Exception during filter {:event=>#<LogStash::Event:0x6a32edbe @data={"@source"=>"file://ufo/home/wwwlogs/api.xxx.com.log", "@tags"=>[], "@fields"=>{"client_ip"=>["1.1.1.1"], "ident"=>["-"], "auth"=>["-"], "timestamp"=>["01/Mar/2013:17:45:48 +0800"], "verb"=>["POST"], "request"=>["/v1/"], "http_version"=>["1.1"], "domain"=>["api.xxx.com"], "response"=>["200"], "bytes"=>["57"], "referrer"=>["-"]}, "@timestamp"=>"2013-03-01T09:45:49.098Z", "@source_host"=>"ufo", "@source_path"=>"/home/wwwlogs/api.xxx.com.log", "@message"=>"1.1.1.1 - - [01/Mar/2013:17:45:48 +0800] \"POST /v1/ HTTP/1.1\" api.xxx.com 200 57 \"-\" \"Dalvik/1.4.0 (Linux; U; Android 2.3.7; Nexus One Build/MIUI)\" \"-\" \"10.1.3.7:80\" \"200\" - \"application/json-rpc\" \"0.009\" > 0.316", "@type"=>"nginx-access"}, @cancelled=false>, :exception=>#<NoMethodError: undefined method `include?' for nil:NilClass>, :backtrace=>["file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/grok.rb:189:in `filter'", "jar:file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/gems/jls-grok-0.10.8/lib/grok/pure/match.rb:25:in `each_capture'", "org/jruby/RubyArray.java:1612:in `each'", "jar:file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/gems/jls-grok-0.10.8/lib/grok/pure/match.rb:21:in `each_capture'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/grok.rb:186:in `filter'", "org/jruby/RubyArray.java:1612:in `each'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/grok.rb:172:in `filter'", "org/jruby/RubyHash.java:1192:in `each'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/grok.rb:163:in `filter'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/base.rb:88:in `execute'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filterworker.rb:58:in `filter'", "org/jruby/RubyArray.java:1612:in `each'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filterworker.rb:48:in `filter'", "org/jruby/RubyArray.java:1612:in `each'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filterworker.rb:47:in `filter'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filterworker.rb:32:in `run'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/agent.rb:724:in `run_filter'", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/agent.rb:438:in `run_with_config'"], :filter=>#<LogStash::Filters::Grok:0x5461f89e @remove_tag=[], @singles=false, @named_captures_only=true, @pattern=["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"], @drop_if_match=false, @add_tag=[], @tags=[], @type="nginx-access", @keep_empty_captures=false, @params={"type"=>"nginx-access", "break_on_match"=>false, "pattern"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"], "tags"=>[], "exclude_tags"=>[], "add_tag"=>[], "remove_tag"=>[], "add_field"=>{}, "match"=>{"@message"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"]}, "patterns_dir"=>[], "drop_if_match"=>false, "named_captures_only"=>true, "keep_empty_captures"=>false, "singles"=>false}, @logger=#<LogStash::Logger:0x2a23f122 @target=#<IO:fd 2>, @subscriber_lock=#<Mutex:0x86ebaa5>, @data={}, @metrics=#<Cabin::Metrics:0x1d9faaf6 @channel=#<Cabin::Channel:0x5d910bab @subscriber_lock=#<Mutex:0x5d95378a>, @metrics=#<Cabin::Metrics:0x6f717505 @channel=#<Cabin::Channel:0x5d910bab ...>, @metrics={}, @metrics_lock=#<Mutex:0x1b9d46c>>, @data={}, @subscribers={}, @level=:info>, @metrics={}, @metrics_lock=#<Mutex:0x4f28ff56>>, @subscribers={2000=>#<Cabin::Outputs::IO:0x27988ee9 @io=#<IO:fd 2>, @lock=#<Mutex:0x10ce774e>>}, @level=:warn>, @add_field={}, @patterns={"@message"=>#<Grok::Pile:0x36cfec44 @patterns={"NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", "USERNAME"=>"[a-zA-Z0-9_-]+", "USER"=>"%{USERNAME}", "INT"=>"(?:[+-]?(?:[0-9]+))", "BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", "NUMBER"=>"(?:%{BASE10NUM})", "BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", "BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", "POSINT"=>"\\b(?:[1-9][0-9]*)\\b", "NONNEGINT"=>"\\b(?:[0-9]+)\\b", "WORD"=>"\\b\\w+\\b", "NOTSPACE"=>"\\S+", "SPACE"=>"\\s*", "DATA"=>".*?", "GREEDYDATA"=>".*", "QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", "UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", "MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", "CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", "WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", "COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", "IP"=>"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])", "HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "HOST"=>"%{HOSTNAME}", "IPORHOST"=>"(?:%{HOSTNAME}|%{IP})", "HOSTPORT"=>"(?:%{IPORHOST=~/\\./}:%{POSINT})", "PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", "UNIXPATH"=>"(?:/(?:[\\w_%!$@:.,-]+|\\\\.)*)+", "LINUXTTY"=>"(?:/dev/pts/%{NONNEGINT})", "BSDTTY"=>"(?:/dev/tty[pq][a-z0-9])", "TTY"=>"(?:%{BSDTTY}|%{LINUXTTY})", "WINPATH"=>"(?:[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", "URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", "URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", "URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=#%_-]*)+", "URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~#%&/=:;_?-]*", "URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", "URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", "MONTH"=>"\\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\\b", "MONTHNUM"=>"(?:0?[1-9]|1[0-2])", "MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", "DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", "YEAR"=>"[0-9]+", "HOUR"=>"(?:2[0123]|[01][0-9])", "MINUTE"=>"(?:[0-5][0-9])", "SECOND"=>"(?