# Generic configuration items (to be used as interpolations) in other
# filters or actions configurations
#
# Other configuration files to read together with this one.
[INCLUDES]
# Load customizations if any available
# common.local is read after this file, so its values take precedence over the
# ones below. They then reach every filter that includes this file, so keep
# common.local writable by the administrator only.
after = common.local
# Defaults and regex building blocks shared by the filters that use this file.
[DEFAULT]
# Type of log file, i.e. its log format (file, short, journal, rfc5424):
# Selects the [lt_<logtype>] section that __prefix_line and datepattern below
# are taken from.
logtype = file
# Daemon definition is to be specialized (if needed) in .conf file
# NOTE(review): \S* accepts any run of non-whitespace, including none, so a
# filter that keeps this default matches lines from any daemon. Set _daemon to
# the service name in the filter to keep its failregex scoped to that service.
_daemon = \S*
#
# Shortcuts for easier comprehension of the failregex
#
# PID.
# EXAMPLES: [123]
# Literal square brackets around one or more digits; non-capturing group.
__pid_re = (?:\[\d+\])
# Daemon name (with optional source_file:line or whatever)
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
# Optional opening [ or (, the _daemon value, an optional "(...)" suffix, an
# optional closing ] or ), and an optional trailing colon.
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
# extra daemon info
# EXAMPLE: [ID 800047 auth.info]
# Literal "[ID ", a number, a space, one non-whitespace token, then "]".
__daemon_extra_re = \[ID \d+ \S+\]
# Combinations of daemon name and PID
# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
# Two alternatives: an optional PID, a colon and whitespace before the daemon
# name; or the daemon name followed by an optional PID and an optional colon.
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
# Some messages have a kernel prefix with a timestamp
# EXAMPLES: kernel: [769570.846956]
# "kernel:", an optional whitespace character, a bracketed number with a
# fractional part that may be padded with leading spaces, and an optional
# trailing colon.
__kernel_prefix = kernel:\s?\[ *\d+\.\d+\]:?
# Hostname field of the log line.
# NOTE(review): \S+ accepts any non-whitespace token; it does not check that
# the token is a valid host name.
__hostname = \S+
# An MD5 hash in colon-separated hex form
# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
# Sixteen two-character hex groups joined by colons. Only lowercase a-f is
# listed; whether A-F also matches depends on the flags the consuming filter
# compiles the expression with - TODO confirm.
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
# "<", two dot-free parts separated by a single dot, then ">".
__bsd_syslog_verbose = <[^.]+\.[^.]+>
# Tag that starts with "@vserver_" and runs to the next whitespace.
__vserver = @vserver_\S+
# Matches the literal two characters "[]".
# NOTE(review): presumably what remains of a bracketed timestamp once the date
# itself has been cut out of the line - confirm against the date handling.
__date_ambit = (?:\[\])
# Common line prefixes (beginnings) which could be used in filters
#
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
#
# This can be optional (for instance if we match named native log files)
# Resolved from the section named lt_<logtype>, e.g. [lt_file] while
# logtype = file.
__prefix_line = <lt_<logtype>/__prefix_line>
# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
# pam_ldap
# NOTE(review): filters that interpolate this value presumably match only the
# module named here, so a host that authenticates through pam_sss or pam_ldap
# needs it overridden - confirm in the consuming filter.
__pam_auth = pam_unix
# By default, all formats that use the prefix have the date anchored at the beginning of the line:
# Resolved from the section named lt_<logtype>, in the same way as
# __prefix_line.
datepattern = <lt_<logtype>/datepattern>
# Values used when logtype = file.
[lt_file]
# Common line prefixes for logtype "file":
# Order of the parts: date remnant, BSD verbose tag, hostname, kernel prefix,
# vserver tag, daemon name with PID, extra daemon info.
# NOTE(review): every part is optional, so this prefix also matches the empty
# string. A failregex built on it should itself be anchored at the start of
# the line, so that text a remote client managed to place further along the
# line is not taken for the daemon prefix.
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
# Date is expected at the beginning of the line.
datepattern = {^LN-BEG}
# Values used when logtype = short; [lt_journal] refers back to them.
[lt_short]
# Common (short) line prefix for logtype "journal" (corresponds to the output of formatJournalEntry):
# Optional hostname, optional daemon name with optional PID and colon, and
# optional kernel prefix.
# NOTE(review): every part is optional, so this prefix can match the empty
# string; anchor the failregex that uses it at the start of the line.
__prefix_line = \s*(?:%(__hostname)s\s+)?(?:%(_daemon)s%(__pid_re)s?:?\s+)?(?:%(__kernel_prefix)s\s+)?
# Same date pattern as [lt_file].
datepattern = %(lt_file/datepattern)s
# Values used when logtype = journal.
[lt_journal]
# Same prefix as [lt_short].
__prefix_line = %(lt_short/__prefix_line)s
# Same date pattern as [lt_short], which takes it from [lt_file].
datepattern = %(lt_short/datepattern)s
# Values used when logtype = rfc5424.
[lt_rfc5424]
# RFC 5424 log-format, see gh-2309:
#__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ \S+\s+
# Hostname, daemon name, a numeric field and one token, each followed by a
# single space, then either a token without brackets or one or more [...]
# groups in which double-quoted strings may contain "]". Unlike the other
# prefixes, the hostname and the separating spaces are required.
# NOTE(review): the inner [^\]"]* sits inside a repeated group; check how the
# expression behaves on a very long line with an unclosed "[", since such a
# line may cause heavy backtracking - TODO confirm with a timing test.
__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ (?:[^\[\]\s]+|(?:\[(?:[^\]"]*|"[^"]*")*\])+)\s+
# Line must start with "<digits>digits" and whitespace, followed by the date
# (presumably the RFC 5424 priority and version fields - confirm).
datepattern = ^<\d+>\d+\s+{DATE}
# Author: Yaroslav Halchenko, Sergey G. Brester (aka sebres)