GUI editor to tame mod_security rules



Update of "logfmt1/share"


Overview

Artifact ID: 960ffb536c9a4c35dacf8746ea9e150173d3fad3e4e8148f3e7b3152fdd83188
Page Name:logfmt1/share
Date: 2020-12-16 15:20:49
Original User: mario
Mimetype:text/x-markdown
Parent: 1c9872f112b4020ed69a6b953852ee1eecb8ae2c95cf41204b98c5a97faac96e (diff)
Next c2bbcf7ed1477278d254b4b7827d9de7bf37c995bd6bceca82897881475eb315
Content

*.fmt placeholder definitions should go to /usr/share/logfmt. Definitions found there take precedence over the ones bundled in the pip package and over the builtins in logfmt1.rulesdb.

apache generic

placeholder id regex grok/fmt-recursion description/reference
%a remote_addr [\d.:a-f]+ - mod_log_config.c/log_io.c
%{c}a remote_addr [\d.:a-f]+ - mod_log_config.c/log_io.c
%h remote_host [\w\-.:]+ - mod_log_config.c/log_io.c
%{c}h remote_host [\w\-.:]+ - mod_log_config.c/log_io.c
%A local_address [\d.:a-f]+ - mod_log_config.c/log_io.c
%u remote_user [\-\w@.]+ - mod_log_config.c/log_io.c
%l remote_logname [\w\-.:]+ - mod_log_config.c/log_io.c
%t request_time \[?(\d[\d:\w\s:./\-+,;]+)\]? - mod_log_config.c/log_io.c
%{u}t request_time \d+/\w+/\d+:\d+:\d+:\d+\.\d+\s\+\d+ - mod_log_config.c/log_io.c
%{cu}t request_time \d+-\w+-\d+\s\d+:\d+:\d+\.\d+ - mod_log_config.c/log_io.c
%{msec_frac}t msec_frac [\d.]+ - mod_log_config.c/log_io.c
%{usec_frac}t usec_frac [\d.]+ - mod_log_config.c/log_io.c
%f request_file [^\s"]+ - mod_log_config.c/log_io.c
%b bytes_sent \d+¦- - mod_log_config.c/log_io.c
%B bytes_sent \d+¦- - mod_log_config.c/log_io.c
%O bytes_out \d+ - mod_log_config.c/log_io.c
%I bytes_in \d+ - mod_log_config.c/log_io.c
%S bytes_combined \d+ - mod_log_config.c/log_io.c
%E apr_status \w+ - mod_log_config.c/log_io.c
%M message .+ - mod_log_config.c/log_io.c
%L log_id [\w\-\.]+ - mod_log_config.c/log_io.c
%{c}L log_id [\w\-\.]+ - mod_log_config.c/log_io.c
%{C}L log_id [\w\-\.]* - mod_log_config.c/log_io.c
%V server_name [\w\-\.]+ - mod_log_config.c/log_io.c
%v virtual_host [\w\-\.]+ - mod_log_config.c/log_io.c
%p server_port \d+ - mod_log_config.c/log_io.c
%{local}p server_port \d+ - mod_log_config.c/log_io.c
%{canonical}p canonical_port [\w.]+ - mod_log_config.c/log_io.c
%{remote}p remote_port \d+ - mod_log_config.c/log_io.c
%P pid \d+ - mod_log_config.c/log_io.c
%{g}T tid \d+ - mod_log_config.c/log_io.c
%{tid}P tid \d+ - mod_log_config.c/log_io.c
%{pid}P pid \d+ - mod_log_config.c/log_io.c
%{hextid}P tid \w+ - mod_log_config.c/log_io.c
%{hexpid}P pid \w+ - mod_log_config.c/log_io.c
%H request_protocol [\w/\d.]+ - mod_log_config.c/log_io.c
%m request_method [\w.]+ - mod_log_config.c/log_io.c
%q request_query \??\S* - mod_log_config.c/log_io.c
%F file_line [/\w\-.:(\d)]+ - mod_log_config.c/log_io.c
%X connection_status [Xx+\-.\d]+ - mod_log_config.c/log_io.c
%k keepalives \d+ - mod_log_config.c/log_io.c
%r request_line (?<request_method>\w+) (?<request_path>\S+) (?<request_protocol>[\w/\d.]+) - mod_log_config.c/log_io.c
%D request_duration_microseconds \d+ - mod_log_config.c/log_io.c
%T request_duration_scaled [\d.]+ - mod_log_config.c/log_io.c
%{s}T request_duration_seconds \d+ - mod_log_config.c/log_io.c
%{us}T request_duration_microseconds \d+ - mod_log_config.c/log_io.c
%{ms}T request_duration_milliseconds \d+ - mod_log_config.c/log_io.c
%U request_uri \S+(?<!") - mod_log_config.c/log_io.c
%s status \d+ - mod_log_config.c/log_io.c
%>s status -¦\d\d\d - mod_log_config.c/log_io.c
%R handler [\w:.\-]+ - mod_log_config.c/log_io.c
%^FU ttfu -¦\d+ - mod_log_config.c/log_io.c
%^FB ttfb -¦\d+ - mod_log_config.c/log_io.c
%^ĴS json \{(?:[\w:,\s\[\]]+¦"(?:[^\\"]+¦\\.)*")\} - mod_log_config.c/log_io.c
%{Referer}i referer [^"]* - mod_log_config.c/log_io.c
%{User-Agent}i user_agent (?:[^"]+¦\\")* - mod_log_config.c/log_io.c
%{(misref+)}t request_time None strftime mod_log_config.c/log_io.c
%[<>]?{([w-]+)}[Conexic] $1 \S+ None mod_log_config.c/log_io.c
%{([w-]+)}^t[io] $1 \S+ None mod_log_config.c/log_io.c

