Blob Blame History Raw
WARNING
=======

This file is somewhat obsolete, for current information look at doc/
directory.

Basic syntax
============

Each line in rulebase file is evaluated separately.
Lines starting with '#' are commentaries.
Empty lines are just skipped, they can be inserted for readability.
If the line starts with 'rule=', then it contains a rule. This line has
following format:

	rule=[<tag1>[,<tag2>...]]:<match description>
	
Everything before a colon is treated as comma-separated list of tags, which
will be attached to a match. After the colon, match description should be
given. It consists of string literals and field selectors. String literals
should match exactly. Field selector has this format:

	%<field name>:<field type>[:<extra data>]%

Percent sign is used to enclose field selector. If you need to match literal
'%', it can be written as '%%' or '\x25'.

Behaviour of field selector depends on its type, which is decribed below.

If field name is set to '-', this field is matched but not saved.

Several rules can have a common prefix. You can set it once with this syntax:

	prefix=<prefix match description>
	
Every following rule will be treated as an addition to this prefix.

Prefix can be reset to default (empty value) by the line:

	prefix=

Tags of the matched rule are attached to the message and can be used to
annotate it. Annotation allows to add fixed fields to the message.
Syntax is as following:

	annotate=<tag>:+<field name>="<field value>"

Field value should always be enclosed in double quote marks.

There can be multiple annotations for the same tag.

Field types
===========

Field type:		'number'
Matches:		One or more decimal digits.
Extra data:		Not used
Example:		%field_name:number%

Field type:		'word'
Matches:		One or more characters, up to the next space (\x20), or
				up to end of line.
Extra data:		Not used
Example:		%field_name:word%

Field type:		'alpha'
Matches:		One or more alphabetic characters, up to the next
				whitespace, punctuation, decimal digit or ctrl.
Extra data:		Not used
Example:		%field_name:alpha%

Field type:		'char-to'
Matches:		One or more characters, up to the next character given in
				extra data.
Extra data:		One character (can be escaped)
Example:		%field_name:char-to:,%
				%field_name:char-to:\x25%

Field type:		'char-sep'
Matches:		Zero or more characters, up to the next character given in
				extra data, or up to end of line.
Extra data:		One character (can be escaped)
Example:		%field_name:char-sep:,%
				%field_name:char-sep:\x25%

Field type:		'rest'
Matches:		Zero or more characters till end of line.
Extra data:		Not used
Example:		%field_name:rest%
Notes:			Should be always at end of the rule.

Field type:		'quoted-string'
Matches:		Zero or more characters, surrounded by double quote marks.
Extra data:		Not used
Example:		%field_name:quoted-string%
Notes:			Quote marks are stripped from the match.

Field type:		'date-iso'
Matches:		Date of format 'YYYY-MM-DD'.
Extra data:		Not used
Example:		%field-name:date-iso%

Field type:		'time-24hr'
Matches:		Time of format 'HH:MM:SS', where HH is 00..23.
Extra data:		Not used
Example:		%field_name:time-24hr%

Field type:		'time-12hr'
Matches:		Time of format 'HH:MM:SS', where HH is 00..12.
Extra data:		Not used
Example:		%field_name:time-12hr%

Field type:		'ipv4'
Matches:		IPv4 address, in dot-decimal notation (AAA.BBB.CCC.DDD).
Extra data:		Not used
Example:		%field_name:ipv4%

Field type:		'date-rfc3164'
Matches:		Valid date/time in RFC3164 format, i.e.: 'Oct 29 09:47:08'
Extra data:		Not used
Example:		%field_name:date-rfc3164%
Notes:			This parser implements several quirks to match malformed
				timestamps from some devices.

Field type:		'date-rfc5424'
Matches:		Valid date/time in RFC5424 format, i.e.:
				'1985-04-12T19:20:50.52-04:00'
Extra data:		Not used
Example:		%field_name:date-rfc5424%
Notes:			Slightly different formats are allowed.

Field type:		'iptables'
Matches:		Name=value pairs, separated by spaces, as in Netfilter log
				messages.
Extra data:		Not used
Example:		%-:iptables%
Notes:			Name of the selector is not used; names from the line are 
				used instead. This selector always matches everything till 
				end of the line. Cannot match zero characters.

Examples
========

Look at sample.rulebase for example rules and matching lines.