Patterns documentation
This page is a generated reference of every pattern loaded by crowdsec. Patterns are listed in order of increasing pattern length and are intended for use inside parsers, referenced as `%{PATTERN_NAME}` (or `%{PATTERN_NAME:field}` to capture the match into a named field, as several of the compound patterns below do, e.g. `%{POSINT:pid}`).

Note that a pattern only constrains what the regular expression accepts, and some of the building blocks here accept almost anything: `GREEDYDATA` is `.*`, `DATA` is `.*?`, `NOTSPACE` is `\S+`, and `QS`/`QUOTEDSTRING`-based captures take whatever sits between the quotes. A field captured through one of these is therefore unvalidated log input, not a sanitized value, and should be treated as such (for instance by matching it against a stricter pattern such as `%{IP}` or `%{NUMBER}`) before being used in a scenario or enrichment.
MONGO3_SEVERITY
Pattern :
\w
GREEDYDATA
Pattern :
.*
RAIL_ACTION
Pattern :
\w+
NOTSPACE
Pattern :
\S+
SPACE
Pattern :
\s*
DATA
Pattern :
.*?
JAVALOGMESSAGE
Pattern :
(.*)
NOTDQUOTE
Pattern :
[^"]*
DAY2
Pattern :
\d{2}
RAILS_CONSTROLLER
Pattern :
[^#]+
RUUID
Pattern :
\s{32}
SYSLOG5424PRINTASCII
Pattern :
[!-~]+
BACULA_JOB
Pattern :
%{USER}
BACULA_VERSION
Pattern :
%{USER}
CRON_ACTION
Pattern :
[A-Z ]+
BACULA_DEVICE
Pattern :
%{USER}
WORD
Pattern :
\b\w+\b
BACULA_VOLUME
Pattern :
%{USER}
TZ
Pattern :
[A-Z]{3}
MONGO3_COMPONENT
Pattern :
%{WORD}|-
NUMTZ
Pattern :
[+-]\d{4}
MINUTE
Pattern :
[0-5][0-9]
NAGIOS_TYPE_HOST_ALERT
Pattern :
HOST ALERT
NONNEGINT
Pattern :
\b[0-9]+\b
MONGO_WORDDASH
Pattern :
\b[\w-]+\b
USER
Pattern :
%{USERNAME}
BACULA_DEVICEPATH
Pattern :
%{UNIXPATH}
REDISLOG1
Pattern :
%{REDISLOG}
SYSLOGHOST
Pattern :
%{IPORHOST}
SYSLOG5424SD
Pattern :
\[%{DATA}\]+
NUMBER
Pattern :
%{BASE10NUM}
ISO8601_SECOND
Pattern :
%{SECOND}|60
MONTHNUM2
Pattern :
0[1-9]|1[0-2]
NGUSER
Pattern :
%{NGUSERNAME}
EXIM_PID
Pattern :
\[%{POSINT}\]
YEAR
Pattern :
(?:\d\d){1,2}
BACULA_HOST
Pattern :
[a-zA-Z0-9-]+
NAGIOS_TYPE_SERVICE_ALERT
Pattern :
SERVICE ALERT
MONTHNUM
Pattern :
0?[1-9]|1[0-2]
CISCO_XLATE_TYPE
Pattern :
static|dynamic
RAILS_CONTEXT
Pattern :
(?:%{DATA}\n)*
BACULA_LOG_ENDPRUNE
Pattern :
End auto prune.
USERNAME
Pattern :
[a-zA-Z0-9._-]+
POSINT
Pattern :
\b[1-9][0-9]*\b
QS
Pattern :
%{QUOTEDSTRING}
MODSECRULEVERS
Pattern :
\[ver "[^"]+"\]
INT
Pattern :
[+-]?(?:[0-9]+)
IP
Pattern :
%{IPV6}|%{IPV4}
NAGIOS_EC_ENABLE_SVC_CHECK
Pattern :
ENABLE_SVC_CHECK
NAGIOS_TYPE_EXTERNAL_COMMAND
Pattern :
EXTERNAL COMMAND
NAGIOS_EC_ENABLE_HOST_CHECK
Pattern :
ENABLE_HOST_CHECK
NAGIOS_TYPE_HOST_NOTIFICATION
Pattern :
HOST NOTIFICATION
NAGIOS_EC_DISABLE_SVC_CHECK
Pattern :
DISABLE_SVC_CHECK
IPORHOST
Pattern :
%{IP}|%{HOSTNAME}
DATESTAMP
Pattern :
%{DATE}[- ]%{TIME}
NAGIOS_EC_DISABLE_HOST_CHECK
Pattern :
DISABLE_HOST_CHECK
NAGIOS_TYPE_HOST_EVENT_HANDLER
Pattern :
HOST EVENT HANDLER
NAGIOS_TYPE_CURRENT_HOST_STATE
Pattern :
CURRENT HOST STATE
NAGIOS_TYPE_PASSIVE_HOST_CHECK
Pattern :
PASSIVE HOST CHECK
HOUR
Pattern :
2[0123]|[01]?[0-9]
NAGIOS_TYPE_HOST_FLAPPING_ALERT
Pattern :
HOST FLAPPING ALERT
NGUSERNAME
Pattern :
[a-zA-Z\.\@\-\+_%]+
NAGIOS_TYPE_HOST_DOWNTIME_ALERT
Pattern :
HOST DOWNTIME ALERT
BACULA_LOG_BEGIN_PRUNE_FILES
Pattern :
Begin pruning Files.
