WARNING
=======
This file is somewhat obsolete; for current information, look at the doc/
directory.
Basic syntax
============
Each line in a rulebase file is evaluated separately.
Lines starting with '#' are comments.
Empty lines are skipped; they can be inserted for readability.
If a line starts with 'rule=', it contains a rule. Such a line has the
following format:
rule=[<tag1>[,<tag2>...]]:<match description>
Everything before the first colon is treated as a comma-separated list of
tags, which will be attached to a match; the list may be empty, in which
case the line starts with 'rule=:'. After the colon, the match description
follows. It consists of string literals and field selectors. String literals
must match exactly. A field selector has this format:
%<field name>:<field type>[:<extra data>]%
Percent signs enclose the field selector. To match a literal '%', write
'%%' or '\x25'.
The behaviour of a field selector depends on its type, which is described
below.
If the field name is '-', the field is matched but not saved.
Several rules can share a common prefix. You can set it once with this syntax:
prefix=<prefix match description>
Every following rule is treated as an addition to this prefix, i.e. the
prefix's match description is matched first and the rule's own follows it.
The prefix is reset to its default (empty value) by the line:
prefix=
The tags of the matched rule are attached to the message and can be used to
annotate it. Annotation adds fixed fields to the message.
The syntax is as follows:
annotate=<tag>:+<field name>="<field value>"
The field value must always be enclosed in double quotes.
There can be multiple annotations for the same tag.
Field types
===========
Field type: 'number'
Matches: One or more decimal digits.
Extra data: Not used
Example: %field_name:number%
Field type: 'word'
Matches: One or more characters, up to the next space (\x20) or
the end of line.
Extra data: Not used
Example: %field_name:word%
Notes: Any non-space characters are accepted, so a value extracted
with 'word' is not validated in any way. Where the field's
format is known, prefer a stricter type such as 'number'
or 'ipv4'.
Field type: 'alpha'
Matches: One or more alphabetic characters, up to the next
whitespace, punctuation, decimal digit or control character.
Extra data: Not used
Example: %field_name:alpha%
Field type: 'char-to'
Matches: One or more characters, up to the next occurrence of the
character given in extra data.
Extra data: One character (can be escaped)
Example: %field_name:char-to:,%
%field_name:char-to:\x25%
Notes: The terminating character is not part of the match and must
be present in the line, otherwise the match fails. To consume
it, put it as a literal right after the selector.
Field type: 'char-sep'
Matches: Zero or more characters, up to the next occurrence of the
character given in extra data, or up to the end of line.
Extra data: One character (can be escaped)
Example: %field_name:char-sep:,%
%field_name:char-sep:\x25%
Notes: Unlike 'char-to', this type also accepts an empty value and
a missing terminator.
Field type: 'rest'
Matches: Zero or more characters, until the end of line.
Extra data: Not used
Example: %field_name:rest%
Notes: Should always be at the end of the rule, since it consumes
everything that is left; nothing placed after it can match.
Field type: 'quoted-string'
Matches: Zero or more characters, surrounded by double quote marks.
Extra data: Not used
Example: %field_name:quoted-string%
Notes: The quote marks are stripped from the match.
Field type: 'date-iso'
Matches: Date in the format 'YYYY-MM-DD'.
Extra data: Not used
Example: %field_name:date-iso%
Field type: 'time-24hr'
Matches: Time in the format 'HH:MM:SS', where HH is 00..23.
Extra data: Not used
Example: %field_name:time-24hr%
Field type: 'time-12hr'
Matches: Time in the format 'HH:MM:SS', where HH is 00..12.
Extra data: Not used
Example: %field_name:time-12hr%
Field type: 'ipv4'
Matches: IPv4 address in dot-decimal notation (AAA.BBB.CCC.DDD).
Extra data: Not used
Example: %field_name:ipv4%
Field type: 'date-rfc3164'
Matches: Valid date/time in RFC3164 format, e.g. 'Oct 29 09:47:08'.
Extra data: Not used
Example: %field_name:date-rfc3164%
Notes: This parser implements several quirks to match malformed
timestamps sent by some devices.
Field type: 'date-rfc5424'
Matches: Valid date/time in RFC5424 format, e.g.
'1985-04-12T19:20:50.52-04:00'
Extra data: Not used
Example: %field_name:date-rfc5424%
Notes: Slightly different variants of the format are accepted.
Field type: 'iptables'
Matches: Name=value pairs, separated by spaces, as in Netfilter log
messages.
Extra data: Not used
Example: %-:iptables%
Notes: The name of the selector is not used; the names from the line
are used instead. This selector always matches everything until
the end of the line and cannot match zero characters.
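The following Python program is an added example, not liblognorm's own code, that implements the basic syntax described above (rule=, prefix=, annotate=, the '%%' and '\xHH' escapes and the '-' field name) together with a regular-expression approximation of a subset of the field types, and runs a small rulebase over a few log lines. The rulebase, the log lines (using RFC 5737 documentation addresses) and the output key names 'event.tags' and 'unparsed-data' are constructed for this example.

```python
"""Toy normalizer for the rulebase syntax above (constructed example, not liblognorm code)."""
import re

# (prefix, captured body, suffix) per field type; "{x}" stands for the escaped extra data.
# quoted-string keeps its quotes outside the capture, so they are stripped from the match.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])"
FIELD_TYPES = {
    "number":        ("", r"[0-9]+", ""),
    "word":          ("", r"[^ ]+", ""),
    "char-to":       ("", r"[^{x}]+", ""),   # one or more chars; terminator follows as a literal
    "char-sep":      ("", r"[^{x}]*", ""),   # zero or more chars; terminator or end of line
    "rest":          ("", r".*", ""),
    "quoted-string": ('"', r'[^"]*', '"'),
    "ipv4":          ("", OCTET + r"(?:\." + OCTET + "){3}", ""),
    "date-rfc3164":  ("", r"[A-Z][a-z]{2} [ 0-9][0-9] [0-2][0-9]:[0-5][0-9]:[0-5][0-9]", ""),
    "iptables":      ("", r".+", ""),        # rest of the line, split into name=value pairs later
}
# %% escape | %name:type[:extra]% selector | \xHH literal | plain text | lone backslash
TOKEN_RE = re.compile(r"%%|%([^%]*)%|\\x([0-9A-Fa-f]{2})|[^%\\]+|\\")
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")

def tokenize(desc):
    """Yield ("lit", text) and ("field", name, type, extra) tokens of a match description."""
    for m in TOKEN_RE.finditer(desc):
        if m.group(1) is not None:              # field selector
            name, ftype, *extra = m.group(1).split(":", 2)
            extra = HEX_ESC.sub(lambda e: chr(int(e.group(1), 16)), extra[0]) if extra else ""
            yield ("field", name, ftype, extra)
        elif m.group(2):                        # \xHH literal outside a selector
            yield ("lit", chr(int(m.group(2), 16)))
        else:                                   # "%%" or plain text
            yield ("lit", "%" if m.group(0) == "%%" else m.group(0))

def compile_rule(desc):
    """Turn a full match description (prefix + rule) into an anchored regex and its field list."""
    regex, fields = "^", []
    for tok in tokenize(desc):
        if tok[0] == "lit":
            regex += re.escape(tok[1])
        else:
            _, name, ftype, extra = tok
            pre, body, post = FIELD_TYPES[ftype]
            regex += pre + "(" + body.replace("{x}", re.escape(extra)) + ")" + post
            fields.append((name, ftype))
    return re.compile(regex + "$"), fields

def load_rulebase(text):
    """Parse rule=, prefix= and annotate= lines; '#' comments and blank lines are skipped."""
    rules, annotations, prefix = [], {}, ""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "prefix":
            prefix = value                          # a bare "prefix=" resets it to empty
        elif key == "rule":
            tags, _, desc = value.partition(":")    # the first colon ends the tag list
            regex, fields = compile_rule(prefix + desc)
            rules.append(([t for t in tags.split(",") if t], regex, fields))
        elif key == "annotate":
            tag, _, rest = value.partition(":")
            m = re.fullmatch(r'\+([^=]+)="(.*)"', rest)   # +name="value"
            annotations.setdefault(tag, {})[m.group(1)] = m.group(2)
    return rules, annotations

def normalize(rules, annotations, line):
    """Return the fields of the first matching rule, or mark the line as unparsed."""
    for tags, regex, fields in rules:
        m = regex.match(line)
        if not m:
            continue
        event = {}
        for (name, ftype), val in zip(fields, m.groups()):
            if ftype == "iptables":                 # field names come from the line itself
                event.update(p.split("=", 1) for p in val.split() if "=" in p)
            elif name != "-":                       # '-' is matched but not saved
                event[name] = val
        for tag in tags:                            # annotate= adds fixed fields per tag
            event.update(annotations.get(tag, {}))
        event["event.tags"] = tags
        return event
    return {"unparsed-data": line}                  # key name chosen for this example

# Constructed sample rulebase and log lines (RFC 5737 documentation addresses).
RULEBASE = r"""
prefix=%date:date-rfc3164% %host:word%
rule=sshd,auth: sshd[%pid:number%]: Failed password for %user:word% from %src:ipv4% port %port:number% ssh2
rule=kernel,fw: kernel: %-:char-to:\x5d%] %-:iptables%
prefix=
rule=pct:load=%load:char-to:\x25%%% free=%free:number%%% note=%note:quoted-string%
annotate=auth:+category="authentication"
annotate=fw:+category="firewall"
"""
SAMPLE_LINES = [
    "Mar 12 10:21:07 bastion sshd[4242]: Failed password for root from 203.0.113.45 port 51123 ssh2",
    "Mar 12 10:21:09 bastion kernel: [12345.678] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    'load=87% free=13% note="after patching"',
]

def run_sample():
    rules, annotations = load_rulebase(RULEBASE)
    return [normalize(rules, annotations, line) for line in SAMPLE_LINES]
```

Calling run_sample() returns one dict per sample line. The first two rules share the timestamp/host prefix and get a 'category' field from their annotate= lines; the kernel rule shows the '-' name being matched but dropped and the 'iptables' type taking its field names from the line itself; the third rule, after the prefix has been reset, shows both ways of writing a literal '%' and the quotes being stripped from a 'quoted-string' field. Real liblognorm uses hand-written parsers rather than regular expressions, so the accepted inputs of each type differ in detail from this approximation.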
Examples
========
Look at sample.rulebase for example rules and matching lines.