USERNAME [a-zA-Z0-9_-]+
USER %{USERNAME}
INT (?:[+-]?(?:[0-9]+))
BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER (?:%{BASE10NUM})
BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
BASE16FLOAT \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b

POSINT \b(?:[0-9]+)\b
WORD \b\w+\b
NOTSPACE \S+
DATA .*?
GREEDYDATA .*
#QUOTEDSTRING (?:(?<!\\)(?:"(?:\\.|[^\\"])*"|(?:'(?:\\.|[^\\'])*')|(?:`(?:\\.|[^\\`])*`)))
QUOTEDSTRING (?:(?<!\\)(?:"(?>[^\\"]+|\\.)*")|(?:'(?>[^\\']+|\\.)*')|(?:`(?>[^\\`]+|\\.)*`))

# Networking
MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
CISCOMAC (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
WINDOWSMAC (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
COMMONMAC (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
IP (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2}))(?![0-9])
HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
HOST %{HOSTNAME}
IPORHOST (?:%{HOSTNAME}|%{IP})
HOSTPORT (?:%{IPORHOST=~/\./}:%{POSINT})

# paths
PATH (?:%{UNIXPATH}|%{WINPATH})
UNIXPATH (?:/(?:[\w_%!$@:.,-]+|\\.)*)+
#UNIXPATH (?<![\w\/])(?:/[^\/\s?*]*)+
LINUXTTY (?:/dev/pts/%{POSINT})
BSDTTY (?:/dev/tty[pq][a-z0-9])
TTY (?:%{BSDTTY}|%{LINUXTTY})
WINPATH (?:[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
URIPROTO [A-Za-z]+(\+[A-Za-z+]+)?
URIHOST %{IPORHOST}(?::%{POSINT:port})?
# uripath comes loosely from RFC1738, but mostly from what Firefox
# doesn't turn into %XX
URIPATH (?:/[A-Za-z0-9$.+!*'(),~:#%_-]*)+
#URIPARAM \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)?)*)?
URIPARAM \?[A-Za-z0-9$.+!*'(),~#%&/=:;_-]*
URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?

# Months: January, Feb, 3, 03, 12, December
MONTH \b(?:[Jj]an(?:uary)?|[Ff]eb(?:ruary)?|[Mm]ar(?:ch)?|[Aa]pr(?:il)?|[Mm]ay|[Jj]un(?:e)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo]ct(?:ober)?|[Nn]ov(?:ember)?|[Dd]ec(?:ember)?)\b
MONTHNUM (?:0?[1-9]|1[0-2])
MONTHDAY (?:3[01]|[1-2]?[0-9]|0?[1-9])

# Days: Monday, Tue, Thu, etc...
DAY (?:[Mm]on(?:day)?|[Tt]ue(?:sday)?|[Ww]ed(?:nesday)?|[Tt]hu(?:rsday)?|[Ff]ri(?:day)?|[Ss]at(?:urday)?|[Ss]un(?:day)?)

# Years?
YEAR [0-9]+
# Time: HH:MM:SS
#TIME \d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?
# I'm still on the fence about using grok to perform the time match,
# since it's probably slower.
# TIME %{POSINT<24}:%{POSINT<60}(?::%{POSINT<60}(?:\.%{POSINT})?)?
HOUR (?:2[0123]|[01][0-9])
MINUTE (?:[0-5][0-9])
# '60' is a leap second in most time standards and thus is valid.
SECOND (?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)
TIME (?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})?(?![0-9])
DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
DATE_EU %{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
ISO8601_SECOND (?:%{SECOND}|60)
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
DATE %{DATE_US}|%{DATE_EU}
DATESTAMP %{DATE}[- ]%{TIME}
TZ (?:[PMCE][SD]T)
DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}

# Syslog Dates: Month Day HH:MM:SS
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
PROG (?:[\w._/-]+)
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
SYSLOGHOST %{IPORHOST}
SYSLOGFACILITY <%{POSINT:facility}.%{POSINT:priority}>
HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT:ZONE}

# Shortcuts
QS %{QUOTEDSTRING}

# Log formats
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
COMBINEDAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "(?:%{URI:referrer}|-)" %{QS:agent}