# Sample rules; each rule is preceded by a comment showing a string it matches
# Prefix sample (the prefix applies to the rules below until it is reset):
# myhostname: code=23
prefix=%host:char-to:\x3a%:
rule=prefixed_code:code=%code:number%
# myhostname: name=somename
rule=prefixed_name:name=%name:word%
# Reset prefix to default (empty value):
prefix=
# Quantity: 555
rule=tag1:Quantity: %N:number%
# Weight: 42kg
rule=tag2:Weight: %N:number%%unit:word%
annotate=tag2:+fat="free"
# %%
rule=tag3,percent:\x25%%
annotate=percent:+percent="100"
annotate=tag3:+whole="whale"
annotate=tag3:+part="wha"
# literal
rule=tag4,tag5,tag6,tag4:literal
annotate=tag4:+this="that"
# first field,second field,third field,fourth field
rule=csv:%r1:char-to:,%,%r2:char-to:,%,%r3:char-to:,%,%r4:rest%
# CSV: field1,,field3
rule=better-csv:CSV: %f1:char-sep:,%,%f2:char-sep:,%,%f3:char-sep:,%
# Snow White and the Seven Dwarfs
rule=tale:Snow White and %company:rest%
# iptables: SRC=192.168.1.134 DST=46.252.161.13 LEN=48 TOS=0x00 PREC=0x00
rule=ipt:iptables: %dummy:iptables%
# 2012-10-11 src=127.0.0.1 dst=88.111.222.19
rule=:%date:date-iso% src=%src:ipv4% dst=%dst:ipv4%
# Oct 29 09:47:08 server rsyslogd: rsyslogd's groupid changed to 103
rule=syslog:%date1:date-rfc3164% %host:word% %tag:char-to:\x3a%: %text:rest%
# Oct 29 09:47:08
rule=rfc3164:%date1:date-rfc3164%
# 1985-04-12T19:20:50.52-04:00
rule=rfc5424:%date1:date-rfc5424%
# 1985-04-12T19:20:50.52-04:00 testing 123
rule=rfc5424:%date1:date-rfc5424% %test:word% %test2:number%
# quoted_string="Contents of a quoted string cannot include quote marks"
rule=quote:quoted_string=%quote:quoted-string%
# tokenized words: aaa.org; bbb.com; ccc.net
rule=tokenized_words:tokenized words: %arr:tokenized:; :char-sep:\x3b%
# tokenized regex: aaa.org; bbb.com; ccc.net
rule=tokenized_regex:tokenized regex: %arr:tokenized:; :regex:[^; ]+%
# regex: abcdef
rule=regex:regex: %token:regex:abc.ef%
# host451
# yields the fields { basename:"host", hostid:451 }
rule=:%basename:alpha%%hostid:number%