Custom

# Allow alternate timestamps for syslog entries
FULLSYSLOGTIMESTAMP %{SYSLOGTIMESTAMP:default_syslog_timestamp}|%{TIMESTAMP_ISO8601}

# Grok patterns for iptables:
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
NETFILTERMAC %{COMMONMAC:destination_mac}:%{COMMONMAC:source_mac}:%{ETHTYPE:eth_type}
IPTABLES (?:%{GREEDYDATA:label}: )?(?:IN=(%{WORD:input_interface})? OUT=(%{WORD:output_interface})?) (?:MAC=(?:%{NETFILTERMAC})? )?SRC=%{IP:source_ip} DST=%{IP:destination_ip}.*TTL=%{INT:ttl}?.*PROTO=%{WORD:protocol}?.*SPT=%{INT:source_port}?.*DPT=%{INT:destination_port}?

# Sendmail SMTP Queue IDs
# version indicated is latest version where format is used. See the O'Reilly Sendmail "Bat Book" for QID makeup by version.
SENDMAIL_QID_85 [A-Z~][A-Z][0-9]+
SENDMAIL_QID_89 [A-X]%{SENDMAIL_QID_85}
SENDMAIL_QID_814 [0-9A-Za-x]{7,8}[0-9]+
SENDMAIL_QID %{SENDMAIL_QID_85}|%{SENDMAIL_QID_89}|%{SENDMAIL_QID_814}

# Unixtime with milliseconds
UNIX_MSEC (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]{3})?)|(?:\.[0-9]+)))

# SSH Authentication key ID
SSH_KEYID (?:(?:[A-Fa-f0-9]{2}:)*[A-Fa-f0-9]{2})

# custom HOSTNAME, adding an underscore (including at the start of a token)
HOSTNAME \b(?:[0-9A-Za-z_][0-9A-Za-z\-_]{0,62})(?:\.(?:[0-9A-Za-z_][0-9A-Za-z\-_]{0,62}))*(\.?|\b)

# customized HOSTNAME and IPORHOST for PassiveDNS entries, which may use a bare '.' as a hostname and a forward slash (needed for some reverse DNS lookups such as 135.128/27.224.16.206.in-addr.arpa)
PDNS_HOSTNAME (?:%{HOSTNAME}|\.\/)
PDNS_IPORHOST (?:%{IP}|%{PDNS_HOSTNAME})
PDNS_ANSWER (?:%{PDNS_IPORHOST}|%{NOTPIPE})

# Email addresses
EMAILADDRESSLOCALPART [a-zA-Zа-яА-Я][a-zA-Zа-яА-Я0-9_.+-=:]+
EMAILADDRESS %{EMAILADDRESSLOCALPART}@%{HOSTNAME}

# Custom URI path, to accommodate "OPTIONS * HTTP/1.0" requests
URIPATH_CUSTOM %{URIPATH}|\*

# custom HTTPD common format (should flow to the combined format) to allow email address as the username, separate out query string from stub request
HTTPDUSER %{EMAILADDRESS}|%{WORD}[/\\]%{USER}|%{USER}
COMMONAPACHELOG_CUSTOM %{IPORHOST:source_ip} %{HTTPDUSER:ident} %{HTTPDUSER:username} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:request_method} (?:%{WORD:protocol}://)?(?:%{HOSTNAME:hostname}(?::%{POSINT:destination_port})?)?(?:%{URIPATH_CUSTOM:request})?(?:\?%{NOTSPACE:query_string})?(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response_code} (?:%{NUMBER:destination_bytes}|-)
COMMONPROXYLOG_CUSTOM %{COMMONAPACHELOG_CUSTOM} %{WORD:proxy_cachestatus}:%{WORD:proxy_hierarchystatus}
COMBINEDAPACHELOG_CUSTOM (?:%{COMMONAPACHELOG_CUSTOM}) %{QS:referrer} %{QS:useragent}
COMBINEDPROXYLOG_CUSTOM %{COMBINEDAPACHELOG_CUSTOM} %{WORD:proxy_cachestatus}:%{WORD:proxy_hierarchystatus}

# hours:minutes:seconds, to allow any number of hours
HMS (?:[0-9]+):%{MINUTE}(?::%{SECOND})(?![0-9])

# anything but an equal sign
NOTEQUAL [^=]+

# anything but a colon
NOTCOLON [^:]+

# anything but a pipe
NOTPIPE [^|]+

# guid
GUID [0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}

# S3 Bucket Name hash
AWSACCOUNTID (?:[0-9a-fA-f]{64}|[0-9]{12}|arn:%{NOTSPACE}|-)