Created
July 1, 2014 12:25
-
-
Save kangguru/d16e5be90fa13cf745d8 to your computer and use it in GitHub Desktop.
graylog2 extractors
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "extractors": [ | |
| { | |
| "condition_type": "string", | |
| "condition_value": "sudo:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "sudo:\\s+(\\S+)\\s+:" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "sudo_executor", | |
| "title": "Sudo Executor" | |
| }, | |
| { | |
| "condition_type": "string", | |
| "condition_value": "sudo:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "sudo:.+COMMAND=(.+);?" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "sudo_command", | |
| "title": "Sudo Command" | |
| }, | |
| { | |
| "condition_type": "string", | |
| "condition_value": "sudo:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "sudo:.+USER=(\\S+)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "sudo_command_user", | |
| "title": "Sudo Command User" | |
| }, | |
| { | |
| "condition_type": "none", | |
| "condition_value": "", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "syslog_pri_level" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "\\d <(.+)>" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "level", | |
| "title": "Level/Severity" | |
| }, | |
| { | |
| "condition_type": "none", | |
| "condition_value": "", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "syslog_pri_facility" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "\\d <(.+)>" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "facility", | |
| "title": "Facility" | |
| }, | |
| { | |
| "condition_type": "string", | |
| "condition_value": "method=", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "lowercase" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "method=(.+?)(\\s|$)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "http_method", | |
| "title": "HTTP method" | |
| }, | |
| { | |
| "condition_type": "string", | |
| "condition_value": "path=", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "path=(.+?)(\\s|$)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "path", | |
| "title": "Path" | |
| }, | |
| { | |
| "condition_type": "none", | |
| "condition_value": "", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "view=(.+?)(\\s|$)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "view_duration", | |
| "title": "View duration" | |
| }, | |
| { | |
| "condition_type": "none", | |
| "condition_value": "", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "db=(.+?)(\\s|$)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "db_duration", | |
| "title": "DB Duration" | |
| }, | |
| { | |
| "condition_type": "string", | |
| "condition_value": "duration", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "duration=(.+?)(\\s|$)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "request_duration", | |
| "title": "Request duration" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "\\[([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\]", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "\\[([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\]" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "request_id", | |
| "title": "Request ID" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:\\s+(\\S+)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "remote_addr", | |
| "title": "Remote Address" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx: \\S+ - (\\S+)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 1, | |
| "source_field": "message", | |
| "target_field": "remote_user", | |
| "title": "Remote User" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [ | |
| { | |
| "config": { | |
| "date_format": "dd/MMM/YYYY:HH:mm:ss Z" | |
| }, | |
| "type": "date" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+?\\[(.+?)\\]" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 2, | |
| "source_field": "message", | |
| "target_field": "timestamp", | |
| "title": "Request Timestamp" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+\\[.+\\] \"(\\S+)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 3, | |
| "source_field": "message", | |
| "target_field": "request_verb", | |
| "title": "Request Verb" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+?\"\\S+ (\\S+).+\"" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 4, | |
| "source_field": "message", | |
| "target_field": "request_path", | |
| "title": "Request Path" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+HTTP/(\\S+)\"" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 5, | |
| "source_field": "message", | |
| "target_field": "http_version", | |
| "title": "HTTP Version" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+?HTTP/\\S+\" (\\d+)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 6, | |
| "source_field": "message", | |
| "target_field": "response_status", | |
| "title": "Response Status" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+?HTTP/\\S+\" \\d+ (\\d+)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 7, | |
| "source_field": "message", | |
| "target_field": "response_bytes", | |
| "title": "Response Bytes" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+?HTTP/\\S+\" \\d+ \\d+ \"(.+?)\"" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 9, | |
| "source_field": "message", | |
| "target_field": "http_referer", | |
| "title": "HTTP Referer" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+?HTTP/\\S+\" \\d+ \\d+ \".+?\" \"(.+?)\"" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 8, | |
| "source_field": "message", | |
| "target_field": "http_user_agent", | |
| "title": "HTTP User Agent" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": ".+connection=.+", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "connection=(.+?)\\|" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 10, | |
| "source_field": "message", | |
| "target_field": "connection_id", | |
| "title": "Connection ID" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": ".+connection_requests=.+", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "connection_requests=(.+?)\\|" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 11, | |
| "source_field": "message", | |
| "target_field": "connection_requests", | |
| "title": "Connection requests" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": ".+millis=.+", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "millis=(.+?)>" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 12, | |
| "source_field": "message", | |
| "target_field": "millis", | |
| "title": "Response time" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "^\\S+\\s+nginx:", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "nginx:.+?\\\"(\\S+.+HTTP\\/\\S+)\\\" \\d+" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 13, | |
| "source_field": "message", | |
| "target_field": "message", | |
| "title": "Message" | |
| }, | |
| { | |
| "condition_type": "regex", | |
| "condition_value": "\\[(\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b)\\]", | |
| "converters": [], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "\\[(\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b)\\]" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "remote_addr", | |
| "title": "Remote Address" | |
| }, | |
| { | |
| "condition_type": "string", | |
| "condition_value": "status=", | |
| "converters": [ | |
| { | |
| "config": {}, | |
| "type": "numeric" | |
| } | |
| ], | |
| "cursor_strategy": "copy", | |
| "extractor_config": { | |
| "regex_value": "status=(.+?)(\\s|$)" | |
| }, | |
| "extractor_type": "regex", | |
| "order": 0, | |
| "source_field": "message", | |
| "target_field": "response_status", | |
| "title": "Response Status" | |
| } | |
| ], | |
| "version": "0.20.3" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment