\[(?<severity>[^ ]\w+)\](\s+(?<subsystem>[^ ]\w+):){0,1}\s+(?<message>.*)$
    Time_Format %Y-%m-%d %H:%M:%S
    # Off: log_time is not kept as a separate field after becoming the event time.
    Time_Keep   Off
    Time_Key log_time

# mysql_slow: only the `# User@Host:` header line of a slow-query entry. No
# Time_Key/Time_Format is set, so the event time is not taken from the line
# (presumably it stays at ingestion time — verify against the input that uses
# this parser).
[PARSER]
    Name mysql_slow
    Format regex
    # user may carry the bracketed form MySQL prints (`root[root]`), dbhost is
    # the host name and dbhost_address the optional bracketed IP after it.
    Regex ^# User\@Host:\s+(?<user>[^\@][\w\[\]]+)[@\s]+(?<dbhost>[^ ][-.\w]+)\s+(\[(?<dbhost_address>[.\d]+)\]){0,1}\s+(?<message>.*)$

# pacemaker: syslog-style `Mon  d HH:MM:SS [pid] node component: severity: msg`
# lines. The timestamp carries no year, so Time_Format below has no `%Y`.
[PARSER]
    Name pacemaker
    Format regex
    # ` {1,2}` between the month and the day allows the single space-padded
    # day that syslog emits for days 1-9.
    Regex ^\s*(?<log_time>[^ ]* {1,2}[^ ]* [^ ]*) \[(?<pid>\d+)\] (?<node>[\-\w]*)\s*(?<component>\w*):\s+(?<severity>\w+):\s+(?<message>.*)$
    # Earlier ISO-8601 format kept for reference; the active format is below.
    #Time_Format %Y-%m-%dT%H:%M:%S
    # NOTE(review): without `%Y` the year must be supplied by the time parser;
    # confirm the year-less format is handled as expected across a year boundary.
    Time_Format %b %d %H:%M:%S
    # Off: log_time is dropped from the record after conversion.
    Time_Keep   Off
    Time_Key log_time
    # Disabled cast; pid is currently emitted as a string.
    #Types pid:integer

# rabbitmq: `=<SEVERITY> REPORT==== <d-Mon-YYYY::HH:MM:SS> === <message>`
# report headers.
[PARSER]
    Name rabbitmq
    Format regex
    # log_time is delimited by the `=`/whitespace runs on either side of it;
    # `[^ =]` keeps the capture from starting on a separator.
    Regex ^=(?<severity>[^ ]\w+)\s+REPORT[=\s]*(?<log_time>[^ =][-:.\d\w]+)[\s=]+(?<message>.*)$
    # Matches the `9-Mar-2021::17:32:15` shape captured above (constructed example).
    Time_Format %d-%b-%Y::%H:%M:%S
    # Off: log_time is not kept as a field once it becomes the event time.
    Time_Keep   Off
    Time_Key log_time

# http_statement: pulls an HTTP request statement (`METHOD path protocol`) and
# optional trailing `status:`/`len:`/`time:`/`microversion:` fields out of an
# otherwise free-form line. Everything after the method is optional, so a line
# containing a bare method name still matches.
[PARSER]
    Name http_statement
    Format regex
    # NOTE(review): in the method alternation, `[^ ]\w+` binds only to `HEAD`,
    # so `HEAD` followed by a space does not match as written while `HEADxyz`
    # does — confirm whether that trailing class was meant as a separate
    # catch-all alternative. req_path is taken verbatim from the log line, i.e.
    # from client-supplied request data; treat it as untrusted downstream.
    Regex ^.*((?<req_method>GET|POST|PUT|DELETE|CONNECT|OPTIONS|HEAD[^ ]\w+)\s*(?<req_path>[^ ][-._?=%&\/[:alnum:]]*)\s*(?<req_protocol>[^ ][.\/\dHTFSP]+){0,1})(['"\s]*){0,1}((\s*status:\s*(?<req_status>[^ ]\d+)){0,1}(\s*len:\ (?<req_len>[^ ]\d+)){0,1}(\s*time:\s*(?<req_log_time>[^ ][.\d]+)){0,1}(\s*microversion:\s*(?<req_mver>[^ ][.\d]+)){0,1}){0,1}$

