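# File is managed by Puppet
#
# Grok pattern definitions, one per line in the form "NAME regex".
# Lines starting with '#' are comments. Patterns referenced here but not
# defined here (HOUR, IP, SYSLOGPROG, LOGLEVEL, ...) come from the stock
# grok pattern set.

# Base
# NOTE(review): "(?!<[0-9])" is a negative lookahead for "<digit>", not the
# lookbehind "(?<![0-9])" it resembles. Because %{HOUR} starts with a digit,
# the assertion never rejects anything. Left as-is to keep current matching.
NECTAR_TIME (?!<[0-9])%{HOUR:timestamp_hour}:%{MINUTE:timestamp_minute}(?::%{SECOND:timestamp_second})(?![0-9])
NECTAR_HTTPDATE %{MONTHDAY:timestamp_monthday}/%{MONTH:timestamp_month}/%{YEAR:timestamp_year}:%{NECTAR_TIME} %{ISO8601_TIMEZONE}
# Fixed: the alternation was missing a '|' between CRITICAL and the audit
# alternatives ("CRITICAL[A|a]udit"), so "audit"/"Audit" never matched on
# their own and such lines failed to parse. The character classes also held a
# literal '|' ("[C|c]"), which accepted a pipe as the first character.
AUDITLOGLEVEL ([Cc]ritical|CRITICAL|[Aa]udit|AUDIT|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE)
RSYSLOG <%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{GREEDYDATA:message}
LOGBACK <%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:logsource} \[%{NOTSPACE}\] ?%{SYSLOGPROG} %{GREEDYDATA:message}
PUPPET_CATALOG_COMPILE <%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:logsource} \[%{NOTSPACE}\] ?%{SYSLOGPROG} Puppet Compiled catalog for %{NOTSPACE:certname} in environment %{NOTSPACE:environment} in %{NUMBER:response_secs} seconds

# OpenStack
OS_REQUEST_ID (req-%{UUID})
OS_REQUEST %{OS_REQUEST_ID:request_id} %{NOTSPACE:keystone_user} %{NOTSPACE:keystone_project} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE}
# NOTE(review): the trailing '*' quantifies only "\]", so the closing bracket
# is optional and may repeat. Confirm that this is intended.
OPENSTACK %{TIMESTAMP_ISO8601} %{POSINT:pid} %{AUDITLOGLEVEL:auditlevel} %{PROG:program_path} \[(?:%{OS_REQUEST}|-)\]*
# Only the first address of a comma-separated list is kept as clientip; the
# remaining addresses are matched but not captured.
# NOTE(review): if that list is a forwarded-for chain, its first entry may be
# client-supplied unless the front proxy overwrites it. Verify before using
# clientip for attribution or blocking.
OPENSTACKWSGI %{OPENSTACK} %{IP:clientip}("?,?\s*%{IP})* "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"(?:\s+status: %{NUMBER:response})?(?:\s+len: %{NUMBER:bytes})?(?:\s+time: %{NUMBER:response_secs})?(?:\s+microversion: %{NUMBER:microversion})?
KEYSTONEWSGI %{OPENSTACK} %{WORD:verb} %{URI:request}

# OpenStack Audit
# action and outcome are extracted from the JSON text by regex. The pattern
# depends on key order and exact spacing, and the greedy matches prefer the
# last occurrence of each key in the line. For audit records, decoding the
# payload with a JSON filter is more robust than this extraction.
OPENSTACK_AUDIT_MSG \{"message_id":%{GREEDYDATA}"action": "%{NOTSPACE:action}"%{GREEDYDATA}"outcome": "%{WORD:outcome}"%{GREEDYDATA}\}
OPENSTACKAUDIT %{OPENSTACK} %{OPENSTACK_AUDIT_MSG}

# OpenStack Services
HEALTHCHECK GET \/healthcheck
# NOTE(review): the unnamed %{NOTSPACE} after agent appears to line up with
# the auth-token column of Swift's proxy log line (verify against the
# configured log format). It is not captured into a field; keep it unnamed.
SWIFTPROXY %{IPORHOST:clientip} %{IP:api_ip} %{NOTSPACE} ?(%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NOTSPACE:httpversion})?|%{DATA:rawrequest}) %{NUMBER:response} (?:%{QS:referrer}|-) %{NOTSPACE:agent} %{NOTSPACE} (?:%{NUMBER:bytes_request}|-) (?:%{NUMBER:bytes}|-) %{NOTSPACE} %{NOTSPACE:transactionid} %{NOTSPACE} %{NUMBER:response_secs} (?:%{NOTSPACE:swiftsource}|-)
SWIFTSTORAGE %{IPORHOST:clientip} \- \- \[%{HTTPDATE}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} \"%{NOTSPACE:transactionid}\" %{NOTSPACE} %{NOTSPACE} %{NUMBER:response_secs}

# F5
# Both HTTP patterns store the logged cookie value in the "cookie" field.
# NOTE(review): if the F5 logging profile emits full Cookie headers, this
# field can hold session identifiers. Restrict access to the index, or drop
# or hash the field downstream.
F5HTTP <%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:api_host} %{IP:api_ip} %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{NECTAR_HTTPDATE:httptimestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "%{DATA:referrer}" "%{DATA:agent}" \"%{DATA:cookie}\" %{NUMBER:response_msecs}
F5 <%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:logsource} %{IPORHOST:api_host}:%{POSINT:api_port} %{IP:api_ip} %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{NECTAR_HTTPDATE:httptimestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "%{DATA:referrer}" "%{DATA:agent}" \"%{DATA:cookie}\" %{NUMBER:response_msecs}
F5_SYSLOG <%{POSINT}>%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:logsource} (slot1\/)?%{NOTSPACE} %{LOGLEVEL:loglevel} %{SYSLOGPROG}: %{GREEDYDATA:message}

# HAProxy LB
# Same leading assertion as NECTAR_TIME (see the note there).
NECTAR_HAPROXYTIME (?!<[0-9])%{HOUR:timestamp_hour}:%{MINUTE:timestamp_minute}(?::%{SECOND:timestamp_second})(?![0-9])
NECTAR_HAPROXYDATE %{MONTHDAY:timestamp_monthday}/%{MONTH:timestamp_month}/%{YEAR:timestamp_year}:%{NECTAR_HAPROXYTIME:timestamp_time}.%{INT:timestamp_milliseconds}
NECTAR_HAPROXYHTTP %{IPORHOST:api_host}?(:%{POSINT})? %{IP:api_ip}:%{POSINT:api_port} %{IPORHOST:clientip}:%{POSINT:clientport} \[%{NECTAR_HAPROXYDATE:httptimestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "%{DATA:referrer}" "%{DATA:agent}" %{NUMBER:response_msecs}

# Apache
NECTAR_APACHECOMMON %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{NECTAR_HTTPDATE:httptimestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
NECTAR_APACHECOMBINED %{NECTAR_APACHECOMMON} "%{DATA:referrer}" "%{DATA:agent}"
NECTAR_APACHEERRORDATE %{DAY} %{MONTH:timestamp_month} %{MONTHDAY:timestamp_monthday} %{NECTAR_TIME} %{YEAR:timestamp_year}
NECTAR_APACHEERROR \[%{NECTAR_APACHEERRORDATE}\] \[%{WORD:apache_module}:%{LOGLEVEL:apache_loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \[remote %{IPORHOST:clientip}:%{POSINT:clientport}\])?(?: %{LOGLEVEL:loglevel})? %{GREEDYDATA:message}

# Bumblebee
# Fixed: "%{POSINT: clientport}" had a space after the colon. Grok field names
# cannot contain spaces, so the reference was not expanded and any line with a
# "[remote host:port]" section failed to match, losing clientip/clientport.
# It now matches the form used in NECTAR_APACHEERROR.
BUMBLEBEE_DJANGO \[%{NECTAR_APACHEERRORDATE}\] \[%{WORD:apache_module}:%{LOGLEVEL:apache_loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \[remote %{IPORHOST:clientip}:%{POSINT:clientport}\])?(?: %{LOGLEVEL})? \[%{TIMESTAMP_ISO8601}\] \[%{LOGLEVEL:loglevel}\] %{GREEDYDATA:message}
BUMBLEBEE_RQ \[%{TIMESTAMP_ISO8601}\] \[%{LOGLEVEL:loglevel}\] %{GREEDYDATA:message}

# Kubernetes - fluentd
FLUENTD_MSG %{GREEDYDATA:message}
KUBERNETES_LABELS %{GREEDYDATA}
# This pattern chains many %{GREEDYDATA} segments between fixed key literals.
# On lines that almost match, the regex engine can backtrack heavily, and part
# of the input (the container message, labels) is workload-controlled.
# Keep the grok filter's timeout_millis set to bound worst-case cost.
# The pattern also depends on the exact key order of the serialized hash.
KUBERNETES ({"container_name"=>")%{GREEDYDATA:program}(", "namespace_name"=>")%{GREEDYDATA}(", "pod_name"=>")%{GREEDYDATA:program_path}(", "container_image"=>")%{GREEDYDATA}(", "container_image_id"=>")%{GREEDYDATA}(", "pod_id"=>")%{GREEDYDATA}(", "pod_ip"=>")%{GREEDYDATA}(", "host"=>")%{GREEDYDATA:logsource}(", "labels"=>)%{KUBERNETES_LABELS}(, "master_url"=>")%{GREEDYDATA}(", "namespace_id"=>")%{GREEDYDATA}(", "namespace_labels"=>)%{GREEDYDATA}(})
FLUENTD ( fluentd: stream:)%{WORD}(.*)(message:)
# "#011" is matched as literal text (NOTE(review): presumably the syslog
# daemon's escaped tab; confirm). The message is captured greedily, so the
# field boundaries after it are taken from the last delimiters in the line
# that still let the rest of the pattern match.
NECTAR_FLUENTD %{TIMESTAMP_ISO8601} %{IPORHOST}%{FLUENTD}%{FLUENTD_MSG}(#011)(time:)%{TIMESTAMP_ISO8601:timestamp}(#011)(docker:{"container_id"=>")%{WORD}"\}(#011kubernetes:)%{KUBERNETES}

# JupyterHub
NECTAR_JUPYTER_TIMESTAMP \[%{WORD:loglevel} %{YEAR}-%{MONTHNUM2}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}.%{POSINT} %{WORD:app} %{WORD:component}:%{POSINT}\]
NECTAR_JUPYTER_REQUEST %{NECTAR_JUPYTER_TIMESTAMP} %{NUMBER:response} %{WORD:verb} %{NOTSPACE:request}(?: -> %{GREEDYDATA})? \(%{NOTSPACE:auth}?@%{IPORHOST:clientip}\) %{NUMBER:response_msecs}ms
NECTAR_JUPYTER %{NECTAR_JUPYTER_TIMESTAMP} %{GREEDYDATA:message}

# BinderHub
NECTAR_BINDER_TIMESTAMP \[%{WORD:loglevel} %{YEAR}%{MONTHNUM2}%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{WORD:component}:%{POSINT}\]
NECTAR_BINDER_REQUEST %{NECTAR_BINDER_TIMESTAMP} %{NUMBER:response} %{WORD:verb} %{NOTSPACE:request}(?: -> %{GREEDYDATA})? \(%{NOTSPACE:auth}?@%{IPORHOST:clientip}\) %{NUMBER:response_msecs}ms
NECTAR_BINDER_LAUNCH %{NECTAR_BINDER_TIMESTAMP} Launched %{NOTSPACE:request} in %{NUMBER:response_secs}s
NECTAR_BINDER %{NECTAR_BINDER_TIMESTAMP} %{GREEDYDATA:message}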