
@pysysops
Created October 10, 2016 15:47
# This file is managed by Puppet. ANY MANUAL CHANGES WILL BE DESTROYED
# Long log messages are trimmed: every log_message / caused_by capture in this
# file is bounded by [\w\W]{0,2500}, i.e. at most 2500 characters, newlines included.
# Text past the cap is not part of the captured field; whether it survives
# anywhere depends on the filter keeping the original event text (not shown here).
#
# WebLogic server log lines: "<timestamp o'clock TZ> <severity> <topic> ...".
# Four layouts, from most to least specific.
# Layout 1: host, optional server name, optional ExecuteThread details.
WLS_FORMAT_1 <%{DATA:wls_timestamp} o'clock %{DATA}> <%{WORD:severity}> <%{DATA:wls_topic}> <%{HOST:hostname}> <(%{WORD:server})?>( <(\[%{DATA:thread_status}\] )?ExecuteThread: '%{INT:thread_nr}' for queue: '%{DATA:thread_queue}'>)? (?<log_message>[\w\W]{0,2500})
# Layout 2: host and optional server name, no thread details.
WLS_FORMAT_2 <%{DATA:wls_timestamp} o'clock %{DATA}> <%{WORD:severity}> <%{DATA:wls_topic}> <%{HOST:hostname}> <(%{WORD:server})?> (?<log_message>[\w\W]{0,2500})
# Layout 3: a single <subsystem> field after the topic.
# NOTE(review): the trailing "?" applies only to the closing ">", not to the
# whole <subsystem> group; confirm that this is intended.
WLS_FORMAT_3 <%{DATA:wls_timestamp} o'clock %{DATA}> <%{WORD:severity}> <%{DATA:wls_topic}> <%{HOST:subsystem}>? (?<log_message>[\w\W]{0,2500})
# Layout 4: timestamp, severity and topic only.
WLS_FORMAT_4 <%{DATA:wls_timestamp} o'clock %{DATA}> <%{WORD:severity}> <%{DATA:wls_topic}> (?<log_message>[\w\W]{0,2500})
# Alternation of the four layouts; alternatives are tried left to right.
WLS_FORMAT %{WLS_FORMAT_1}|%{WLS_FORMAT_2}|%{WLS_FORMAT_3}|%{WLS_FORMAT_4}
# "Caused by:" plus up to 2500 following characters, captured as caused_by.
CAUSED_BY (?<caused_by>(Caused by\:[\w\W]{0,2500}))
# log4j layout 1: "[LEVEL] <ISO8601 timestamp> - <thread> - <message>", with
# optional whitespace around each part.
# The thread capture accepts only word characters and dots, so a thread name
# containing "-" or spaces does not match this layout.
LOG4J_FORMAT_1 \[%{DATA:log_level}([\s]+)?\]([\s]+)?%{TIMESTAMP_ISO8601:timestamp}([\s]+)?-([\s]+)?(?<thread>[\d\w\.]+)([\s]+)?-([\s]+)?(?<log_message>[\w\W]{0,2500})
# log4j layout 2: "[<ISO8601 timestamp>] LEVEL <thread> - <message>".
# NOTE(review): the opening "[" is optional but the closing "]" is required;
# confirm that an unbracketed timestamp is not expected to match.
LOG4J_FORMAT_2 \[?%{TIMESTAMP_ISO8601:timestamp}\]%{SPACE}%{WORD:log_level}%{SPACE}(?<thread>[\d\w\.]+)%{SPACE}-%{SPACE}(?<log_message>[\w\W]{0,2500})
# Dotted class name ending in "Exception". It has no capture name of its own,
# and class names ending in anything else (for example "Error") are not matched.
EXCEPTION [\w]+[\.]+[\w\.]+Exception
# Catalina layout 1: "<time>,<number> LEVEL <class> - [<thread>] <message>".
# log_time is captured as free text (DATA); it is not validated as a timestamp,
# and the number after the comma is matched but not stored in a field.
CATALINA_FORMAT_1 %{DATA:log_time},%{NUMBER} %{WORD:log_level} %{DATA:class}%{SPACE}- \[%{DATA:thread}\] (?<log_message>[\w\W]{0,2500})
# Catalina layout 2: "[<thread>]<time>,<number>[LEVEL] - <message>".
CATALINA_FORMAT_2 \[%{DATA:thread}\]%{DATA:log_time},%{NUMBER}\[%{WORD:log_level}\]%{SPACE}- (?<log_message>[\w\W]{0,2500})
# Either Catalina layout; layout 1 is tried first.
CATALINA_FORMAT %{CATALINA_FORMAT_1}|%{CATALINA_FORMAT_2}
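# HH:MM:SS that is not embedded in a longer run of digits.
# The leading guard is a negative lookbehind, (?<![0-9]). Written as "(?!<[0-9])"
# it is a lookahead for a literal "<" followed by a digit, which can never
# reject anything in front of %{HOUR}.
HAPROXYTIME (?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
# HAProxy accept date, e.g. 06/Feb/2009:12:14:14.655 (constructed sample).
# The separator before the milliseconds is an escaped literal dot; an unescaped
# "." would accept any character in that position.
HAPROXYDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{HAPROXYTIME}\.%{INT}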
# HAProxy HTTP log line. Points to know when consuming the parsed event:
#  - captured_request_cookie / captured_response_cookie store whatever cookie
#    values the line carries. Presumably these can include session identifiers,
#    depending on the haproxy capture settings; confirm, and restrict access to
#    or drop these fields if so.
#  - A user name in the URL is captured as http_user. The ":password" part is
#    matched by (?::[^@]*)? but not stored in a field.
#  - time_duration, bytes_read and retries are NOTSPACE rather than INT, so
#    non-numeric characters are accepted; convert before numeric queries.
#  - "<BADREQ>" is accepted in place of a request line; the http_* request
#    fields are then not set.
HAPROXYLOG %{IP:client}:%{INT:port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{NOTSPACE:captured_request_cookie} %{NOTSPACE:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} \"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\"
# Card-number-shaped digit runs in free text. Presumably used to find or mask
# PANs before events are stored; confirm against the filter that references it.
# Two branches, each delimited by \b:
#  - 15 digits grouped 4-6-5, starting 34 or 37
#  - 16 digits grouped 4-4-4-4, starting 4x, 51-55, 65 or 6011
# Groups may be separated by one space, one hyphen or nothing, and the same
# separator must be used throughout (back-references \2 and \7).
# The negative lookaheads skip obvious filler: a group made of one repeated
# digit, and runs such as 1234 / 123456.
# Limits to keep in mind if this is relied on for redaction:
#  - No checksum (Luhn) validation, so any digit run of the right shape matches.
#  - Numbers with other prefixes or lengths are not matched (for example
#    Mastercard 2-series BINs or 19-digit PANs), nor are other separators.
#  - \b requires a non-word character on each side, so a number directly
#    adjacent to a letter, digit or underscore is not matched.
CREDITCARDNUMBER \b(3[47]\d{2}([ -]?)(?!(\d)\3{5}|123456|234567|345678)\d{6}\2(?!(\d)\4{4})\d{5}|((4\d|5[1-5]|65)\d{2}|6011)([ -]?)(?!(\d)\8{3}|1234|3456|5678)\d{4}\7(?!(\d)\9{3})\d{4}\7\d{4})\b
# XML gateway events in syslog form:
# "<priority>timestamp [source] type: access session code level ...".
# Layouts 1 and 2 are access-log style (client IP, verb, request, status, bytes,
# host header); layouts 3 and 4 keep the remainder as free text.
# request is URIPATHPARAM, so any query string is stored in the field as well.
# Presumably it can carry tokens or other parameters worth protecting; confirm
# what the gateway logs.
# Layout 1: with log_source and three trailing numbers (the last stored as timing).
XMLGATEWAY_1 <%{POSINT:priority}>%{SYSLOGTIMESTAMP:log_timestamp} %{IPORHOST:log_source} %{WORD:log_type}: %{WORD:access} %{WORD:session} %{WORD:code} %{WORD:log_level} %{IPORHOST:clientip} %{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} %{NUMBER:status} (?:%{NUMBER:bytes}|-) %{IPORHOST:host_header} %{NUMBER} %{NUMBER} (?:%{NUMBER:timing}|-)
# Layout 2: no log_source and no trailing numbers.
XMLGATEWAY_2 <%{POSINT:priority}>%{SYSLOGTIMESTAMP:log_timestamp} %{WORD:log_type}: %{WORD:access} %{WORD:session} %{WORD:code} %{WORD:log_level} %{IPORHOST:clientip} %{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} %{NUMBER:status} (?:%{NUMBER:bytes}|-) %{IPORHOST:host_header}
# Layout 3: with log_source; everything after log_level goes to logmessage.
# Note that the field is "logmessage" here, not "log_message" as in the other
# patterns in this file, and it is unbounded (GREEDYDATA, no 2500-character cap).
XMLGATEWAY_3 <%{POSINT:priority}>%{SYSLOGTIMESTAMP:log_timestamp} %{IPORHOST:log_source} %{WORD:log_type}: %{WORD:access} %{WORD:session} %{WORD:code} %{WORD:log_level} %{GREEDYDATA:logmessage}
# Layout 4: as layout 3 without log_source.
XMLGATEWAY_4 <%{POSINT:priority}>%{SYSLOGTIMESTAMP:log_timestamp} %{WORD:log_type}: %{WORD:access} %{WORD:session} %{WORD:code} %{WORD:log_level} %{GREEDYDATA:logmessage}
# Any of the four layouts, tried in the order listed.
XMLGATEWAY %{XMLGATEWAY_1}|%{XMLGATEWAY_2}|%{XMLGATEWAY_3}|%{XMLGATEWAY_4}