ioc32 · January 27, 2016 15:27
diff --git a/logstash bind9 patterns b/logstash bind9 patterns
 PORT [0-9]+
 BIND_TIME %{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}
 ZONE [0-9a-zA-Z.-]+
 DNS_ZONE %{ZONE:zone}/%{DATA:class}/%{DATA:view}
 STR [a-zA-Z\-]+

 XFR_START1 zone %{DNS_ZONE}: %{DATA:daemon_status}\.
 XFR_START2 client %{IP:client_ip}[@#]+%{PORT:client_port} \(%{ZONE}\): view %{DATA:view}: transfer of \'%{DATA:zone}/%{DATA:class}\': %{DATA:daemon_status} (?:\(serial %{PORT:serial}\)|\(serial %{PORT:serial_old} -> %{PORT:serial}\))
 XFR_START (?:%{XFR_START1}|%{XFR_START2})
 XFR_SERIAL zone %{DNS_ZONE}: %{DATA:daemon_status} serial %{POSINT:serial}
 XFR_NOTIFY zone %{DNS_ZONE}: %{DATA:daemon_status} notifies \(serial %{POSINT:serial}\)
 XFR_NOTIFY_FRM zone %{DNS_ZONE}: notify from %{IP:client_ip}[@#]+%{PORT:client_port}: (?:zone is %{DATA:daemon_status}|serial %{PORT:serial}|%{DATA:daemon_status})
 XFR_END client %{IP:client_ip}[@#]+%{PORT:client_port}(?:/key %{ZONE:tsig_key})? \(%{DATA}\): view %{DATA:view}: transfer of \'%{DATA:zone}/%{DATA:class}\': %{GREEDYDATA:daemon_status}

 NOTIFY_RX client %{IP:master_ip}[@#]+%{PORT:master_port}: view %{DATA:view}: %{DATA:daemon_status} for zone \'%{DATA:zone}\'(: %{GREEDYDATA:notify_info})?
 NOTIFY_RX_KEY client %{IP:master_ip}[@#]+%{PORT:master_port}(?:/key %{DATA}): view %{DATA:view}: %{DATA:daemon_status} for zone \'%{DATA:zone}\': TSIG \'%{DATA:tsig_key}\'
 NOTIFY_OLD zone %{DNS_ZONE}: serial number \(%{PORT:serial_received}\) received from master %{IP:master_ip}[@#]+%{PORT:master_port} < ours \(%{PORT:serial}\)

 ERR_XFR_BAD zone %{DNS_ZONE}: %{DATA:dns_label}/%{ZONE:dns_rr}: %{DATA:error_status} \(check-names\)
 ERR_REFRESH_UNEXPECTED_RCODE zone %{DNS_ZONE}: refresh: %{DATA:error_status} \(%{DATA:refresh_rcode}\) from master %{IP:master_ip}[#@]+%{PORT:master_port} \(source\ %{IP:client_ip}[#@]%{PORT:client_port}\)
 ERR_REFUSED_NOTIFY zone %{DNS_ZONE}: %{DATA:error_status}: %{IP:master_ip}[@#]+%{PORT:master_port}
 ERR_NONAUTH_REFRESH_ANS zone %{DNS_ZONE}: refresh: %{DATA:error_status} from master %{IP:master_ip}[#@]+%{PORT:master_port} \(source %{IP:client_ip}[@#]+%{PORT:client_port}\)
 ERR_REFRESH_LIMIT zone %{DNS_ZONE}: refresh: %{DATA:error_status} %{IP:master_ip}[@#]%{PORT:master_port} exceeded \(source %{IP:client_ip}[@#]+%{PORT:client_port}\)
 ERR_TCP_QUOTA client %{IP:client_ip}[@#]+%{PORT:client_port}: no more TCP clients: %{DATA:error_status}
 ERR_REFRESH_CANCEL zone %{DNS_ZONE}: refresh: failure trying master %{IP:master_ip}[@#]+%{PORT:master_port} \(source %{IP:client_ip}[@#]%{PORT:client_port}\): %{GREEDYDATA:error_status}
 ERR_XFR_UNREACH zone %{DNS_ZONE}: got_transfer_quota: %{DATA:error_status} as master %{IP:master_ip}[@#]+%{PORT:master_port} \(source %{IP:client_ip}[@#]+%{PORT:client_port}\) is unreachable \(cached\)
 ERR_XFR_BAD_REQUEST client %{IP:client_ip}[@#]+%{PORT:client_port} \(%{DATA}\): view %{DATA:view}: %{DATA:error_status}: \'%{ZONE:zone}/%{DATA:class}\': %{DATA:xfr_err_reason} \(%{DATA:rcode}\)

