{ "v": 1, "id": "b58caaef-418c-44b5-a082-165fa6140cf3", "rev": 3, "name": "GROK Pattern Collection", "summary": "GROK Pattern Collection", "description": "INCLUDES: COMMA DATE_US2 HOST NOTCOMMA PROTOCOL QSORNC QUOTEDQUOTES QUOTES WINDNS_FLAGSCHAR WINDNS_FLAGSHEX WINDNS_IP WINDNS_OPCODE WINDNS_PROTOCOL WINDNS_QTYPE WINDNS_QUERYRESP WINDNS_RESPONSE WINDNS_SNDRCV WINDNS_THREADID WINDNS_TIME WORDSWITHDASH", "vendor": "reighnman ", "url": "https://github.com/reighnman/Graylog_GROK_Pattern_Collection", "parameters": [], "entities": [ { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3938827f-4c12-4441-b88b-0c954733ec99", "data": { "name": "COMMA", "pattern": "," }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "f4890508-1501-4fb7-922b-8a5e07afd10f", "data": { "name": "DATE_US2", "pattern": "%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3d5d5a91-d9ef-4ba2-bad9-58771601a6a4", "data": { "name": "HOSTNAME", "pattern": "\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "9b94598d-84e3-4f0d-8867-47cb3220889d", "data": { "name": "NOTCOMMA", "pattern": "[^,]+" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "42fb52c4-361e-441a-97a9-73630b0a88f5", "data": { "name": "PROTOCOL", "pattern": "(TCP|UDP|ICMP)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "dee4613a-4b93-4a1d-ac59-65eae4dc1853", "data": { "name": "QSORNC", "pattern": "(%{QUOTEDQUOTES}|%{NOTCOMMA})" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "e109b87e-df85-48a2-b18e-ade846fa06a5", "data": { "name": "QUOTEDQUOTES", "pattern": "(\"((?:[^\"]|\"\")*+)\")" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "6ae52298-b374-4643-b9c2-ed76a153dc8b", "data": { "name": "QUOTES", "pattern": "/\"(.+)\"/" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "169c8618-2465-41f9-94f7-855ead54c725", "data": { "name": "WINDNS_FLAGSCHAR", "pattern": "(\\s+[A|T|D|R]{1,4}\\s+)|(\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+)|(\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+)|\\s+" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "ee3f5ddf-ca4f-427e-b9f5-30f24e33fd32", "data": { "name": "WINDNS_FLAGSHEX", "pattern": "([0-9]+)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "815787ab-df71-4f63-8e53-be513c62978e", "data": { "name": "WINDNS_IP", "pattern": "(?=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "bc20a03c-e366-472c-b88a-afc5c53de1dc", "data": { "name": "WINDNS_OPCODE", "pattern": "([A-Z]{1})" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "462f096a-f259-4166-b6c1-05e67b7b2859", "data": { "name": "WINDNS_PROTOCOL", "pattern": "(UDP|TCP)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "028c5bb6-276b-48a5-af8a-9a20ac3ba8ba", "data": { "name": "WINDNS_QTYPE", "pattern": "(?:\\s\\S+|)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "0e0d63ce-ccf3-43f3-b354-022fec2d3394", "data": { "name": "WINDNS_QUERYRESP", "pattern": "(\\s+R\\s+|\\s+)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "c476e976-6a56-4e5a-8107-a24d30da8bfa", "data": { "name": "WINDNS_RESPONSE", "pattern": "([A-Z]+)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "dfccf17f-3ca3-4d90-be77-4eed05ff1818", "data": { "name": "WINDNS_SNDRCV", "pattern": "(Snd|Rcv)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3246e252-dbdc-4dc2-8013-6899082b92cd", "data": { "name": "WINDNS_THREADID", "pattern": "[a-zA-Z0-9]{4}" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "83aa549f-5abc-4bc7-a03a-73080a9b273d", "data": { "name": "WINDNS_TIME", "pattern": "(?:0?[1-9]|1[0-2])[/-](?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])[/-](?>\\d\\d){1,2}\\s(?!<[0-9])(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)\\s(A|P)M" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3d6f553b-7aeb-44db-adc5-98dcbcd67314", "data": { "name": "WORDSWITHDASH", "pattern": "([A-Za-z0-9\\-\\_]+)" }, "constraints": [ { "type": "server-version", "version": ">=4.0.0" } ] } ] }