# Source-highlight language definition for log files: syslog-style lines,
# web-server access and error logs, and kernel/firewall lines of the
# "IN=... OUT=... PROTO=..." form.
#
# Every pattern here exists to colour a field, not to validate it.  The
# expressions are intentionally loose (see the note on the dotted-quad
# pattern below), so nothing in this file should be read as a parser or a
# sanity check on log content.

# Dotted quad: four groups of 1-3 digits.  Groups above 255 match too, so
# this also highlights strings that are not valid IPv4 addresses.
vardef ipv4 = '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\>'

# One maximal run of non-blank characters.
vardef token = '[^[:blank:]]+'

# hh:mm:ss
vardef hms = '[[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}'

# hh:mm:ss bounded by word boundaries on both sides.
vardef hms_word = '\<' + $hms + '\>'

# "[Ddd Mmm dd " followed (lookahead) by hh:mm:ss -- the opening of a
# bracketed timestamp such as "[Sun Jun  1 11:34:12 2014]".
vardef bracket_stamp = '\[[[:alpha:]]{3}[[:blank:]][[:alpha:]]{3}[[:blank:]]{1,2}[[:digit:]]{1,2}[[:blank:]](?=' + $hms + ')'

# ---------------------------------------------------------------------
# Syslog-style line: "Mmm dd hh:mm:ss host program[pid]: message"
# The three nested states are entered in turn by the date, the time and
# the first token after it; the ':' that ends the program name leaves all
# of them at once (exitall).
# ---------------------------------------------------------------------
state date start '^[[:alpha:]]{3}[[:blank:]]{1,2}[[:digit:]]{1,2}(?=[[:blank:]]' + $hms + ')' begin
  state time start $hms_word begin
    state symbol start $token begin
      normal = ":" exitall
      function = '[^:\(\[]+'
      number delim "[" "]"
      number delim "(" ")"
    end
  end
end

# ---------------------------------------------------------------------
# Access-log line that begins with a client address, e.g.
#   1.2.3.4 - user [01/Jan/2014:11:34:12 +0100] "GET /path HTTP/1.1" 200 1234
# ---------------------------------------------------------------------
state ip start '^' + $ipv4 begin
  # the word immediately before "[dd/Mmm/yyyy" (typically the user field)
  string = '[[:alnum:]]+(?=[[:blank:]]\[[[:digit:]]{2}/[[:alpha:]]{3}/[[:digit:]]{4})'
  # dd/Mmm/yyyy when followed by ":hh:mm:ss"
  date = '[[:digit:]]{2}/[[:alpha:]]{3}/[[:digit:]]{4}(?=:' + $hms + ')'
  # hh:mm:ss plus the numeric timezone offset
  time = $hms + '[[:blank:]][+-][[:digit:]]{4}'
  # a 100-599 status code followed by the byte count ("-" when absent)
  twonumbers = '[1-5][[:digit:]]{2}[[:blank:]][-0-9]+'
  # request method; the next token (the request target) is highlighted
  # as a string and the state is left again
  state webmethod = "OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|MKCOL|COPY|MOVE|LOCK|UNLOCK" begin
    string = $token exit
  end
end

# ---------------------------------------------------------------------
# Error-log line opening with a bracketed weekday timestamp, e.g.
#   [Sun Jun  1 11:34:12 2014] [error] ...
# ---------------------------------------------------------------------
state date start '^' + $bracket_stamp begin
  time = $hms_word
  # the trailing "yyyy]" of the timestamp
  date = '[[:digit:]]{4}\]'
  date = $bracket_stamp
  string = "[error]"
  comment = "[notice]"
  ip = $ipv4
end

# ---------------------------------------------------------------------
# Rules that apply anywhere on a line.
# ---------------------------------------------------------------------
ip = $ipv4
string = "root","failure"
# "port 1234" / "pid 1234": the keyword is normal text, the digits are
# highlighted as a port
(normal,port) = `((?:port|pid)[[:blank:]])([[:digit:]]+)`

# ---------------------------------------------------------------------
# Key=value fields of the form produced by kernel packet-filter logging
# (IN=/OUT=/PROTO=/SPT=/DPT=...).  Entered at the blank before the first
# IN= or OUT=; each key's value is the following non-blank token.
# ---------------------------------------------------------------------
state normal start '[[:blank:]](?=(IN|OUT)=)' begin
  state normal = '(IN|OUT|PROTO)=(?=[^[:blank:]]+)' begin
    string = $token exit
  end
  state normal = '(SPT|DPT|TYPE|SEQ)=(?=[^[:blank:]]+)' begin
    cbracket = $token exit
  end
  # TCP flag names
  number = "CWR|ECE|URG|ACK|PSH|RST|SYN|FIN"
  ip = $ipv4
end