 DAEMON_RELOAD %{DATA:daemon_status} succeeded
 DAEMON_NEW_ZONE any %{GREEDYDATA:daemon_status}
 DAEMON_DEL_CACHE master %{IP:master_ip}[@#]+%{PORT:master_port} \(source %{IP:client_ip}[@#]+%{PORT:client_port}\) %{GREEDYDATA:daemon_status}
 DAEMON_UPDATE client %{IP:client_ip}[@#]+%{PORT:client_port}: view %{DATA:view}: updating zone \'%{ZONE:zone}/%{DATA:class}\': (?:%{DATA:daemon_status} at %{GREEDYDATA:updated_rr}|update failed: %{DATA:daemon_status} \(%{DATA:rcode}\))

 DAEMON_MSG (?:%{DAEMON_RELOAD}|%{DAEMON_NEW_ZONE}|%{DAEMON_DEL_CACHE}|%{DAEMON_UPDATE})
 XFR_MSG (?:%{XFR_START}|%{XFR_SERIAL}|%{XFR_NOTIFY}|%{XFR_NOTIFY_FRM}|%{XFR_END})
 ERR_MSG (?:%{ERR_REFRESH_UNEXPECTED_RCODE}|%{ERR_XFR_BAD}|%{ERR_REFUSED_NOTIFY}|%{ERR_NONAUTH_REFRESH_ANS}|%{ERR_REFRESH_LIMIT}|%{ERR_TCP_QUOTA}|%{ERR_REFRESH_CANCEL}|%{ERR_XFR_UNREACH}|%{ERR_XFR_BAD_REQUEST})
 NOTIFY_MSG (?:%{NOTIFY_RX}|%{NOTIFY_RX_KEY}|%{NOTIFY_OLD})

 BIND_MSG %{BIND_TIME:timestamp} %{STR:logclass}: %{GREEDYDATA:bind_log}
	PORT [0-9]+
	BIND_TIME %{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}
	ZONE [0-9a-zA-Z.-]+
	DNS_ZONE %{ZONE:zone}/%{DATA:class}/%{DATA:view}
	STR [a-zA-Z\-]+

	XFR_START1 zone %{DNS_ZONE}: %{DATA:daemon_status}\.
	XFR_START2 client %{IP:client_ip}[@#]+%{PORT:client_port} \(%{ZONE}\): view %{DATA:view}: transfer of \'%{DATA:zone}/%{DATA:class}\': %{DATA:daemon_status} (?:\(serial %{PORT:serial}\)\|\(serial %{PORT:serial_old} -> %{PORT:serial}\))
	XFR_START (?:%{XFR_START1}\|%{XFR_START2})
	XFR_SERIAL zone %{DNS_ZONE}: %{DATA:daemon_status} serial %{POSINT:serial}
	XFR_NOTIFY zone %{DNS_ZONE}: %{DATA:daemon_status} notifies \(serial %{POSINT:serial}\)
	XFR_NOTIFY_FRM zone %{DNS_ZONE}: notify from %{IP:client_ip}[@#]+%{PORT:client_port}: (?:zone is %{DATA:daemon_status}\|serial %{PORT:serial}\|%{DATA:daemon_status})
	XFR_END client %{IP:client_ip}[@#]+%{PORT:client_port}(?:/key %{ZONE:tsig_key})? \(%{DATA}\): view %{DATA:view}: transfer of \'%{DATA:zone}/%{DATA:class}\': %{GREEDYDATA:daemon_status}

	NOTIFY_RX client %{IP:master_ip}[@#]+%{PORT:master_port}: view %{DATA:view}: %{DATA:daemon_status} for zone \'%{DATA:zone}\'(: %{GREEDYDATA:notify_info})?
	NOTIFY_RX_KEY client %{IP:master_ip}[@#]+%{PORT:master_port}(?:/key %{DATA}): view %{DATA:view}: %{DATA:daemon_status} for zone \'%{DATA:zone}\': TSIG \'%{DATA:tsig_key}\'
	NOTIFY_OLD zone %{DNS_ZONE}: serial number \(%{PORT:serial_received}\) received from master %{IP:master_ip}[@#]+%{PORT:master_port} < ours \(%{PORT:serial}\)