strftime

placeholder id regex grok/fmt-recursion description/reference
%a tm_wday \w+ - strftime(3)
%A tm_wday \w+ - strftime(3)
%b tm_mon \w+ - strftime(3)
%B tm_mon \w+ - strftime(3)
%c tm_dt [-:/.\w\d]+ - strftime(3)
%C tm_cent \d\d - strftime(3)
%d tm_mday \d\d - strftime(3)
%D tm_mdy \d+/\d+/\d+ - strftime(3)
%e tm_mday [\d\s]\d - strftime(3)
%F tm_date \d\d\d\d-\d\d-\d\d - strftime(3)
%G tm_wyear \d\d\d\d - strftime(3)
%g tm_wyearnc \d\d - strftime(3)
%h tm_mon \w+ - strftime(3)
%H tm_hour \d\d - strftime(3)
%I tm_hour \d\d - strftime(3)
%j tm_yday \d\d\d - strftime(3)
%k tm_hour \d\d - strftime(3)
%l tm_hour [\d\s]\d - strftime(3)
%m tm_mon \d\d - strftime(3)
%M tm_min \d\d - strftime(3)
%n newline \n - strftime(3)
%p tm_ampm AM¦PM - strftime(3)
%P tm_ampm am¦pm - strftime(3)
%r tm_time \d\d:\d\d:\d\d [AMPM]{2} - strftime(3)
%R tm_time \d\d:\d\d - strftime(3)
%s tm_epoch \d+ - strftime(3)
%S tm_sec \d\d - strftime(3)
%t tab \t - strftime(3)
%T tm_time \d\d:\d\d:\d\d - strftime(3)
%u tm_wday [1-7] - strftime(3)
%U tm_yday [0-5]\d¦5[0123] - strftime(3)
%V tm_yday \d\d - strftime(3)
%w tm_wday [0-6] - strftime(3)
%W tm_yday \d\d - strftime(3)
%x tm_ldate [-./\d]+ - strftime(3)
%X tm_ltime [:.\d]+ - strftime(3)
%y tm_year \d\d - strftime(3)
%Y tm_year \d\d\d\d - strftime(3)
%z tm_tz [-+]\d\d\d\d - strftime(3)
%Z tm_tz \w+ - strftime(3)
%+ tm_date [-/:. \w\d]+ - strftime(3)
%% percent % - strftime(3)

