vardef basic_time = '[[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}'
vardef time = '\<' + $basic_time + '\>'
vardef ip = '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\>'
vardef non_empty = '[^[:blank:]]+'

state date start '^[[:alpha:]]{3}[[:blank:]]{1,2}[[:digit:]]{1,2}(?=[[:blank:]]' + $basic_time + ')' begin
  state time start $time begin
    state symbol start $non_empty begin
      normal = ":" exitall
      function = '[^:\(\[]+'
      number delim "[" "]"
      number delim "(" ")"
    end
  end
end

state ip start '^' + $ip begin
  string = '[[:alnum:]]+(?=[[:blank:]]\[[[:digit:]]{2}/[[:alpha:]]{3}/[[:digit:]]{4})'
  date = '[[:digit:]]{2}/[[:alpha:]]{3}/[[:digit:]]{4}(?=:' + $basic_time + ')'
  time = $basic_time + '[[:blank:]][+-][[:digit:]]{4}'
  twonumbers = '[1-5][[:digit:]]{2}[[:blank:]][-0-9]+'
  state webmethod = "OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|MKCOL|COPY|MOVE|LOCK|UNLOCK" begin
    string = $non_empty exit
  end
end

vardef weekday_date = '\[[[:alpha:]]{3}[[:blank:]][[:alpha:]]{3}[[:blank:]]{1,2}[[:digit:]]{1,2}[[:blank:]](?=' + $basic_time + ')'

state date start '^' + $weekday_date begin
  time = $time
  date = '[[:digit:]]{4}\]'
  date = $weekday_date
  string = "[error]"
  comment = "[notice]"
  ip = $ip
end

ip = $ip

string = "root","failure"

(normal,port) = `((?:port|pid)[[:blank:]])([[:digit:]]+)`

state normal start '[[:blank:]](?=(IN|OUT)=)' begin
  state normal = '(IN|OUT|PROTO)=(?=[^[:blank:]]+)' begin
    string = $non_empty exit
  end
  state normal = '(SPT|DPT|TYPE|SEQ)=(?=[^[:blank:]]+)' begin
    cbracket = $non_empty exit
  end
  number = "CWR|ECE|URG|ACK|PSH|RST|SYN|FIN"
  ip = $ip
end