	ERR_XFR_BAD zone %{DNS_ZONE}: %{DATA:dns_label}/%{ZONE:dns_rr}: %{DATA:error_status} \(check-names\)
	ERR_REFRESH_UNEXPECTED_RCODE zone %{DNS_ZONE}: refresh: %{DATA:error_status} \(%{DATA:refresh_rcode}\) from master %{IP:master_ip}[#@]+%{PORT:master_port} \(source\ %{IP:client_ip}[#@]%{PORT:client_port}\)
	ERR_REFUSED_NOTIFY zone %{DNS_ZONE}: %{DATA:error_status}: %{IP:master_ip}[@#]+%{PORT:master_port}
	ERR_NONAUTH_REFRESH_ANS zone %{DNS_ZONE}: refresh: %{DATA:error_status} from master %{IP:master_ip}[#@]+%{PORT:master_port} \(source %{IP:client_ip}[@#]+%{PORT:client_port}\)
	ERR_REFRESH_LIMIT zone %{DNS_ZONE}: refresh: %{DATA:error_status} %{IP:master_ip}[@#]%{PORT:master_port} exceeded \(source %{IP:client_ip}[@#]+%{PORT:client_port}\)
	ERR_TCP_QUOTA client %{IP:client_ip}[@#]+%{PORT:client_port}: no more TCP clients: %{DATA:error_status}
	ERR_REFRESH_CANCEL zone %{DNS_ZONE}: refresh: failure trying master %{IP:master_ip}[@#]+%{PORT:master_port} \(source %{IP:client_ip}[@#]%{PORT:client_port}\): %{GREEDYDATA:error_status}
	ERR_XFR_UNREACH zone %{DNS_ZONE}: got_transfer_quota: %{DATA:error_status} as master %{IP:master_ip}[@#]+%{PORT:master_port} \(source %{IP:client_ip}[@#]+%{PORT:client_port}\) is unreachable \(cached\)
	ERR_XFR_BAD_REQUEST client %{IP:client_ip}[@#]+%{PORT:client_port} \(%{DATA}\): view %{DATA:view}: %{DATA:error_status}: \'%{ZONE:zone}/%{DATA:class}\': %{DATA:xfr_err_reason} \(%{DATA:rcode}\)

	DAEMON_RELOAD %{DATA:daemon_status} succeeded
	DAEMON_NEW_ZONE any %{GREEDYDATA:daemon_status}
	DAEMON_DEL_CACHE master %{IP:master_ip}[@#]+%{PORT:master_port} \(source %{IP:client_ip}[@#]+%{PORT:client_port}\) %{GREEDYDATA:daemon_status}
	DAEMON_UPDATE client %{IP:client_ip}[@#]+%{PORT:client_port}: view %{DATA:view}: updating zone \'%{ZONE:zone}/%{DATA:class}\': (?:%{DATA:daemon_status} at %{GREEDYDATA:updated_rr}\|update failed: %{DATA:daemon_status} \(%{DATA:rcode}\))

	DAEMON_MSG (?:%{DAEMON_RELOAD}\|%{DAEMON_NEW_ZONE}\|%{DAEMON_DEL_CACHE}\|%{DAEMON_UPDATE})
	XFR_MSG (?:%{XFR_START}\|%{XFR_SERIAL}\|%{XFR_NOTIFY}\|%{XFR_NOTIFY_FRM}\|%{XFR_END})
	ERR_MSG (?:%{ERR_REFRESH_UNEXPECTED_RCODE}\|%{ERR_XFR_BAD}\|%{ERR_REFUSED_NOTIFY}\|%{ERR_NONAUTH_REFRESH_ANS}\|%{ERR_REFRESH_LIMIT}\|%{ERR_TCP_QUOTA}\|%{ERR_REFRESH_CANCEL}\|%{ERR_XFR_UNREACH}\|%{ERR_XFR_BAD_REQUEST})
	NOTIFY_MSG (?:%{NOTIFY_RX}\|%{NOTIFY_RX_KEY}\|%{NOTIFY_OLD})

	BIND_MSG %{BIND_TIME:timestamp} %{STR:logclass}: %{GREEDYDATA:bind_log}