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)", "TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", "DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", "DATE_EU"=>"%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}", "ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", "ISO8601_SECOND"=>"(?:%{SECOND}|60)", "TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", "DATE"=>"%{DATE_US}|%{DATE_EU}", "DATESTAMP"=>"%{DATE}[- ]%{TIME}", "TZ"=>"(?:[PMCE][SD]T)", "DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", "DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", "SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", "PROG"=>"(?:[\\w._/%-]+)", "SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", "SYSLOGHOST"=>"%{IPORHOST}", "SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", "HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", "QS"=>"%{QUOTEDSTRING}", "SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", "COMBINEDAPACHELOG"=>"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{URIPATHPARAM:request}(?: HTTP/%{NUMBER:httpversion})?|-)\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}", "LOGLEVEL"=>"([D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE)", "HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", "HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", "HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", "HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", "HAPROXYHTTP"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"%{WORD:http_verb} %{URIPATHPARAM:http_request}( HTTP/%{NUMBER:http_version}\")?", "HAPROXYTCP"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", "JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9]+", "JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", "JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", "SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", "SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", "CRON_ACTION"=>"[A-Z ]+", "CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", "SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", "NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", "NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", "NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", "NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", "NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", "NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", "NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", "NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", "NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", "NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", "NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", "NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", "NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", "NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", "NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", "NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", "NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", "NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", "NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", "NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", "NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", "NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", "NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", "NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", "NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", "NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", "NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", "NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", "NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", "NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2};", "NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", "NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", "NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", "NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", "NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", "NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", "NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", "NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME})", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601} \#{POSINT:pid}\\] *%{RUBY_LOGLEVEL} -- %{DATA:progname}: %{DATA:message}"}, @pattern_files=[], @logger=#<Cabin::Channel:0x7d528e68 @subscriber_lock=#<Mutex:0x4a67b170>, @metrics=#<Cabin::Metrics:0x5db25639 @channel=#<Cabin::Channel:0x7d528e68 ...>, @metrics={}, @metrics_lock=#<Mutex:0x673ae83d>>, @data={}, @subscribers={4250=>#<Cabin::Outputs::StdlibLogger:0x46932781 @logger=#<Logger:0x6706aa59 @logdev=#<Logger::LogDevice:0x6699ede6 @shift_age=nil, @filename=nil, @dev=#<IO:fd 1>, @mutex=#<Logger::LogDevice::LogDeviceMutex:0x3d1cbaa @mon_count=0, @mon_mutex=#<Mutex:0x429207db>, @mon_owner=nil>, @shift_size=nil>, @formatter=nil, @progname=nil, @default_formatter=#<Logger::Formatter:0x141dd02 @datetime_format=nil>, @level=0>>}, @level=:warn>, @groks=[#<Grok:0x7ae9d933 @regexp=/(?<a0>(?:(?<a1>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))|(?<a2>(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])))) ((?<a3>(?<a4>[a-zA-Z0-9_-]+))|-) ((?<a5>(?<a6>[a-zA-Z0-9_-]+))|-) \[(?<a7>(?<a8>(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))\/(?<a9>\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b)\/(?<a10>[0-9]+):(?<a11>(?!<[0-9])(?<a12>(?:2[0123]|[01][0-9])):(?<a13>(?:[0-5][0-9]))(?::(?<a14>(?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)))(?![0-9])) (?<a15>(?:[+-]?(?:[0-9]+))))\] \"(?:(?<a16>\b\w+\b) ((?<a17>\S+)|-)(?: HTTP\/(?<a18>(?:(?<a19>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))))))?|-)\" ((?<a20>(?<a21>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)))|-) ((?<a22>(?:(?