grok

placeholder id regex grok/fmt-recursion description/reference
%{GROK:((?:misref+ {misref+})+)} None grok grok formats
%{USERNAME:([w.-]+)} $1 [a-zA-Z0-9._-]+ USERNAME grok formats
%{USER:([w.-]+)} $1 [a-zA-Z0-9._-]+ USER grok formats
%{INT:([w.-]+)} $1 (?:[+-]?(?:[0-9]+)) INT grok formats
%{BASE10NUM:([w.-]+)} $1 (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)¦(?… BASE10NUM grok formats
%{NUMBER:([w.-]+)} $1 (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)… NUMBER grok formats
%{BASE16NUM:([w.-]+)} $1 (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+)) BASE16NUM grok formats
%{BASE16FLOAT:([w.-]+)} $1 (?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]… BASE16FLOAT grok formats
%{POSINT:([w.-]+)} $1 (?:[1-9][0-9]*) POSINT grok formats
%{NONNEGINT:([w.-]+)} $1 (?:[0-9]+) NONNEGINT grok formats
%{WORD:([w.-]+)} $1 \w+ WORD grok formats
%{NOTSPACE:([w.-]+)} $1 \S+ NOTSPACE grok formats
%{SPACE:([w.-]+)} $1 \s* SPACE grok formats
%{DATA:([w.-]+)} $1 .*? DATA grok formats
%{GREEDYDATA:([w.-]+)} $1 .* GREEDYDATA grok formats
%{QUOTEDSTRING:([w.-]+)} $1 (?>(?<!\)(?>"(?>\.¦[^\"]+)+"¦""¦(?>'(?>\.¦[^\']+)+… QUOTEDSTRING grok formats
%{UUID:([w.-]+)} $1 [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{1… UUID grok formats
%{MAC:([w.-]+)} $1 (?:(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})¦(?:(?… MAC grok formats
%{CISCOMAC:([w.-]+)} $1 (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}) CISCOMAC grok formats
%{WINDOWSMAC:([w.-]+)} $1 (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2}) WINDOWSMAC grok formats
%{COMMONMAC:([w.-]+)} $1 (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}) COMMONMAC grok formats
%{IPV6:([w.-]+)} $1 ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}¦:))¦(([0… IPV6 grok formats
%{IPV4:([w.-]+)} $1 (?<![0-9])(?:(?:25[0-5]¦2[0-4][0-9]¦[0-1]?[0-9]{1,… IPV4 grok formats
%{IP:([w.-]+)} $1 (?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}¦:))¦(… IP grok formats
%{HOSTNAME:([w.-]+)} $1 (?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za… HOSTNAME grok formats
%{HOST:([w.-]+)} $1 (?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za… HOST grok formats
%{IPORHOST:([w.-]+)} $1 (?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A… IPORHOST grok formats
%{HOSTPORT:([w.-]+)} $1 (?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A… HOSTPORT grok formats
%{PATH:([w.-]+)} $1 (?:(?>/(?>[\w_%!$@:.,-]+¦\.)*)+¦(?>[A-Za-z]+:¦\)(?… PATH grok formats
%{UNIXPATH:([w.-]+)} $1 (?>/(?>[\w_%!$@:.,-]+¦\.)*)+ UNIXPATH grok formats
%{TTY:([w.-]+)} $1 (?:/dev/(pts¦tty([pq])?)(\w+)?/?(?:[0-9]+)) TTY grok formats
%{WINPATH:([w.-]+)} $1 (?>[A-Za-z]+:¦\)(?:\[^\?*]*)+ WINPATH grok formats
%{URIPROTO:([w.-]+)} $1 [A-Za-z]+(\+[A-Za-z+]+)? URIPROTO grok formats
%{URIHOST:([w.-]+)} $1 (?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A… URIHOST grok formats
%{URIPATH:([w.-]+)} $1 (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+ URIPATH grok formats
%{URIPARAM:([w.-]+)} $1 \?[A-Za-z0-9$.+!*'¦(){},~@#%&/=:;_?\-\[\]]* URIPARAM grok formats
