package parser
import "fmt"
// patterns holds the custom grok patterns this package adds. Keys are pattern
// names, referenced from other patterns as %{NAME}; values are the pattern
// bodies. Capture targets use grok's nested-field form %{PATTERN:[a][b]}, and a
// trailing :int / :float is grok's type-conversion suffix for the captured text.
// Base names used here but not defined here (IPORHOST, QUOTEDSTRING, NUMBER,
// NOTSPACE, GREEDYDATA, HOSTNAME, TIMESTAMP_ISO8601, ...) are assumed to come
// from the grok library's default pattern set — confirm against the loader.
var patterns = map[string]string{
	// Everything up to, but not including, the next double quote.
	"GREEDYQUOTE": `[^"]*`,

	// Individual "[key value]" fragments of a ModSecurity error-log line.
	// Each one writes a single field under [modsecurity-error].
	"MODSECCLIENT": `\[client %{IPORHOST:[modsecurity-error][sourcehost]}\]`,
	"MODSECPREFIX": `ModSecurity: %{NOTSPACE:[modsecurity-error][severity]}\. %{GREEDYDATA:[modsecurity-error][message]}`,
	"MODSECRULEFILE": `\[file %{QUOTEDSTRING:[modsecurity-error][rulefile]}\]`,
	"MODSECRULELINE": `\[line %{QUOTEDSTRING:[modsecurity-error][ruleline]}\]`,
	"MODSECMATCHOFFSET": `\[offset %{QUOTEDSTRING:[modsecurity-error][matchoffset]}\]`,
	// Unlike the QUOTEDSTRING fields above, the quotes are matched literally
	// so that only the digits are captured and converted to an int.
	"MODSECRULEID": `\[id \"%{NUMBER:[modsecurity-error][ruleid]:int}\"\]`,
	"MODSECRULEREV": `\[rev %{QUOTEDSTRING:[modsecurity-error][rulerev]}\]`,

	// Anomaly-score messages: split the numeric total score out of the message
	// text. The two variants differ only in the destination field prefix and in
	// whether the surrounding "[msg ...]" brackets are part of the match.
	"MODSECSCOREERROR": `\"Inbound Anomaly Score Exceeded \(Total Inbound Score: %{NUMBER:[modsecurity-error][score]:int}%{GREEDYQUOTE:[modsecurity-error][rulemessage]}\"`,
	// NOTE(review): writes under [app][audit_data] rather than
	// [modsecurity-error] like every other MODSEC* pattern here — presumably
	// intentional for an audit-log path; confirm with its consumer.
	"MODSECSCOREAUDIT": `\[msg \"Inbound Anomaly Score Exceeded \(Total Inbound Score: %{NUMBER:[app][audit_data][score]:int}%{GREEDYQUOTE:[app][audit_data][rulemessage]}\"\]`,
	// Not referenced by MODSECAPACHEERROR below (which uses MODSECRULEMSG2);
	// presumably consumed from another file — verify before removing.
	"MODSECRULEMSG": `%{MODSECSCOREAUDIT}`,
	// Tries the anomaly-score form first, then falls back to any quoted string.
	"MODSECRULEMSG2": `\[msg (?:%{MODSECSCOREERROR}|%{QUOTEDSTRING:[modsecurity-error][rulemessage]})\]`,
	"MODSECRULEDATA": `\[data %{QUOTEDSTRING:[modsecurity-error][ruledata]}\]`,
	"MODSECRULESEVERITY": `\[severity %{QUOTEDSTRING:[modsecurity-error][ruleseverity]}\]`,
	"MODSECRULEVERSION": `\[ver %{QUOTEDSTRING:[modsecurity-error][ruleversion]}\]`,
	"MODSECRULEMATURITY": `\[maturity %{QUOTEDSTRING:[modsecurity-error][rulematurity]}\]`,
	"MODSECRULEACCURACY": `\[accuracy %{QUOTEDSTRING:[modsecurity-error][ruleaccuracy]}\]`,
	// Up to ten tags are captured by position as ruletag0..ruletag9. Any
	// further "[tag ...]" fragments are still matched (so the line parses)
	// but their values are discarded.
	"MODSECRULETAGS": `(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag0]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag1]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag2]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag3]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag4]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag5]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag6]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag7]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag8]}\] )?(?:\[tag %{QUOTEDSTRING:[modsecurity-error][ruletag9]}\] )?(?:\[tag %{QUOTEDSTRING}\] )*`,
	"MODSECHOSTNAME": `\[hostname %{QUOTEDSTRING:[modsecurity-error][targethost]}\]`,
	"MODSECURI": `\[uri %{QUOTEDSTRING:[modsecurity-error][targeturi]}\]`,
	"MODSECUID": `\[unique_id %{QUOTEDSTRING:[modsecurity-error][uniqueid]}\]`,

