# Parser: no_year
# ===============
# Syslog-style timestamp that carries no year field, a common case with
# older syslog implementations. The regex is anchored and linear: two
# space-delimited tokens (key001, key002), then the rest of the line is
# the time string. Time_Keep On retains the raw time field in the record.
# NOTE(review): with no %Y in Time_Format the parser presumably supplies
# the current year, which can misdate lines across the Dec/Jan rollover
# — confirm against the parser's time lookup.
#
[PARSER]
Name no_year
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %b %d %H:%M:%S
Time_Keep On
# Parser: no_year_N
# =================
# Compatibility check: same no-year syslog format as no_year, but the
# seconds carry a '.'-separated fractional part. %L is Fluent Bit's
# fractional-seconds specifier (not part of C strptime).
#
[PARSER]
Name no_year_N
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %b %d %H:%M:%S.%L
Time_Keep On
# Parser: no_year_NC
# ==================
# Compatibility check: no-year syslog format with a fractional-seconds
# part (%L) that uses a comma, not a dot, as the separator.
#
[PARSER]
Name no_year_NC
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %b %d %H:%M:%S,%L
Time_Keep On
# Parser: no_year_TZ
# ==================
# No-year syslog format followed by a numeric UTC offset (%z). The
# offset is read from the line itself, so no default zone is assumed.
#
[PARSER]
Name no_year_TZ
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %b %d %H:%M:%S %z
Time_Keep On
# Parser: no_year_N_TZ
# ====================
# No-year syslog format with a '.'-separated fractional-seconds part (%L)
# and a trailing numeric UTC offset (%z).
#
[PARSER]
Name no_year_N_TZ
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %b %d %H:%M:%S.%L %z
Time_Keep On
# Parser: no_year_NC_TZ
# =====================
# No-year syslog format with a comma-separated fractional-seconds part
# (%L) and a trailing numeric UTC offset (%z).
#
[PARSER]
Name no_year_NC_TZ
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %b %d %H:%M:%S,%L %z
Time_Keep On
# Parser: default_UTC
# ===================
# US-style date (month/day/year) and time with no zone designator in the
# format. The name implies the value is interpreted as UTC; that is the
# parser's default handling for zone-less timestamps — confirm.
# Time_Format is identical to the generic parser below.
#
[PARSER]
Name default_UTC
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S
Time_Keep On
# Parser: default_UTC_Z
# =====================
# US-style date and time ending in a literal 'Z' (UTC designator). The
# 'Z' is not a conversion specifier; it must appear verbatim in the input.
#
[PARSER]
Name default_UTC_Z
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%SZ
Time_Keep On
# Parser: default_UTC_N_Z
# =======================
# US-style date and time with a '.'-separated fractional-seconds part
# (%L) and a literal trailing 'Z' (UTC designator).
#
[PARSER]
Name default_UTC_N_Z
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S.%LZ
Time_Keep On
# Parser: default_UTC_NC_Z
# ========================
# US-style date and time with a comma-separated fractional-seconds part
# (%L) and a literal trailing 'Z' (UTC designator).
#
[PARSER]
Name default_UTC_NC_Z
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S,%LZ
Time_Keep On
# Parser: generic_TZ
# ==================
# Generic US-style date and time followed by a numeric UTC offset (%z).
#
[PARSER]
Name generic_TZ
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S %z
Time_Keep On
# Parser: generic
# ===============
# Generic US-style date (month/day/year) and time, no fractional seconds,
# no zone designator in the format.
#
[PARSER]
Name generic
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S
Time_Keep On
# Parser: generic_N
# =================
# Generic US-style date and time with a '.'-separated fractional-seconds
# part (%L).
#
[PARSER]
Name generic_N
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S.%L
Time_Keep On
# Parser: generic_NC
# ==================
# Generic US-style date and time with a comma-separated fractional-seconds
# part (%L).
#
[PARSER]
Name generic_NC
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S,%L
Time_Keep On
# Parser: generic_N_TZ
# ====================
# Generic US-style date and time with a '.'-separated fractional-seconds
# part (%L) and a trailing numeric UTC offset (%z).
#
[PARSER]
Name generic_N_TZ
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S.%L %z
Time_Keep On
# Parser: generic_NC_TZ
# =====================
# Generic US-style date and time with a comma-separated fractional-seconds
# part (%L) and a trailing numeric UTC offset (%z).
#
[PARSER]
Name generic_NC_TZ
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S,%L %z
Time_Keep On
# Parser: generic_NL_TZ
# =====================
# Generic US-style date and time with a colon-separated fractional-seconds
# part (%L) and a trailing numeric UTC offset (%z). Note the separator
# before %L is ':', the same character used between H/M/S.
#
[PARSER]
Name generic_NL_TZ
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %m/%d/%Y %H:%M:%S:%L %z
Time_Keep On
# Parser: apache_error
# ====================
# Apache error-log timestamp: abbreviated weekday (%a), abbreviated month
# (%b), day, time with a '.'-separated fractional part (%L), then the
# four-digit year (%Y) at the end.
#
[PARSER]
Name apache_error
Format regex
Regex ^(?<key001>[^ ]*) (?<key002>[^ ]*) (?<time>.+)$
Time_Key time
Time_Format %a %b %d %H:%M:%S.%L %Y
Time_Keep On
# Parser: mysql_quoted_stuff
# ==========================
# Comma-separated record: everything before the first comma (non-greedy
# .*?) is the time string; the remainder is key001, which is then run
# through the mysql_quoted decoder (Decode_Field_As). The regex is
# anchored with no nested quantifiers, so matching stays linear on
# arbitrary input.
# NOTE(review): in the date part of Time_Format, %M and %S are the
# minute and second specifiers, so month and day are never parsed and
# the later %H:%M:%S overwrites them; %Y-%m-%d looks intended — confirm
# against the test expectations that use this parser before changing.
#
[PARSER]
Name mysql_quoted_stuff
Format regex
Regex ^(?<time>.*?),(?<key001>.*)$
Time_Key time
Time_Format %Y-%M-%S %H:%M:%S
Time_Keep On
Decode_Field_As mysql_quoted key001