%{URIPATHPARAM:([w.-]+)} $1 (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+(?:\?[A-Za-… URIPATHPARAM grok formats
%{URI:([w.-]+)} $1 [A-Za-z]+(\+[A-Za-z+]+)?://(?:[a-zA-Z0-9._-]+(?::[… URI grok formats
%{MONTH:([w.-]+)} $1 (?:Jan(?:uary)?¦Feb(?:ruary)?¦Mar(?:ch)?¦Apr(?:il… MONTH grok formats
%{MONTHNUM:([w.-]+)} $1 (?:0?[1-9]¦1[0-2]) MONTHNUM grok formats
%{MONTHNUM2:([w.-]+)} $1 (?:0[1-9]¦1[0-2]) MONTHNUM2 grok formats
%{MONTHDAY:([w.-]+)} $1 (?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9]) MONTHDAY grok formats
%{DAY:([w.-]+)} $1 (?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r… DAY grok formats
%{YEAR:([w.-]+)} $1 (?>\d\d){1,2} YEAR grok formats
%{HOUR:([w.-]+)} $1 (?:2[0123]¦[01]?[0-9]) HOUR grok formats
%{MINUTE:([w.-]+)} $1 (?:[0-5][0-9]) MINUTE grok formats
%{SECOND:([w.-]+)} $1 (?:(?:[0-5]?[0-9]¦60)(?:[:.,][0-9]+)?) SECOND grok formats
%{TIME:([w.-]+)} $1 (?!<[0-9])(?:2[0123]¦[01]?[0-9]):(?:[0-5][0-9])(?:… TIME grok formats
%{DATE_US:([w.-]+)} $1 (?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦… DATE_US grok formats
%{DATE_EU:([w.-]+)} $1 (?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])[./-](… DATE_EU grok formats
%{ISO8601_TIMEZONE:([w.-]+)} $1 (?:Z¦[+-](?:2[0123]¦[01]?[0-9])(?::?(?:[0-5][0-9])… ISO8601_TIMEZONE grok formats
%{ISO8601_SECOND:([w.-]+)} $1 (?:(?:(?:[0-5]?[0-9]¦60)(?:[:.,][0-9]+)?)¦60) ISO8601_SECOND grok formats
%{TIMESTAMP_ISO8601:([w.-]+)} $1 (?>\d\d){1,2}-(?:0?[1-9]¦1[0-2])-(?:(?:0[1-9])¦(?:… TIMESTAMP_ISO8601 grok formats
%{DATE:([w.-]+)} $1 (?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦… DATE grok formats
%{DATESTAMP:([w.-]+)} $1 (?:0?[1-9]¦1[0-2])[/-](?:(?:0[1-9])¦(?:[12][0-9])¦… DATESTAMP grok formats
%{TZ:([w.-]+)} $1 (?:[PMCE][SD]T¦UTC) TZ grok formats
%{DATESTAMP_RFC822:([w.-]+)} $1 (?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r… DATESTAMP_RFC822 grok formats
%{DATESTAMP_RFC2822:([w.-]+)} $1 (?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r… DATESTAMP_RFC2822 grok formats
%{DATESTAMP_OTHER:([w.-]+)} $1 (?:Mon(?:day)?¦Tue(?:sday)?¦Wed(?:nesday)?¦Thu(?:r… DATESTAMP_OTHER grok formats
%{DATESTAMP_EVENTLOG:([w.-]+)} $1 (?>\d\d){1,2}(?:0[1-9]¦1[0-2])(?:(?:0[1-9])¦(?:[12… DATESTAMP_EVENTLOG grok formats
%{SYSLOGTIMESTAMP:([w.-]+)} $1 (?:Jan(?:uary)?¦Feb(?:ruary)?¦Mar(?:ch)?¦Apr(?:il… SYSLOGTIMESTAMP grok formats
%{PROG:([w.-]+)} $1 (?:[\w._/%-]+) PROG grok formats
%{SYSLOGPROG:([w.-]+)} $1 (?<program>(?:[\w._/%-]+))(?:\[(?<pid>(?:[1-9][0-… SYSLOGPROG grok formats
%{SYSLOGHOST:([w.-]+)} $1 (?:(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A… SYSLOGHOST grok formats
%{SYSLOGFACILITY:([w.-]+)} $1 <(?<facility>(?:[0-9]+)).(?<priority>(?:[0-9]+)… SYSLOGFACILITY grok formats
%{HTTPDATE:([w.-]+)} $1 (?:(?:0[1-9])¦(?:[12][0-9])¦(?:3[01])¦[1-9])/(?:J… HTTPDATE grok formats
%{QS:([w.-]+)} $1 (?>(?<!\)(?>"(?>\.¦[^\"]+)+"¦""¦(?>'(?>\.¦[^\']+)+… QS grok formats
%{LOGLEVEL:([w.-]+)} $1 ([Aa]lert¦ALERT¦[Tt]race¦TRACE¦[Dd]ebug¦DEBUG¦[Nn]… LOGLEVEL grok formats

  1. ^ a b c Misreference