	// A complete ModSecurity error-log line, assembled from the fragments
	// above in a fixed order. client, prefix, file, line, hostname, uri and
	// unique_id are mandatory; offset through accuracy are each optional and
	// the tag list may be empty.
	"MODSECAPACHEERROR": `%{MODSECCLIENT} %{MODSECPREFIX} %{MODSECRULEFILE} %{MODSECRULELINE} (?:%{MODSECMATCHOFFSET} )?(?:%{MODSECRULEID} )?(?:%{MODSECRULEREV} )?(?:%{MODSECRULEMSG2} )?(?:%{MODSECRULEDATA} )?(?:%{MODSECRULESEVERITY} )?(?:%{MODSECRULEVERSION} )?(?:%{MODSECRULEMATURITY} )?(?:%{MODSECRULEACCURACY} )?%{MODSECRULETAGS}%{MODSECHOSTNAME} %{MODSECURI} %{MODSECUID}`,

	// One router access-log line (the vcap_request_id / app_id fields suggest
	// a Cloud Foundry gorouter "RTR" line — confirm). Numeric fields are
	// converted; the remaining fields are captured verbatim.
	// NOTE(review): x_forwarded_for and x_forwarded_proto come from request
	// headers that the client can set; consumers should not treat them as
	// authoritative for source attribution without knowing the proxy chain.
	"RTR": `%{HOSTNAME:hostname} - \[%{TIMESTAMP_ISO8601:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:path} %{PROG:http_spec}" %{BASE10NUM:status:int} %{BASE10NUM:request_bytes_received:int} %{BASE10NUM:body_bytes_sent:int} "%{GREEDYQUOTE:referer}" "%{GREEDYQUOTE:http_user_agent}" "%{IPORHOST:src_host}:%{POSINT:src_port:int}" "%{IPORHOST:dst_host}:%{POSINT:dst_port:int}" x_forwarded_for:"%{GREEDYQUOTE:x_forwarded_for}" x_forwarded_proto:"%{GREEDYQUOTE:x_forwarded_proto}" vcap_request_id:"%{NOTSPACE:vcap_request_id}" response_time:%{NUMBER:response_time_sec:float} app_id:"%{NOTSPACE:app_id}" app_index:"%{BASE10NUM:app_index:int}"`,

	// Composite timestamp layouts used by the programPatterns entries:
	// e.g. "Mon Jan 02 15:04:05 2006" and "02-Jan-2006 15:04:05" shapes.
	"DATESTAMP_ALT": `%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}`,
	"DATESTAMP_TXT": `%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}`,
}
// programPatterns are whole-line patterns for application program output.
// Every entry captures @level and @message; several also pull program,
// hostname, timestamp or request fields out under [app]. They are exposed to
// grok by programPatternsToGrokPattern, which names them PG0, PG1, ... in
// slice order — so the position of an entry here is part of its name.
var programPatterns = []string{
	// "HH:MM:SS |-LEVEL in logger - message"
	`%{TIME} \|\-%{LOGLEVEL:@level} in %{NOTSPACE:[app][logger]} - %{GREEDYDATA:@message}`,
	// "[CONTAINER] <token> LEVEL message" — the token after [CONTAINER] is
	// matched but not captured.
	`\[CONTAINER\]%{SPACE}%{NOTSPACE}%{SPACE}%{LOGLEVEL:@level}%{SPACE}%{GREEDYDATA:@message}`,
	// "HH:MM:SS program | <HTTP access line> vcap_request_id=... message":
	// captures the request line, status and byte counts under [app] and the
	// request id as @request_id.
	`%{TIME} %{NOTSPACE:[app][program]}%{SPACE}\|%{SPACE}%{HOSTNAME:[app][hostname]} - - \[%{HTTPDATE:[app][timestamp]}\] "%{WORD:[app][verb]} %{URIPATHPARAM:[app][path]} %{PROG:[app][http_spec]}" %{BASE10NUM:[app][status]:int} %{BASE10NUM:[app][request_bytes_received]:int} vcap_request_id=%{NOTSPACE:@request_id} %{GREEDYDATA:@message}`,
	// "HH:MM:SS program | [DATESTAMP_ALT] [core:level] message" — the module
	// name is restricted to core or mpm_event (Apache httpd error-log shape,
	// presumably); only the level after the colon is captured.
	`%{TIME} %{NOTSPACE:[app][program]}%{SPACE}\|%{SPACE}\[%{DATESTAMP_ALT:[app][timestamp]}\] \[(core|mpm_event):%{WORD:@level}\] %{GREEDYDATA:@message}`,
	// "HH:MM:SS program | [DATESTAMP_TXT] LEVEL: message"
	`%{TIME} %{NOTSPACE:[app][program]}%{SPACE}\|%{SPACE}\[%{DATESTAMP_TXT:[app][timestamp]}\] %{LOGLEVEL:@level}: %{GREEDYDATA:@message}`,
}
// programPatternsToGrokPattern exposes programPatterns as named grok patterns.
//
// Each entry becomes the key "PG<i>", where i is its index in programPatterns,
// so the names are positional: inserting or reordering entries renames every
// pattern that follows. A fresh map is returned on every call.
func programPatternsToGrokPattern() map[string]string {
	named := make(map[string]string, len(programPatterns))
	for idx := range programPatterns {
		key := fmt.Sprintf("PG%d", idx)
		named[key] = programPatterns[idx]
	}
	return named
}