NAGIOS_TYPE_SERVICE_NOTIFICATION
Pattern :
SERVICE NOTIFICATION
JAVAFILE
Pattern :
(?:[A-Za-z0-9_. -]+)
HOSTPORT
Pattern :
%{IPORHOST}:%{POSINT}
NAGIOS_TYPE_CURRENT_SERVICE_STATE
Pattern :
CURRENT SERVICE STATE
NAGIOS_TYPE_PASSIVE_SERVICE_CHECK
Pattern :
PASSIVE SERVICE CHECK
NAGIOS_TYPE_SERVICE_EVENT_HANDLER
Pattern :
SERVICE EVENT HANDLER
NAGIOS_TYPE_TIMEPERIOD_TRANSITION
Pattern :
TIMEPERIOD TRANSITION
EXIM_FLAGS
Pattern :
(<=|[-=>*]>|[*]{2}|==)
NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT
Pattern :
SERVICE DOWNTIME ALERT
SSHD_CORRUPT_MAC
Pattern :
Corrupted MAC on input
NAGIOS_EC_SCHEDULE_HOST_DOWNTIME
Pattern :
SCHEDULE_HOST_DOWNTIME
PATH
Pattern :
%{UNIXPATH}|%{WINPATH}
EXIM_SUBJECT
Pattern :
(T=%{QS:exim_subject})
NAGIOS_TYPE_SERVICE_FLAPPING_ALERT
Pattern :
SERVICE FLAPPING ALERT
BACULA_LOG_NOPRUNE_JOBS
Pattern :
No Jobs found to prune.
HTTPDUSER
Pattern :
%{EMAILADDRESS}|%{USER}
BACULA_CAPACITY
Pattern :
%{INT}{1,3}(,%{INT}{3})*
EXIM_PROTOCOL
Pattern :
(P=%{NOTSPACE:protocol})
NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS
Pattern :
ENABLE_SVC_NOTIFICATIONS
URIPROTO
Pattern :
[A-Za-z]+(\+[A-Za-z+]+)?
BACULA_LOG_NOPRUNE_FILES
Pattern :
No Files found to prune.
NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME
Pattern :
SCHEDULE_SERVICE_DOWNTIME
MONGO_QUERY
Pattern :
\{ \{ .* \} ntoreturn: \}
PROG
Pattern :
[\x21-\x5a\x5c\x5e-\x7e]+
NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS
Pattern :
DISABLE_SVC_NOTIFICATIONS
NAGIOS_EC_PROCESS_HOST_CHECK_RESULT
Pattern :
PROCESS_HOST_CHECK_RESULT
BACULA_LOG_VSS
Pattern :
(Generate )?VSS (Writer)?
NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS
Pattern :
ENABLE_HOST_NOTIFICATIONS
UNIXPATH
Pattern :
(/([\w_%!$@:.,~-]+|\\.)*)+
EMAILLOCALPART
Pattern :
[a-zA-Z][a-zA-Z0-9_.+-=:]+
URIPATHPARAM
Pattern :
%{URIPATH}(?:%{URIPARAM})?
