rsyslog (protocol 23 format)
Provided by Walter Brock. You can discuss on this log here.
"syslog1": {
"display" : "Syslog",
"path" : "/var/log/syslog",
"refresh" : 20,
"max" : 20,
"notify" : false,
"format" : {
"regex": "|<([0-9]{1,3})>([0-9]) ([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?) (.*?) (.*?) (.*?) (.*?)$|",
"match": {
"Date" : 3,
"Time" : 3,
"Source" : 5,
"PID" : 6,
"Message" : 9
},
"types": {
"Date" : "date:d:M:Y",
"Time" : "date:H:i:s",
"Source" : "txt",
"PID" : "numeral",
"Message" : "txt"
}
}
}
It matches these logs:
<78>1 2014-01-12T20:05:01.519247-05:00 somebody 17541 - - (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
<27>1 2014-01-12T20:06:05.777351-05:00 somebody smbd 17567 - - [2014/01/12 20:06:05.777159, 0] printing/print_cups.c:110(cups_connect)
<27>1 2014-01-12T20:06:05.783069-05:00 somebody smbd 17567 - - Unable to connect to CUPS server localhost:631 - Connection refused
<27>1 2014-01-12T20:06:05.783312-05:00 somebody smbd 3752 - - [2014/01/12 20:06:05.783190, 0] printing/print_cups.c:487(cups_async_callback)
<27>1 2014-01-12T20:06:05.783329-05:00 somebody smbd 3752 - - failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
<78>1 2014-01-12T20:09:01.547243-05:00 somebody 17622 - - (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -ignore_readdir_race -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)
<78>1 2014-01-12T20:10:01.719259-05:00 somebody 17646 - - (root) CMD (/usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1)
rsyslog.conf file contains this line to tell it to
use protocol 23:
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format