<a23>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))|-) (?:(?<a24>(?:(?<a25>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))|-) \"((?<a26>\S+)|-)\" \"(?<agent>([\w\W]+?)|-)\" \"((?<a27>\b\w+\b)|-)\" \"((?<upstream_host>[\w\W,]+?)|-)\" \"(?<upstream_response>([0-9, ]+?)|-)\" ((?<a28>\b\w+\b)|-) \"(?<upstream_content_type>([\w\W]+?)|-)\" \"(?<upstream_response_time>([0-9,. ]+?)|-)\" > ((?<a29>\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b)|-)/, @patterns={"NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}", "USERNAME"=>"[a-zA-Z0-9_-]+", "USER"=>"%{USERNAME}", "INT"=>"(?:[+-]?(?:[0-9]+))", "BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))", "NUMBER"=>"(?:%{BASE10NUM})", "BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))", "BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b", "POSINT"=>"\\b(?:[1-9][0-9]*)\\b", "NONNEGINT"=>"\\b(?:[0-9]+)\\b", "WORD"=>"\\b\\w+\\b", "NOTSPACE"=>"\\S+", "SPACE"=>"\\s*", "DATA"=>".*?", "GREEDYDATA"=>".*", "QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))", "UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}", "MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})", "CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})", "WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})", "COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})", "IP"=>"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])", "HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)", "HOST"=>"%{HOSTNAME}", "IPORHOST"=>"(?:%{HOSTNAME}|%{IP})", "HOSTPORT"=>"(?:%{IPORHOST=~/\\./}:%{POSINT})", "PATH"=>"(?:%{UNIXPATH}|%{WINPATH})", "UNIXPATH"=>"(?:/(?:[\\w_%!$@:.,-]+|\\\\.)*)+", "LINUXTTY"=>"(?:/dev/pts/%{NONNEGINT})", "BSDTTY"=>"(?:/dev/tty[pq][a-z0-9])", "TTY"=>"(?:%{BSDTTY}|%{LINUXTTY})", "WINPATH"=>"(?:[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+", "URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?", "URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?", "URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=#%_-]*)+", "URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~#%&/=:;_?-]*", "URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?", "URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?", "MONTH"=>"\\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\\b", "MONTHNUM"=>"(?:0?[1-9]|1[0-2])", "MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])", "DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)", "YEAR"=>"[0-9]+", "HOUR"=>"(?:2[0123]|[01][0-9])", "MINUTE"=>"(?:[0-5][0-9])", "SECOND"=>"(?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)", "TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])", "DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}", "DATE_EU"=>"%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}", "ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))", "ISO8601_SECOND"=>"(?:%{SECOND}|60)", "TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?", "DATE"=>"%{DATE_US}|%{DATE_EU}", "DATESTAMP"=>"%{DATE}[- ]%{TIME}", "TZ"=>"(?:[PMCE][SD]T)", "DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}", "DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}", "SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}", "PROG"=>"(?:[\\w._/%-]+)", "SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?", "SYSLOGHOST"=>"%{IPORHOST}", "SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>", "HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}", "QS"=>"%{QUOTEDSTRING}", "SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", "COMBINEDAPACHELOG"=>"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{URIPATHPARAM:request}(?: HTTP/%{NUMBER:httpversion})?|-)\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}", "LOGLEVEL"=>"([D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE)", "HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])", "HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}", "HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}", "HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}", "HAPROXYHTTP"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"%{WORD:http_verb} %{URIPATHPARAM:http_request}( HTTP/%{NUMBER:http_version}\")?", "HAPROXYTCP"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}", "JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9]+", "JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)", "JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)", "SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:", "SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?", "CRON_ACTION"=>"[A-Z ]+", "CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)", "SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}", "NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]", "NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE", "NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE", "NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION", "NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION", "NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT", "NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT", "NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT", "NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT", "NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT", "NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT", "NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK", "NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK", "NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER", "NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER", "NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND", "NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION", "NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK", "NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK", "NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK", "NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK", "NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT", "NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT", "NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME", "NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME", "NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}", "NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", "NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", "NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}", "NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}", "NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", "NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", "NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2};", "NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", "NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", "NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}", "NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}", "NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", "NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}", "NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}", "NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME})", "RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)", "RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601} \#{POSINT:pid}\\] *%{RUBY_LOGLEVEL} -- %{DATA:progname}: %{DATA:message}"}, @pattern="%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)", @expanded_pattern="(?<a0>(?:(?<a1>\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b))|(?<a2>(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])))) ((?<a3>(?<a4>[a-zA-Z0-9_-]+))|-) ((?<a5>(?<a6>[a-zA-Z0-9_-]+))|-) \\[(?<a7>(?<a8>(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))/(?<a9>\\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\\b)/(?<a10>[0-9]+):(?<a11>(?!<[0-9])(?<a12>(?:2[0123]|[01][0-9])):(?<a13>(?:[0-5][0-9]))(?::(?<a14>(?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?)))(?![0-9])) (?<a15>(?:[+-]?(?:[0-9]+))))\\] \\\"(?:(?<a16>\\b\\w+\\b) ((?<a17>\\S+)|-)(?: HTTP/(?<a18>(?:(?<a19>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))))))?|-)\\\" ((?<a20>(?<a21>\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)))|-) ((?<a22>(?:(?<a23>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+))))))|-) (?:(?<a24>(?:(?<a25>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+))))))|-) \\\"((?<a26>\\S+)|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"((?<a27>\\b\\w+\\b)|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" ((?<a28>\\b\\w+\\b)|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > ((?<a29>\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b)|-)", @capture_map={"a0"=>"IPORHOST:client_ip", "a1"=>"HOSTNAME", "a2"=>"IP", "a3"=>"USER:ident", "a4"=>"USERNAME", "a5"=>"USER:auth", "a6"=>"USERNAME", "a7"=>"HTTPDATE:timestamp", "a8"=>"MONTHDAY", "a9"=>"MONTH", "a10"=>"YEAR", "a11"=>"TIME", "a12"=>"HOUR", "a13"=>"MINUTE", "a14"=>"SECOND", "a15"=>"INT", "a16"=>"WORD:verb", "a17"=>"NOTSPACE:request", "a18"=>"NUMBER:http_version", "a19"=>"BASE10NUM", "a20"=>"HOST:domain", "a21"=>"HOSTNAME", "a22"=>"NUMBER:response", "a23"=>"BASE10NUM", "a24"=>"NUMBER:bytes", "a25"=>"BASE10NUM", "a26"=>"NOTSPACE:referrer", "a27"=>"WORD:x_forword", "a28"=>"WORD:upstream_cache_status", "a29"=>"BASE16FLOAT:request_time"}, @logger=#<Cabin::Channel:0x7d528e68 @subscriber_lock=#<Mutex:0x4a67b170>, @metrics=#<Cabin::Metrics:0x5db25639 @channel=#<Cabin::Channel:0x7d528e68 ...>, @metrics={}, @metrics_lock=#<Mutex:0x673ae83d>>, @data={}, @subscribers={4250=>#<Cabin::Outputs::StdlibLogger:0x46932781 @logger=#<Logger:0x6706aa59 @logdev=#<Logger::LogDevice:0x6699ede6 @shift_age=nil, @filename=nil, @dev=#<IO:fd 1>, @mutex=#<Logger::LogDevice::LogDeviceMutex:0x3d1cbaa @mon_count=0, @mon_mutex=#<Mutex:0x429207db>, @mon_owner=nil>, @shift_size=nil>, @formatter=nil, @progname=nil, @default_formatter=#<Logger::Formatter:0x141dd02 @datetime_format=nil>, @level=0>>}, @level=:warn>>]>}, @threadsafe=true, @patternfiles=["file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/firewalls", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/grok-patterns", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/haproxy", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/java", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/linux-syslog", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/nagios", "file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/patterns/ruby"], @patterns_dir=["file:/usr/local/logstash/logstash-1.1.5-monolithic.jar!/logstash/filters/../../patterns/*"], @config={"type"=>"nginx-access", "break_on_match"=>false, "pattern"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"], "tags"=>[], "exclude_tags"=>[], "add_tag"=>[], "remove_tag"=>[], "add_field"=>{}, "match"=>{"@message"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"]}, "patterns_dir"=>[], "drop_if_match"=>false, "named_captures_only"=>true, "keep_empty_captures"=>false, "singles"=>false}, @break_on_match=false, @match={"@message"=>["%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \\[%{HTTPDATE:timestamp}\\] \\\"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\\\" (%{HOST:domain}|-) (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \\\"(%{NOTSPACE:referrer}|-)\\\" \\\"(?<agent>([\\w\\W]+?)|-)\\\" \\\"(%{WORD:x_forword}|-)\\\" \\\"((?<upstream_host>[\\w\\W,]+?)|-)\\\" \\\"(?<upstream_response>([0-9, ]+?)|-)\\\" (%{WORD:upstream_cache_status}|-) \\\"(?<upstream_content_type>([\\w\\W]+?)|-)\\\" \\\"(?<upstream_response_time>([0-9,. ]+?)|-)\\\" > (%{BASE16FLOAT:request_time}|-)"]}, @exclude_tags=[]>, :level=>:warn}
|