{
"iht_apache" : {
"title" : "IHT Apache",
"description" : "The default web access log format for servers like Apache, modified for IHT Spirit.",
"url" : "http://en.wikipedia.org/wiki/Common_Log_Format",
"multiline" : false,
"regex" : {
"ts-first-noquotes" : {
"pattern" : "^(?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?) (?<c_ip>[^ ]+) (?<cs_username>[^ ]+) (?<cs_method>[A-Z]+) (?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))? (?:-1|\\d+) (?<sc_status>\\d+) \\d+\\s*(?<body>.*)"
},
"ts-first" : {
"pattern" : "^(?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?) (?<c_ip>[^ ]+) (?<cs_username>[^ ]+) (?<cs_method>[A-Z]+) \"(?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))?\" (?:-1|\\d+) (?<sc_status>\\d+) \\d+\\s*(?<body>.*)"
},
"std" : {
"pattern" : "^(?<c_ip>[\\w\\.:\\-]+)\\s+[\\w\\.\\-]+\\s+(?<cs_username>\\S+)\\s+\\[(?<timestamp>[^\\]]+)\\] \"(?:\\-|(?<cs_method>\\w+) (?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))? (?<cs_version>[\\w/\\.]+))\" (?<sc_status>\\d+) (?<sc_bytes>\\d+|-)(?: \"(?<cs_referer>[^\"]+)\" \"(?<cs_user_agent>[^\"]+)\")?\\s*(?<body>.*)"
},
"iht" : {
"pattern" : "^(?<c_ip>[\\w\\.:\\-]+)\\s+[\\w\\.\\-]+\\s+(?<cs_username>\\S+)\\s+\\[(?<timestamp>[^\\]]+)\\]/(?<duration>[0-9]+) \"(?:\\-|(?<cs_method>\\w+) (?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))? (?<cs_version>[\\w/\\.]+))\" (?<sc_status>\\d+) (?<sc_bytes>\\d+|-)(?: \"(?<cs_referer>[^\"]+)\" uid:(?<iht_uid>.+) \"(?<cs_user_agent>[^\"]+)\")?\\s*(?<body>.*)"
},
"mod-std" : {
"module-format" : true,
"pattern" : "^(?<c_ip>[\\w\\.:\\-]+)\\s+[\\w\\.\\-]+\\s+(?<cs_username>\\S+)\\s+\"(?:\\-|(?<cs_method>\\w+) (?<cs_uri_stem>[^ \\?]+)(?:\\?(?<cs_uri_query>[^ ]*))? (?<cs_version>[\\w/\\.]+))\" (?<sc_status>\\d+) (?<sc_bytes>\\d+|-)(?: \"(?<cs_referer>[^\"]+)\" \"(?<cs_user_agent>[^\"]+)\")?\\s*(?<body>.*)"
}
},
"level-field": "sc_status",
"level" : {
"error" : "^[^123].*"
},
"opid-field" : "c_ip",
"value" : {
"c_ip" : {
"kind" : "string",
"collate" : "ipaddress",
"identifier" : true
},
"cs_username" : {
"kind" : "string",
"identifier" : true
},
"cs_method" : {
"kind" : "string",
"identifier" : true
},
"cs_uri_stem" : {
"kind" : "string",
"identifier" : true
},
"cs_uri_query" : {
"kind" : "string"
},
"cs_version" : {
"kind" : "string",
"identifier" : true
},
"sc_status" : {
"kind" : "integer",
"foreign-key" : true,
"rewriter" : ";SELECT :sc_status || ' (' || (SELECT message FROM http_status_codes WHERE status = :sc_status) || ') from iht_apache'"
},
"sc_bytes" : {
"kind" : "integer"
},
"duration" : {
"kind" : "integer"
},
"cs_referer" : {
"kind" : "string",
"identifier" : true
},
"cs_user_agent" : {
"kind" : "string",
"identifier" : true
},
"iht_uid" : {
"kind" : "integer",
"foreign-key" : true
},
"timestamp" : {
"kind" : "string"
}
},
"sample" : [
{
"line" : "10.112.72.172 - - [11/Feb/2013:06:43:36 +0000] \"GET /client/ HTTP/1.1\" 200 5778 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17\""
},
{
"line" : "10.1.10.51 - - [23/Dec/2014:21:20:35 +0000] \"POST /api/1/rest/foo/bar HTTP/1.1\" 200 - \"-\" \"-\" 293"
}
]
}
}