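# Logstash core grok patterns (legacy layout: IP is IPv4-only, TTY is split
# into BSDTTY/LINUXTTY).  One definition per line: NAME PATTERN, where the
# pattern is an Oniguruma regex that may reference earlier names as %{NAME}
# or %{NAME:field}.
# NOTE(review): this listing was reconstructed from a garbled copy (case,
# spacing and a few obfuscated characters were repaired); verify against the
# upstream grok-patterns file before relying on any single definition.
USERNAME [a-zA-Z0-9_-]+
USER %{USERNAME}
INT (?:[+-]?(?:[0-9]+))
BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER (?:%{BASE10NUM})
BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
BASE16FLOAT \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b

POSINT \b(?:[1-9][0-9]*)\b
NONNEGINT \b(?:[0-9]+)\b
WORD \b\w+\b
NOTSPACE \S+
SPACE \s*
# DATA/GREEDYDATA are unanchored wildcards: when they sit between other
# patterns the engine may retry many split points on a long line, so keep
# the surrounding pattern tight and bound line length for untrusted input.
DATA .*?
GREEDYDATA .*
# Double-, single- and backtick-quoted strings with backslash escapes; the
# outer (?<!\\) refuses a quote that is itself escaped.
QUOTEDSTRING (?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
UUID [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}

# Networking
MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
CISCOMAC (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
WINDOWSMAC (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
COMMONMAC (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
# Dotted-quad IPv4 only, each octet limited to 0-255; no IPv6 pattern is
# defined in this set, so IPORHOST will fall through to HOSTNAME for
# IPv6 literals.
IP (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9])
# Each label is 1-63 characters; a trailing dot is accepted by (\.?|\b).
# No bound on the total length or number of labels is enforced here.
HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
HOST %{HOSTNAME}
IPORHOST (?:%{HOSTNAME}|%{IP})
HOSTPORT (?:%{IPORHOST=~/\./}:%{POSINT})

# paths
PATH (?:%{UNIXPATH}|%{WINPATH})
# NOTE(review): the inner alternation is wrapped in atomic groups (?>...),
# which limits backtracking, but the outer (...)+ over a star-repeated group
# is still worth timing on long non-matching input before use on untrusted
# text.
UNIXPATH (?>/(?>[\w_%!$@:.,-]+|\\.)*)+
#UNIXPATH (?<![\w\/])(?:/[^\/\s?*]*)+
LINUXTTY (?>/dev/pts/%{NONNEGINT})
BSDTTY (?>/dev/tty[pq][a-z0-9])
TTY (?:%{BSDTTY}|%{LINUXTTY})
WINPATH (?>[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
URIPROTO [A-Za-z]+(\+[A-Za-z+]+)?
URIHOST %{IPORHOST}(?::%{POSINT:port})?
# uripath comes loosely from RFC1738, but mostly from what Firefox
# doesn't turn into %XX
URIPATH (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+
#URIPARAM \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)*)?
URIPARAM \?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]*
URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
# The optional userinfo part allows "user:password@"; captured fields may
# therefore carry credentials when applied to raw URLs.
URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?

# Months: January, Feb, 3, 03, 12, December
MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
MONTHNUM (?:0?[1-9]|1[0-2])
MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])

# Days: Monday, Tue, Thu, etc...
DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)

# Years?
YEAR (?>\d\d){1,2}
HOUR (?:2[0123]|[01]?[0-9])
MINUTE (?:[0-5][0-9])
# '60' is a leap second in most time standards and thus is valid.
SECOND (?:(?:[0-5][0-9]|60)(?:[:.,][0-9]+)?)
# NOTE(review): the leading (?!<[0-9]) is a negative lookahead for a literal
# "<" followed by a digit, not a "no preceding digit" guard; the form
# symmetric with the trailing (?![0-9]) would be (?<![0-9]).  Kept as-is
# to preserve existing matches.
TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
# datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it)
DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
DATE_EU %{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
ISO8601_SECOND (?:%{SECOND}|60)
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
DATE %{DATE_US}|%{DATE_EU}
DATESTAMP %{DATE}[- ]%{TIME}
TZ (?:[PMCE][SD]T)
DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}

# Syslog Dates: Month Day HH:MM:SS
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
PROG (?:[\w._/%-]+)
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
SYSLOGHOST %{IPORHOST}
SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}>
HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}

# Shortcuts
QS %{QUOTEDSTRING}

# Log formats
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
# request, referrer and agent are client-supplied; treat the captured
# fields as untrusted downstream (they are matched, not sanitized).
COMBINEDAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|-)" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}

# Log Levels
# Fix: the original wrote the mixed-case alternatives as [T|t]race etc.;
# inside a character class "|" is a literal, so those branches also matched
# "|race".  They are now plain [Tt] classes.
LOGLEVEL ([Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE)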
These are only the core Logstash patterns; there are many more, please refer to
https://github.com/logstash-plugins/logstash-patterns-core/tree/master/patterns
This article is from the "Zengestudy" blog; please keep this source link: http://zengestudy.blog.51cto.com/1702365/1782593
Grok patterns in Logstash