KITCHEN
Pattern :
\d{1,2}:\d{2}(AM|PM|am|pm)
NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS
Pattern :
DISABLE_HOST_NOTIFICATIONS
NAGIOSTIME
Pattern :
\[%{NUMBER:nagios_epoch}\]
RUBY_LOGLEVEL
Pattern :
DEBUG|FATAL|ERROR|WARN|INFO
TIME
Pattern :
%{HOUR}:%{MINUTE}:%{SECOND}
JAVATHREAD
Pattern :
(?:[A-Z]{2}-Processor[\d]+)
EXIM_MSG_SIZE
Pattern :
(S=%{NUMBER:exim_msg_size})
REDISTIMESTAMP
Pattern :
%{MONTHDAY} %{MONTH} %{TIME}
NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT
Pattern :
PROCESS_SERVICE_CHECK_RESULT
BASE16NUM
Pattern :
[+-]?(?:0x)?(?:[0-9A-Fa-f]+)
ISO8601_TIMEZONE
Pattern :
Z|[+-]%{HOUR}(?::?%{MINUTE})
MODSECRULEID
Pattern :
\[id %{QUOTEDSTRING:ruleid}\]
SYSLOGTIMESTAMP
Pattern :
%{MONTH} +%{MONTHDAY} %{TIME}
SSHD_PACKET_CORRUPT
Pattern :
Disconnecting: Packet corrupt
SYSLOG5424PRI
Pattern :
<%{NONNEGINT:syslog5424_pri}>
EMAILADDRESS
Pattern :
%{EMAILLOCALPART}@%{HOSTNAME}
NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS
Pattern :
ENABLE_HOST_SVC_NOTIFICATIONS
NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS
Pattern :
DISABLE_HOST_SVC_NOTIFICATIONS
URIHOST
Pattern :
%{IPORHOST}(?::%{POSINT:port})?
EXIM_HEADER_ID
Pattern :
(id=%{NOTSPACE:exim_header_id})
SSHD_TUNN_TIMEOUT
Pattern :
Timeout, client not responding.
MODSECRULEREV
Pattern :
\[rev %{QUOTEDSTRING:rulerev}\]
MCOLLECTIVEAUDIT
Pattern :
%{TIMESTAMP_ISO8601:timestamp}:
DATE
Pattern :
%{DATE_US}|%{DATE_EU}|%{DATE_X}
CISCOTAG
Pattern :
[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
WINPATH
Pattern :
(?:[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
DATE_X
Pattern :
%{YEAR}/%{MONTHNUM2}/%{MONTHDAY}
SSHD_INIT
Pattern :
%{SSHD_LISTEN}|%{SSHD_TERMINATE}
HAPROXYCAPTUREDREQUESTHEADERS
Pattern :
%{DATA:captured_request_headers}
CISCO_INTERVAL
Pattern :
first hit|%{INT}-second interval
MODSECRULEFILE
Pattern :
\[file %{QUOTEDSTRING:rulefile}\]
MODSECURI
Pattern :
\[uri ["']%{DATA:targeturi}["']\]
HAPROXYCAPTUREDRESPONSEHEADERS
Pattern :
%{DATA:captured_response_headers}
MODSECRULELINE
Pattern :
\[line %{QUOTEDSTRING:ruleline}\]
MODSECRULEDATA
Pattern :
\[data %{QUOTEDSTRING:ruledata}\]
CISCO_DIRECTION
Pattern :
Inbound|inbound|Outbound|outbound
BACULA_LOG_CANCELLING
Pattern :
Cancelling duplicate JobId=%{INT}.
SECOND
Pattern :
(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?
MODSECRULEMSG
Pattern :
\[msg %{QUOTEDSTRING:rulemessage}\]
SSHD_TUNN_ERR3
Pattern :
error: bind: Address already in use
BACULA_LOG_STARTRESTORE
Pattern :
Start Restore Job %{BACULA_JOB:job}
SYSLOGLINE
Pattern :
%{SYSLOGBASE2} %{GREEDYDATA:message}
COMMONMAC
Pattern :
(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}
WINDOWSMAC
Pattern :
(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2}
SYSLOGPROG
Pattern :
%{PROG:program}(?:\[%{POSINT:pid}\])?
JAVAMETHOD
Pattern :
(?:(<init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)
DATE_US
Pattern :
%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
CISCOMAC
Pattern :
(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}
ELB_URIPATHPARAM
Pattern :
%{URIPATH:path}(?:%{URIPARAM:params})?
MAC
Pattern :
%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC}
MODSECUID
Pattern :
\[unique_id %{QUOTEDSTRING:uniqueid}\]
BACULA_LOG_NOPRIOR
Pattern :
No prior Full backup Job record found.
BACULA_TIMESTAMP
Pattern :
%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}
MODSECMATCHOFFSET
Pattern :
\[offset %{QUOTEDSTRING:matchoffset}\]
DATE_EU
Pattern :
%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
MODSECHOSTNAME
Pattern :
\[hostname ['"]%{DATA:targethost}["']\]
URIPATH
Pattern :
(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+
TTY
Pattern :
/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+)
HTTPD_ERRORLOG
Pattern :
%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}
MONTHDAY
Pattern :
(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]
BACULA_LOG_USEDEVICE
Pattern :
Using Device \"%{BACULA_DEVICE:device}\"
MODSECRULESEVERITY
Pattern :
\[severity ["']%{WORD:ruleseverity}["']\]
ANSIC
Pattern :
%{DAY} %{MONTH} [_123]\d %{TIME} %{YEAR}"