# universal: catch-all that accepts any line and stores the whole of it as
# `message`. Useful as a last-resort parser; it never fails to match.
[PARSER]
    Name universal
    Format regex
    Regex ^(?<message>.*)$

# uuid: extracts the first RFC 4122-shaped UUID found anywhere in the line.
# The pattern is unanchored, so surrounding text is ignored and nothing else
# is captured.
[PARSER]
    Name uuid
    Format regex
    # Third group pins the version nibble to 1-5, fourth group pins the variant
    # nibble to 8/9/a/b; hex digits are accepted in either case.
    Regex (?<uuid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})
# Per-version variants of the pattern above, anchored and case-insensitive, in
# case a stricter parser is ever needed:
#UUID v1 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[1][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
#UUID v2 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[2][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
#UUID v3 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[3][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
#UUID v4 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[4][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
#UUID v5 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[5][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i

# Parse IP Tables rules - this one regex should capture pretty much any IP Tables rule and split it into the various fields
# The match starts at the bracketed log prefix, which is assumed to have the
# form `[CHAIN-NAME-ACTION]` immediately followed by `IN=` (no trailing space in
# the prefix) — TODO confirm against the rules' --log-prefix. The TCP block
# (SPT/DPT/WINDOW/RES/flags/URGP) and the ICMP block (TYPE/CODE/ID/SEQ) are each
# optional, so UDP, TCP and ICMP lines are all accepted.
[PARSER]
    Name iptables
    Format regex
    # NOTE(review): source_port/dest_port are captured with `.*` rather than
    # `\d+`; on a malformed or hostile line that lets non-numeric text reach the
    # integer cast below and gives the engine more to backtrack over. `\d+`
    # would bound both. pkt_tos/pkt_prec are also cast to integer although
    # netfilter logs them in hex form (e.g. `0x00`) — confirm the cast handles
    # that.
    Regex \[(?<rule_chain>\w*)-(?<rule_name>\w*)-(?<accept_or_drop>\w*)\]IN=(?<in_interface>[\w.]+)? OUT=(?<out_interface>[\w.]+)? MAC=(?<mac_address>[\w:]+)? SRC=(?<source>(?:[0-9]{1,3}\.){3}[0-9]{1,3}) DST=(?<dest>(?:[0-9]{1,3}\.){3}[0-9]{1,3}) LEN=(?<pkt_len>\d+) TOS=(?<pkt_tos>[\w\d]+) PREC=(?<pkt_prec>[\w\d]+) TTL=(?<pkt_ttl>\d+) ID=(?<pkt_id>\d+)\s?(?<pkg_frg>[A-Z\s].?)\s?PROTO=(?<protocol>[\w\d]+) (SPT=(?<source_port>.*) DPT=(?<dest_port>.*) (LEN=(?<proto_pkt_len>\w+)?)?(WINDOW=(?<proto_window_size>\d+) RES=(?<pkt_res>\w+)? (?<pkt_type>\w+)\s((?<pkt_flag>\w+)?)\s?URGP=(?<pkg_urgency>\d))? )?(TYPE=(?<pkt_icmp_type>\d+) CODE=(?<pkt_icmp_code>\d+) ID=(?<pkt_icmp_id>\d+) SEQ=(?<pkt_icmp_seq>\d+) )?$
    # NOTE(review): the other parsers in this corpus write `Types` entries
    # space-separated (`Types a:integer b:integer`); confirm the comma-separated
    # list here is honoured in full rather than only its first entry.
    Types source_port:integer,dest_port:integer,pkt_ttl:integer,pkt_tos:integer,pkt_len:integer

