GUI editor to tame mod_security rules



Artifact [1c9872f112]

Artifact 1c9872f112b4020ed69a6b953852ee1eecb8ae2c95cf41204b98c5a97faac96e:

Wiki page [logfmt1/share] by mario 2020-12-16 15:18:01.
D 2020-12-16T15:18:01.385
L logfmt1/share
N text/x-markdown
P 2f0f786c5caa2db317b83333512325913662350967b25ea5af96b1141fae32b9
U mario
W 22516
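`*.fmt` placeholder definitions should go to `/usr/share/logfmt`. They take precedence over the ones bundled in the pip package, or the builtins in `logfmt1.rulesdb`. Because anything placed there overrides the shipped regexes, keep the directory writable only by trusted administrators.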

## apache generic

| placeholder 	 | id 	 | regex 	 	 | grok/fmt-recursion 	 | description/reference 	 |
-------------------------------------------------------------------------------------------
| %a 	 | remote_addr 	 |  [\d.:a-f]+ 	 | - 	 | [???](https://duckduckgo.com/?q=remote_addr) |
| %{c}a 	 | remote_addr 	 |  [\d.:a-f]+ 	 | - 	 | [???](https://duckduckgo.com/?q=remote_addr) |
| %h 	 | remote_host 	 |  [\w\-.:]+ 	 | - 	 | [???](https://duckduckgo.com/?q=remote_host) |
| %{c}h 	 | remote_host 	 |  [\w\-.:]+ 	 | - 	 | [???](https://duckduckgo.com/?q=remote_host) |
| %A 	 | local_address 	 |  [\d.:a-f]+ 	 | - 	 | [???](https://duckduckgo.com/?q=local_address) |
| %u 	 | remote_user 	 |  [\-\w@.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=remote_user) |
| %l 	 | remote_logname 	 |  [\w\-.:]+ 	 | - 	 | [???](https://duckduckgo.com/?q=remote_logname) |
| %t 	 | request_time 	 |  \[?(\d[\d:\w\s:./\-+,;]+)\]? 	 | - 	 | [???](https://duckduckgo.com/?q=request_time) |
| %{u}t 	 | request_time 	 |  \d+/\w+/\d+:\d+:\d+:\d+\.\d+\s\+\d+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_time) |
| %{cu}t 	 | request_time 	 |  \d+-\w+-\d+\s\d+:\d+:\d+\.\d+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_time) |
| %{msec_frac}t 	 | msec_frac 	 |  [\d.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=msec_frac) |
| %{usec_frac}t 	 | usec_frac 	 |  [\d.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=usec_frac) |
| %f 	 | request_file 	 |  [^\s"]+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_file) |
| %b 	 | bytes_sent 	 |  \d+¦- 	 | - 	 | [???](https://duckduckgo.com/?q=bytes_sent) |
| %B 	 | bytes_sent 	 |  \d+¦- 	 | - 	 | [???](https://duckduckgo.com/?q=bytes_sent) |
| %O 	 | bytes_out 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=bytes_out) |
| %I 	 | bytes_in 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=bytes_in) |
| %S 	 | bytes_combined 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=bytes_combined) |
| %E 	 | apr_status 	 |  \w+ 	 | - 	 | [???](https://duckduckgo.com/?q=apr_status) |
| %M 	 | message 	 |  .+ 	 | - 	 | [???](https://duckduckgo.com/?q=message) |
| %L 	 | log_id 	 |  [\w\-\.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=log_id) |
| %{c}L 	 | log_id 	 |  [\w\-\.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=log_id) |
| %{C}L 	 | log_id 	 |  [\w\-\.]* 	 | - 	 | [???](https://duckduckgo.com/?q=log_id) |
| %V 	 | server_name 	 |  [\w\-\.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=server_name) |
| %v 	 | virtual_host 	 |  [\w\-\.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=virtual_host) |
| %p 	 | server_port 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=server_port) |
| %{local}p 	 | server_port 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=server_port) |
| %{canonical}p 	 | canonical_port 	 |  [\w.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=canonical_port) |
| %{remote}p 	 | remote_port 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=remote_port) |
| %P 	 | pid 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=pid) |
| %{g}T 	 | tid 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=tid) |
| %{tid}P 	 | tid 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=tid) |
| %{pid}P 	 | pid 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=pid) |
| %{hextid}P 	 | tid 	 |  \w+ 	 | - 	 | [???](https://duckduckgo.com/?q=tid) |
| %{hexpid}P 	 | pid 	 |  \w+ 	 | - 	 | [???](https://duckduckgo.com/?q=pid) |
| %H 	 | request_protocol 	 |  [\w/\d.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_protocol) |
| %m 	 | request_method 	 |  [\w.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_method) |
| %q 	 | request_query 	 |  \??\S* 	 | - 	 | [???](https://duckduckgo.com/?q=request_query) |
| %F 	 | file_line 	 |  [/\w\-.:(\d)]+ 	 | - 	 | [???](https://duckduckgo.com/?q=file_line) |
| %X 	 | connection_status 	 |  [Xx+\-.\d]+ 	 | - 	 | [???](https://duckduckgo.com/?q=connection_status) |
| %k 	 | keepalives 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=keepalives) |
| %r 	 | request_line 	 |  (?<request_method>\w+) (?<request_path>\S+) (?<request_protocol>[\w/\d.]+) 	 | - 	 | [???](https://duckduckgo.com/?q=request_line) |
| %D 	 | request_duration_microseconds 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_duration_microseconds) |
| %T 	 | request_duration_scaled 	 |  [\d.]+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_duration_scaled) |
| %{s}T 	 | request_duration_seconds 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_duration_seconds) |
| %{us}T 	 | request_duration_microseconds 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_duration_microseconds) |
| %{ms}T 	 | request_duration_milliseconds 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=request_duration_milliseconds) |
| %U 	 | request_uri 	 |  \S+(?<!") 	 | - 	 | [???](https://duckduckgo.com/?q=request_uri) |
| %s 	 | status 	 |  \d+ 	 | - 	 | [???](https://duckduckgo.com/?q=status) |
| %>s 	 | status 	 |  -¦\d\d\d 	 | - 	 | [???](https://duckduckgo.com/?q=status) |
| %R 	 | handler 	 |  [\w:.\-]+ 	 | - 	 | [???](https://duckduckgo.com/?q=handler) |
| %^FU 	 | ttfu 	 |  -¦\d+ 	 | - 	 | [???](https://duckduckgo.com/?q=ttfu) |
| %^FB 	 | ttfb 	 |  -¦\d+ 	 | - 	 | [???](https://duckduckgo.com/?q=ttfb) |
| %^ĴS 	 | json 	 |  \{(?:[\w:,\s\[\]]+¦"(?:[^\\"]+¦\\.)*")\} 	 | - 	 | [???](https://duckduckgo.com/?q=json) |
| %{Referer}i 	 | referer 	 |  [^"]* 	 | - 	 | [???](https://duckduckgo.com/?q=referer) |
| %{User-Agent}i 	 | user_agent 	 |  (?:[^"]+¦\\")* 	 | - 	 | [???](https://duckduckgo.com/?q=user_agent) |
| %\{([^{}]+)\}t 	 | request_time 	 |  None 	 | strftime 	 | [???](https://duckduckgo.com/?q=request_time) |
| %[<>]?\{([\w\-]+)\}[Conexic] 	 | $1 	 |  \S+ 	 | None 	 | [???](https://duckduckgo.com/?q=$1) |
| %\{([\w\-]+)\}\^t[io] 	 | $1 	 |  \S+ 	 | None 	 | [???](https://duckduckgo.com/?q=$1) |


## strftime

| placeholder 	 | id 	 | regex 	 	 | grok/fmt-recursion 	 | description/reference 	 |
-------------------------------------------------------------------------------------------
| %a 	 | tm_wday 	 |  \w+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wday) |
| %A 	 | tm_wday 	 |  \w+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wday) |
| %b 	 | tm_mon 	 |  \w+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mon) |
| %B 	 | tm_mon 	 |  \w+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mon) |
| %c 	 | tm_dt 	 |  [-:/.\w\d]+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_dt) |
| %C 	 | tm_cent 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_cent) |
| %d 	 | tm_mday 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mday) |
| %D 	 | tm_mdy 	 |  \d+/\d+/\d+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mdy) |
| %e 	 | tm_mday 	 |  [\d\s]\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mday) |
| %F 	 | tm_date 	 |  \d\d\d\d-\d\d-\d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_date) |
| %G 	 | tm_wyear 	 |  \d\d\d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wyear) |
| %g 	 | tm_wyearnc 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wyearnc) |
| %h 	 | tm_mon 	 |  \w+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mon) |
| %H 	 | tm_hour 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_hour) |
| %I 	 | tm_hour 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_hour) |
| %j 	 | tm_yday 	 |  \d\d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_yday) |
| %k 	 | tm_hour 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_hour) |
| %l 	 | tm_hour 	 |  [\d\s]\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_hour) |
| %m 	 | tm_mon 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_mon) |
| %M 	 | tm_min 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_min) |
| %n 	 | newline 	 |  \n 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=newline) |
| %p 	 | tm_ampm 	 |  AM¦PM 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_ampm) |
| %P 	 | tm_ampm 	 |  am¦pm 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_ampm) |
| %r 	 | tm_time 	 |  \d\d:\d\d:\d\d [AMPM]{2} 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_time) |
| %R 	 | tm_time 	 |  \d\d:\d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_time) |
| %s 	 | tm_epoch 	 |  \d+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_epoch) |
| %S 	 | tm_sec 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_sec) |
| %t 	 | tab 	 |  \t 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tab) |
| %T 	 | tm_time 	 |  \d\d:\d\d:\d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_time) |
| %u 	 | tm_wday 	 |  [1-7] 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wday) |
| %U 	 | tm_yday 	 |  [0-5]\d¦5[0123] 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_yday) |
| %V 	 | tm_yday 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_yday) |
| %w 	 | tm_wday 	 |  [0-6] 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_wday) |
| %W 	 | tm_yday 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_yday) |
| %x 	 | tm_ldate 	 |  [-./\d]+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_ldate) |
| %X 	 | tm_ltime 	 |  [:.\d]+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_ltime) |
| %y 	 | tm_year 	 |  \d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_year) |
| %Y 	 | tm_year 	 |  \d\d\d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_year) |
| %z 	 | tm_tz 	 |  [-+]\d\d\d\d 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_tz) |
| %Z 	 | tm_tz 	 |  \w+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_tz) |
| %+ 	 | tm_date 	 |  [-/:. \w\d]+ 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=tm_date) |
| %% 	 | percent 	 |  % 	 | - 	 | [strftime(3)](https://www.man7.org/linux/man-pages/man3/strftime.3.html#:~:text=percent) |


## grok

| placeholder 	 | id 	 | regex 	 	 | grok/fmt-recursion 	 | description/reference 	 |
-------------------------------------------------------------------------------------------
| %\{GROK:((?:[^{}]+|\{[^{}]+\})+)\} 	 |  	 |  None 	 | grok 	 | [grok formats](https://duckduckgo.com/?q=grok+format+) |
| %{USERNAME:([\w.\-]+)} 	 | $1 	 |  [a-zA-Z0-9._-]+ 	 | USERNAME 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{USER:([\w.\-]+)} 	 | $1 	 |  [a-zA-Z0-9._-]+ 	 | USER 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{INT:([\w.\-]+)} 	 | $1 	 |  (?:[+-]?(?:[0-9]+)) 	 | INT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{BASE10NUM:([\w.\-]+)} 	 | $1 	 |  (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)¦(?… 	 | BASE10NUM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{NUMBER:([\w.\-]+)} 	 | $1 	 |  (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)… 	 | NUMBER 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{BASE16NUM:([\w.\-]+)} 	 | $1 	 |  (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+)) 	 | BASE16NUM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{BASE16FLOAT:([\w.\-]+)} 	 | $1 	 |  (?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]… 	 | BASE16FLOAT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{POSINT:([\w.\-]+)} 	 | $1 	 |  (?:[1-9][0-9]*) 	 | POSINT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{NONNEGINT:([\w.\-]+)} 	 | $1 	 |  (?:[0-9]+) 	 | NONNEGINT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{WORD:([\w.\-]+)} 	 | $1 	 |  \w+ 	 | WORD 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{NOTSPACE:([\w.\-]+)} 	 | $1 	 |  \S+ 	 | NOTSPACE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SPACE:([\w.\-]+)} 	 | $1 	 |  \s* 	 | SPACE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATA:([\w.\-]+)} 	 | $1 	 |  .*? 	 | DATA 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{GREEDYDATA:([\w.\-]+)} 	 | $1 	 |  .* 	 | GREEDYDATA 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{QUOTEDSTRING:([\w.\-]+)} 	 | $1 	 |  (?>(?<!\)(?>"(?>\.¦[^\"]+)+"¦""¦(?>'(?>\.¦[^\']+)+… 	 | QUOTEDSTRING 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{UUID:([\w.\-]+)} 	 | $1 	 |  [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{1… 	 | UUID 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MAC:([\w.\-]+)} 	 | $1 	 |  (?:(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})¦(?:(?… 	 | MAC 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{CISCOMAC:([\w.\-]+)} 	 | $1 	 |  (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}) 	 | CISCOMAC 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{WINDOWSMAC:([\w.\-]+)} 	 | $1 	 |  (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2}) 	 | WINDOWSMAC 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{COMMONMAC:([\w.\-]+)} 	 | $1 	 |  (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}) 	 | COMMONMAC 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{IPV6:([\w.\-]+)} 	 | $1 	 |  ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}¦:))¦(([0… 	 | IPV6 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{IPV4:([\w.\-]+)} 	 | $1 	 |  (?<![0-9])(?:(?:25[0-5]¦2[0-4][0-9]¦[0-1]?[0-9]{1,… 	 | IPV4 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{IP:([\w.\-]+)} 	 | $1 	 |  (?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}¦:))¦(… 	 | IP 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HOSTNAME:([\w.\-]+)} 	 | $1 	 |  (?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za… 	 | HOSTNAME 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HOST:([\w.\-]+)} 	 | $1 	 |  (?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za… 	 | HOST 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{IPORHOST:([\w.\-]+)} 	 | $1 	 |  (?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A… 	 | IPORHOST 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HOSTPORT:([\w.\-]+)} 	 | $1 	 |  (?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A… 	 | HOSTPORT 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{PATH:([\w.\-]+)} 	 | $1 	 |  (?:(?>/(?>[\w_%!$@:.,-]+¦\.)*)+¦(?>[A-Za-z]+:¦\)(?… 	 | PATH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{UNIXPATH:([\w.\-]+)} 	 | $1 	 |  (?>/(?>[\w_%!$@:.,-]+¦\.)*)+ 	 | UNIXPATH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{TTY:([\w.\-]+)} 	 | $1 	 |  (?:/dev/(pts¦tty([pq])?)(\w+)?/?(?:[0-9]+)) 	 | TTY 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{WINPATH:([\w.\-]+)} 	 | $1 	 |  (?>[A-Za-z]+:¦\)(?:\[^\?*]*)+ 	 | WINPATH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIPROTO:([\w.\-]+)} 	 | $1 	 |  [A-Za-z]+(\+[A-Za-z+]+)? 	 | URIPROTO 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIHOST:([\w.\-]+)} 	 | $1 	 |  (?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A… 	 | URIHOST 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIPATH:([\w.\-]+)} 	 | $1 	 |  (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+ 	 | URIPATH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIPARAM:([\w.\-]+)} 	 | $1 	 |  \?[A-Za-z0-9$.+!*'¦(){},~@#%&/=:;_?\-\[\]]* 	 | URIPARAM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URIPATHPARAM:([\w.\-]+)} 	 | $1 	 |  (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+(?:\?[A-Za-… 	 | URIPATHPARAM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{URI:([\w.\-]+)} 	 | $1 	 |  [A-Za-z]+(\+[A-Za-z+]+)?://(?:[a-zA-Z0-9._-]+(?::[… 	 | URI 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MONTH:([\w.\-]+)} 	 | $1 	 |  (?:Jan(?:uary)?¦Feb(?:ruary)?¦Mar(?:ch)?¦Apr(?:il… 	 | MONTH 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MONTHNUM:([\w.\-]+)} 	 | $1 	 |  (?:0?[1-9]¦1[0-2]) 	 | MONTHNUM 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MONTHNUM2:([\w.\-]+)} 	 | $1 	 |  (?:0[1-9]¦1[0-2]) 	 | MONTHNUM2 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MONTHDAY:([\w.\-]+)} 	 | $1 	 |  (?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9]) 	 | MONTHDAY 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DAY:([\w.\-]+)} 	 | $1 	 |  (?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r… 	 | DAY 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{YEAR:([\w.\-]+)} 	 | $1 	 |  (?>\d\d){1,2} 	 | YEAR 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HOUR:([\w.\-]+)} 	 | $1 	 |  (?:2[0123]¦[01]?[0-9]) 	 | HOUR 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{MINUTE:([\w.\-]+)} 	 | $1 	 |  (?:[0-5][0-9]) 	 | MINUTE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SECOND:([\w.\-]+)} 	 | $1 	 |  (?:(?:[0-5]?[0-9]¦60)(?:[:.,][0-9]+)?) 	 | SECOND 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{TIME:([\w.\-]+)} 	 | $1 	 |  (?!<[0-9])(?:2[0123]¦[01]?[0-9]):(?:[0-5][0-9])(?:… 	 | TIME 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATE_US:([\w.\-]+)} 	 | $1 	 |  (?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦… 	 | DATE_US 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATE_EU:([\w.\-]+)} 	 | $1 	 |  (?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])[./-](… 	 | DATE_EU 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{ISO8601_TIMEZONE:([\w.\-]+)} 	 | $1 	 |  (?:Z¦[+-](?:2[0123]¦[01]?[0-9])(?::?(?:[0-5][0-9])… 	 | ISO8601_TIMEZONE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{ISO8601_SECOND:([\w.\-]+)} 	 | $1 	 |  (?:(?:(?:[0-5]?[0-9]¦60)(?:[:.,][0-9]+)?)¦60) 	 | ISO8601_SECOND 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{TIMESTAMP_ISO8601:([\w.\-]+)} 	 | $1 	 |  (?>\d\d){1,2}-(?:0?[1-9]¦1[0-2])-(?:(?:0[1-9])¦(?:… 	 | TIMESTAMP_ISO8601 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATE:([\w.\-]+)} 	 | $1 	 |  (?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦… 	 | DATE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP:([\w.\-]+)} 	 | $1 	 |  (?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦… 	 | DATESTAMP 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{TZ:([\w.\-]+)} 	 | $1 	 |  (?:[PMCE][SD]T¦UTC) 	 | TZ 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP_RFC822:([\w.\-]+)} 	 | $1 	 |  (?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r… 	 | DATESTAMP_RFC822 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP_RFC2822:([\w.\-]+)} 	 | $1 	 |  (?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r… 	 | DATESTAMP_RFC2822 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP_OTHER:([\w.\-]+)} 	 | $1 	 |  (?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r… 	 | DATESTAMP_OTHER 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{DATESTAMP_EVENTLOG:([\w.\-]+)} 	 | $1 	 |  (?>\d\d){1,2}(?:0[1-9]¦1[0-2])(?:(?:0[1-9])¦(?:[12… 	 | DATESTAMP_EVENTLOG 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SYSLOGTIMESTAMP:([\w.\-]+)} 	 | $1 	 |  (?:Jan(?:uary)?¦Feb(?:ruary)?¦Mar(?:ch)?¦Apr(?:il… 	 | SYSLOGTIMESTAMP 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{PROG:([\w.\-]+)} 	 | $1 	 |  (?:[\w._/%-]+) 	 | PROG 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SYSLOGPROG:([\w.\-]+)} 	 | $1 	 |  (?<program>(?:[\w._/%-]+))(?:\[(?<pid>(?:[1-9][0-… 	 | SYSLOGPROG 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SYSLOGHOST:([\w.\-]+)} 	 | $1 	 |  (?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A… 	 | SYSLOGHOST 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{SYSLOGFACILITY:([\w.\-]+)} 	 | $1 	 |  <(?<facility>(?:[0-9]+)).(?<priority>(?:[0-9]+)… 	 | SYSLOGFACILITY 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{HTTPDATE:([\w.\-]+)} 	 | $1 	 |  (?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])/(?:J… 	 | HTTPDATE 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{QS:([\w.\-]+)} 	 | $1 	 |  (?>(?<!\)(?>"(?>\.¦[^\"]+)+"¦""¦(?>'(?>\.¦[^\']+)+… 	 | QS 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |
| %{LOGLEVEL:([\w.\-]+)} 	 | $1 	 |  ([Aa]lert¦ALERT¦[Tt]race¦TRACE¦[Dd]ebug¦DEBUG¦[Nn]… 	 | LOGLEVEL 	 | [grok formats](https://duckduckgo.com/?q=grok+format+$1) |

Z 470ed870218948de265b31a9f4957ea3