From f45df32c63d3692afc270bd8d0a85cc50bc59234 Mon Sep 17 00:00:00 2001
From: Anthony
Date: Mon, 21 Apr 2025 12:49:51 +0200
Subject: [PATCH 1/3] [format] fixed syslog regex
---
 src/formats/syslog_log.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/formats/syslog_log.json b/src/formats/syslog_log.json
index 2aa84a291be..5e12e529782 100644
--- a/src/formats/syslog_log.json
+++ b/src/formats/syslog_log.json
@@ -6,7 +6,7 @@
 "url": "http://en.wikipedia.org/wiki/Syslog",
 "regex": {
 "std": {
- "pattern": "^(?(?:\\S{3,8}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2}|\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3,6})?(?:Z|(?:\\+|-)\\d{2}:\\d{2})))(?: (?[a-zA-Z0-9:][^ ]+[a-zA-Z0-9]))?(?: \\[CLOUDINIT\\])?(?:(?: syslogd [\\d\\.]+|(?: (?(?(?:[^\\[:]+|[^ :]+))(?:\\[(?\\d+)\\](?: \\([^\\)]+\\))?)?))):\\s*(?.*)$|:?(?:(?: ---)? last message repeated \\d+ times?(?: ---)?))"
+ "pattern": "^(?(?:\\S{3,8}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2}|\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3,6})?(?:Z|(?:\\+|-)\\d{2}:\\d{2})))(?: (?[a-zA-Z0-9:][^ ]+[a-zA-Z0-9]))?(?: \\[CLOUDINIT\\])?(?:(?: syslogd [\\d\\.]+|(?: (?(?(?:[^\\[:]+|[^ :]+))(?:\\[(?[\\d\\.]+)\\](?: \\([^\\)]+\\))?)?))):?\\s*(?.*)$|:?(?:(?: ---)? last message repeated \\d+ times?(?: ---)?))"
 },
 "rfc5424": {
 "pattern": "^<(?\\d+)>(?\\d+) (?\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{6})?(?:[^ ]+)?) (?[^ ]+|-) (?(?[^ ]+|-) (?[^ ]+|-) (?[^ ]+|-)) (?\\[(?:[^\\]\"]|\"(?:\\.|[^\"])+\")*\\]|-|)\\s+(?.*)"
From f06acb56d847d61d2364f95f45883dab7b154aa1 Mon Sep 17 00:00:00 2001
From: Anthony
Date: Mon, 28 Apr 2025 10:30:55 +0200
Subject: [PATCH 2/3] [format] added sample line to syslog
---
 src/formats/syslog_log.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/formats/syslog_log.json b/src/formats/syslog_log.json
index 5e12e529782..fc82c09870f 100644
--- a/src/formats/syslog_log.json
+++ b/src/formats/syslog_log.json
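Review bot: Making the separator optional (`:?\\s*(?` near the end of the `+` pattern line) removes the only delimiter between the process name and the message for lines that carry no `[pid]`, and because the first process-name alternative `[^\\[:]+` is greedy and admits spaces, a line such as `Jan 4 10:23:26 host kernel link is up` now appears to match with the whole remainder captured as the process name and an empty body, where before it failed the `std` pattern and could fall through to another format. For a format that drives field-based filtering, a silently misattributed process name and an empty message body are worse than a non-match, since queries on the body field will no longer see that content. The same line also widens the pid group to `[\\d\\.]+`, which the next patch in this series reverts, so only the separator change needs attention here. If the engine is PCRE (lookbehind available), requiring the colon unless the preceding character is the closing `]` of a pid keeps the new sample matching while rejecting the degenerate case: replace `:?\\s*(?` with `(?::|(?<=\\]))\\s*(?`. The enclosing `"std"` object continues outside the hunk, so any sample lines that pin this behaviour are not visible here.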
@@ -6,7 +6,7 @@
 "url": "http://en.wikipedia.org/wiki/Syslog",
 "regex": {
 "std": {
- "pattern": "^(?(?:\\S{3,8}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2}|\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3,6})?(?:Z|(?:\\+|-)\\d{2}:\\d{2})))(?: (?[a-zA-Z0-9:][^ ]+[a-zA-Z0-9]))?(?: \\[CLOUDINIT\\])?(?:(?: syslogd [\\d\\.]+|(?: (?(?(?:[^\\[:]+|[^ :]+))(?:\\[(?[\\d\\.]+)\\](?: \\([^\\)]+\\))?)?))):?\\s*(?.*)$|:?(?:(?: ---)? last message repeated \\d+ times?(?: ---)?))"
+ "pattern": "^(?(?:\\S{3,8}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2}|\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3,6})?(?:Z|(?:\\+|-)\\d{2}:\\d{2})))(?: (?[a-zA-Z0-9:][^ ]+[a-zA-Z0-9]))?(?: \\[CLOUDINIT\\])?(?:(?: syslogd [\\d\\.]+|(?: (?(?(?:[^\\[:]+|[^ :]+))(?:\\[(?\\d+)\\](?: \\([^\\)]+\\))?)?))):?\\s*(?.*)$|:?(?:(?: ---)? last message repeated \\d+ times?(?: ---)?))"
 },
 "rfc5424": {
 "pattern": "^<(?\\d+)>(?\\d+) (?\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{6})?(?:[^ ]+)?) (?[^ ]+|-) (?(?[^ ]+|-) (?[^ ]+|-) (?[^ ]+|-)) (?\\[(?:[^\\]\"]|\"(?:\\.|[^\"])+\")*\\]|-|)\\s+(?.*)"
From 3001b1e6772b650272ece8670557c1fb9407a5bb Mon Sep 17 00:00:00 2001
From: Anthony
Date: Mon, 28 Apr 2025 10:31:31 +0200
Subject: [PATCH 3/3] [format] added sample line to syslog
---
 src/formats/syslog_log.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/formats/syslog_log.json b/src/formats/syslog_log.json
index fc82c09870f..4204af1ce63 100644
--- a/src/formats/syslog_log.json
+++ b/src/formats/syslog_log.json
@@ -96,6 +96,9 @@
 },
 {
 "line": "Jan 4 10:23:26 Tims-MacBook-Air Setup Assistant[1173]: Creating connection"
+ },
+ {
+ "line": "2025-04-15T17:36:24.135033+02:00 myhostname sshd[730594] Disconnected from authenticating user root 218.92.0.111 port 37632 [preauth]"
 }
 ]
 }
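Review bot: The only change on this hunk's `+` line is the pid group going from `[\\d\\.]+` back to `\\d+`, yet the subject line says "added sample line to syslog" and no sample line is added here, so the history records the wrong reason for the change. If the widening in 1/3 was a slip (a pid containing a dot is not an integer, and a numeric field type downstream would presumably reject it), say so in the subject, e.g. `[format] restrict syslog pid capture back to digits`, or squash this into 1/3 so the intermediate state never lands. The `:?` separator change from 1/3 is carried through unchanged on this line.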
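Review bot: The added sample line embeds a routable public address, `218.92.0.111`, in what appears to be a committed fixture for the format definition; test data should use an RFC 5737 documentation range so the repository never points at a real host, e.g. `203.0.113.17` in place of `218.92.0.111` on the new `"line"` entry. The line does usefully pin the no-colon-after-`[pid]` form that patch 1/3 enabled, but no sample covers a message with neither a pid nor a colon, which is the case most affected by making the separator optional, so adding one such line would make the regex change verifiable. The array these entries belong to starts outside the hunk.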