# Various parsers for Couchbase Server logs

# JSON logs whose `timestamp` field is ISO-8601 with a fractional-seconds part
# (`%L` is the Fluent Bit fractional-seconds extension, not standard strptime).
# The name says nanoseconds; confirm the precision actually present in the log.
[PARSER]
    Name         couchbase_json_log_nanoseconds
    Format       json
    Time_Key     timestamp
    Time_Format  %Y-%m-%dT%H:%M:%S.%L
    # NOTE(review): the value below has trailing whitespace after `On`; it
    # relies on the config reader trimming it. Dropping the space is safer.
    Time_Keep    On 
    # Do not remove the time field from the output we ship

# JSON rebalance reports: `timestamp` is whole-second ISO-8601 with a literal
# `Z` suffix and no fractional part.
[PARSER]
    Name         couchbase_rebalance_report
    Format       json
    Time_Key     timestamp
    Time_Format  %Y-%m-%dT%H:%M:%SZ
    # On: the timestamp field stays in the shipped record (see the JSON parser
    # above). NOTE(review): trailing whitespace after `On` relies on the reader
    # trimming it — drop it.
    Time_Keep    On 

# The level may have optional brackets around it
# Plain-text lines: `<ISO timestamp with +hh:mm offset> [<level>]<message>`.
# Despite the comment above, this Regex requires the brackets; the
# space-separated variant is the next parser.
[PARSER]
    Name         couchbase_simple_log
    Format       regex
    # No separator is required between `]` and message, so message keeps any
    # leading whitespace from the line.
    Regex        ^(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+\.\d+(\+|-)\d+:\d+)\s+\[(?<level>\w+)\](?<message>.*)$
    Time_Key     timestamp
    # `%L` fractional seconds, `%z` the `+hh:mm` offset captured by the Regex.
    Time_Format  %Y-%m-%dT%H:%M:%S.%L%z
    # On: the original timestamp field is kept in the record.
    Time_Keep    On

# As couchbase_simple_log, but the level is a bare word separated from the
# timestamp and the message by whitespace rather than wrapped in brackets.
[PARSER]
    Name         couchbase_simple_log_space_separated
    Format       regex
    Regex        ^(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+\.\d+(\+|-)\d+:\d+)\s+(?<level>\w+)\s+(?<message>.*)$
    Time_Key     timestamp
    # `%L` fractional seconds, `%z` the signed offset the Regex captures.
    Time_Format  %Y-%m-%dT%H:%M:%S.%L%z
    # On: the original timestamp field is kept in the record.
    Time_Keep    On

# Slight change in time format to use Z at end instead of offset:
# 2021-03-09T17:32:02.136Z INFO ...
# https://rubular.com/r/EpG3M1dHb5AnTC
[PARSER]
    Name         couchbase_simple_log_utc
    Format       regex
    # Unlike the space-separated variant, no whitespace is required between
    # level and message, so message starts with the separator that follows the
    # level (e.g. a leading space).
    Regex        ^(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+\.\d+Z)\s+(?<level>\w+)(?<message>.*)$
    Time_Key     timestamp
    # Literal `Z` in the format consumes the `Z` the Regex captures.
    Time_Format  %Y-%m-%dT%H:%M:%S.%LZ
    # On: the original timestamp field is kept in the record.
    Time_Keep    On

# Cope with two different log formats, e.g.:
# 2021/03/09 17:32:15 cbauth: ...
# 2021-03-09T17:32:15.303+00:00 [INFO] ...
# https://rubular.com/r/XUt7xQqEJnrF2M
[PARSER]
    Name         couchbase_simple_log_mixed
    Format       regex
    # Date separators may be `-` or `/`, the date/time separator `T` or spaces,
    # and the fractional part plus offset is optional (`|` with an empty branch).
    # The level may be `[LEVEL]` or `LEVEL:`; the bracket/colon is not captured.
    Regex        ^(?<timestamp>\d+(-|/)\d+(-|/)\d+(T|\s+)\d+:\d+:\d+(\.\d+(\+|-)\d+:\d+|))\s+((\[)?(?<level>\w+)(\]|:))(?<message>.*)$
    # No Time_Format: timestamp is captured as a plain field but not converted
    # into the event time (see the note below).
    Time_Key     timestamp
    Time_Keep    On
# We cannot parse the time as different formats directly, it could be done downstream and/or left as current time

# Erlang-style `[logger:level,<ISO timestamp>Z,...` headers. Only the header
# line is described here; despite the name, this is a plain regex parser.
[PARSER]
    Name         couchbase_erlang_multiline
    Format       regex
    # For some reason this cannot parse an ending close bracket ] followed by a new line immediately
    #Regex        \[(?<logger>\w+):(?<level>\w+),(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+.\d+Z),.*\](?<message>.*)$
    # NOTE(review): the `.` before the fractional digits is unescaped (any
    # character), whereas the sibling couchbase parsers write `\.`; harmless if
    # the log always uses `.`, but `\.` would be consistent and stricter.
    Regex        \[(?<logger>\w+):(?<level>\w+),(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+.\d+Z),(?<message>.*)$
    Time_Key     timestamp
    # NOTE(review): the captured timestamp ends in `Z` but this format does not
    # (compare couchbase_simple_log_utc, which ends in `%LZ`); confirm the
    # unparsed trailing `Z` is tolerated. The value also carries trailing
    # whitespace, which should be removed.
    Time_Format  %Y-%m-%dT%H:%M:%S.%L   
    # On: the original timestamp field is kept in the record.
    Time_Keep    On

# 2021-03-09T17:32:25.339+00:00 INFO CBAS.bootstrap.AnalyticsNCApplication [main] ...
# https://rubular.com/r/9jh1oKtXBN5GEV
# Can include an exception stack trace or a thread dump as well but ignoring these for now
[PARSER]
    Name         couchbase_java_multiline
    Format       regex
    # class and thread are both greedy `.*`, so thread extends to the last
    # `] ` on the line: a message that itself contains `] ` can pull text into
    # the thread field. Bounded classes (e.g. `[^\s]*` / `[^\]]*`) would avoid
    # that — confirm against real lines before tightening.
    Regex        ^(?<timestamp>\d+-\d+-\d+T\d+:\d+:\d+\.\d+(\+|-)\d+:\d+)\s+(?<level>\w+)\s+(?<class>.*)\s+\[(?<thread>.*)\]\s+(?<message>.*)$
    Time_Key     timestamp
    # `%L` fractional seconds, `%z` the signed `+hh:mm` offset.
    Time_Format  %Y-%m-%dT%H:%M:%S.%L%z
    # On: the original timestamp field is kept in the record.
    Time_Keep    On

# A slight modification of the usual Apache/Apache2 parsers
# Common-log-format access lines; the trailing ` - <client>` field replaces the
# referer/user-agent pair of the stock Apache parsers.
[PARSER]
    Name         couchbase_http
    Format       regex
    # method/path come straight from the client's request line and are untrusted
    # text; path is optional (absent on a malformed request line) and the
    # protocol token after it is matched but not captured. code and size are
    # left as strings here; add a `Types` cast if a consumer needs numbers.
    Regex        ^(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \[(?<timestamp>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^ ]*) +\S*)?" (?<code>[^ ]*) (?<size>[^ ]*) - (?<client>.*)$
    Time_Key     timestamp
    # Apache-style `dd/Mon/yyyy:HH:MM:SS +hhmm`.
    Time_Format %d/%b/%Y:%H:%M:%S %z
    # On: the original timestamp field is kept in the record.
    Time_Keep    On

# End of Couchbase Server parsers