{
  "id" : null,
  "name" : "Untangle Firewall Syslog ",
  "description" : "Extract Meaningful fields from untangle syslog data into Graylog. ",
  "category" : "Firewall ",
  "inputs" : [ {
    "title" : "UTFirewall",
    "configuration" : {
      "override_source" : "",
      "allow_override_date" : true,
      "recv_buffer_size" : 262144,
      "bind_address" : "10.10.10.10",
      "port" : 514
    },
    "type" : "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
    "global" : false,
    "extractors" : [ {
      "title" : "UVM-HTTPRequest-Method1",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"requestUri\":%{QUOTEDSTRING:requestURI}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.http.HttpRequestEvent"
    }, {
      "title" : "UVM-ClassID",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "class com.untangle.%{HOSTNAME:class}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "NONE",
      "condition_value" : ""
    }, {
      "title" : "UVM-SessionEvent-dport",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"SServerPort\":%{INT:dport}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\""
    }, {
      "title" : "UVM-SessionEvent-protocol",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"protocolName\":\"%{PROTOCOL:prot}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\""
    }, {
      "title" : "UVM-SessionEvent-srcip",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "SClientAddr\":\"/%{IPV4:srcip}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\""
    }, {
      "title" : "UVM-SessionEvent-destip",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"CServerAddr\":\"/%{IPV4:dstip}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\""
    }, {
      "title" : "UVM-SessionEvent-sessionID",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"sessionId\":%{INT:sessionID}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "NONE",
      "condition_value" : "\"class com.untangle.uvm.node.SessionEvent\""
    }, {
      "title" : "UVM-spamtarpit-srcip",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"IPAddr\":\"/%{IPV4:srcip}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "\"class com.untangle.node.spam.SpamSmtpTarpitEvent\""
    }, {
      "title" : "UVM-spamtarpit-destip",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"CServerAddr\":\"/%{IPV4:dstip}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "\"class com.untangle.node.spam.SpamSmtpTarpitEvent\""
    }, {
      "title" : "UVM-spamtarpit-dport",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"CServerPort\":%{INT:dport}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "\"class com.untangle.node.spam.SpamSmtpTarpitEvent\""
    }, {
      "title" : "UVM-Spamtarpit-spamblocker",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"hostname\":\"%{HOSTNAME:spamblocker}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "\"class com.untangle.node.spam.SpamSmtpTarpitEvent\""
    }, {
      "title" : "UVM-ClassID1",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"class com.untangle.%{HOSTNAME:class}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "NONE",
      "condition_value" : ""
    }, {
      "title" : "UVM-HTTPRequest-URI",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"requestUri\":%{QUOTEDSTRING:requestURI}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.http.HttpRequestEvent"
    }, {
      "title" : "UVM-HTTPRequest-Method",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"method\":\"%{WORD:method}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.http.HttpRequestEvent"
    }, {
      "title" : "UVM-Firewall-Blocked",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "\"blocked\":%{WORD:blocked}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.firewall.FirewallEvent"
    }, {
      "title" : "UVM-Firewall-ruleID",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "ruleId\":%{INT:ruleID}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.firewall.FirewallEvent"
    }, {
      "title" : "UVM-SMTPEvent-senderid",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "sender\":\"%{EMAILADDRESS:senderid}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.smtp.SmtpMessageEvent"
    }, {
      "title" : "UVM-SMTPEvent-recipientid",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "addr\":\"%{EMAILADDRESS:recipientid}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.smtp.SmtpMessageEvent"
    }, {
      "title" : "UVM-SMTPEvent-messageid",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "messageId\":%{INT:messageid}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.smtp.SmtpMessageAddressEvent"
    }, {
      "title" : "UVM-SPAM-recipientid",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "receiver\":\"%{EMAILADDRESS:recipientid}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.spam.SpamLogEvent"
    }, {
      "title" : "UVM-SPAM-score",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "score\":%{BASE10NUM:score}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.spam.SpamLogEvent"
    }, {
      "title" : "UVM-SPAM-srcip",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "clientAddr\":\"/%{IPV4:srcip}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.spam.SpamLogEvent"
    }, {
      "title" : "UVM-SPAM-senderid",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "sender\":\"%{EMAILADDRESS:senderid}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.spam.SpamLogEvent"
    }, {
      "title" : "UVM-SPAM-destip",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "serverAddr\":\"/%{IPV4:destip}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.spam.SpamLogEvent"
    }, {
      "title" : "UVM-OPENVPN-srcip",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "address\":\"/%{IPV4:srcip}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.openvpn.OpenVpnStatusEvent"
    }, {
      "title" : "UVM-OPENVPN-openvpnid",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "clientName\":\"%{WORD:openvpnid}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.openvpn.OpenVpnStatusEvent"
    }, {
      "title" : "UVM-HTTPRequest-hostname",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "host\":\"%{IPORHOST:HOSTNAME}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.http.HttpRequestEvent"
    }, {
      "title" : "UVM-HTTPRequest-destip",
      "type" : "GROK",
      "configuration" : {
        "grok_pattern" : "CServerAddr\":\"/%{IPV4:destip}"
      },
      "converters" : [ ],
      "order" : 0,
      "cursor_strategy" : "COPY",
      "target_field" : "message",
      "source_field" : "message",
      "condition_type" : "STRING",
      "condition_value" : "class com.untangle.node.http.HttpRequestEvent"
    } ],
    "static_fields" : { }
  } ],
  "streams" : [ {
    "id" : "56ae940384ae55af23c492af",
    "title" : "TechSupport Stream",
    "description" : "Sample Stream for Tech Support Engineers",
    "disabled" : false,
    "outputs" : [ ],
    "stream_rules" : [ {
      "type" : "PRESENCE",
      "field" : "class",
      "value" : "",
      "inverted" : false
    } ]
  } ],
  "outputs" : [ ],
  "dashboards" : [ {
    "title" : "Interesting Items to Investigate",
    "description" : "List of Items worth Investigating",
    "dashboard_widgets" : [ {
      "description" : "Top XMLRPC attacks",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "srcip",
        "show_pie_chart" : false,
        "query" : "requestURI:\\/xmlrpc.php",
        "show_data_table" : true
      },
      "col" : 4,
      "row" : 4,
      "cache_time" : 10
    }, {
      "description" : "Top Openvpnid Logins",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "openvpnid",
        "show_pie_chart" : false,
        "query" : "class:node.openvpn.OpenVpnStatusEvent",
        "show_data_table" : true
      },
      "col" : 3,
      "row" : 6,
      "cache_time" : 10
    }, {
      "description" : "Top blog login Attackers",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "srcip",
        "show_pie_chart" : false,
        "query" : "requestURI:\\/blog\\/wp\\-login.php",
        "show_data_table" : true
      },
      "col" : 2,
      "row" : 6,
      "cache_time" : 10
    }, {
      "description" : "Top Destination IPs",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "dstip",
        "show_pie_chart" : true,
        "query" : "class:uvm.node.SessionEvent",
        "show_data_table" : true
      },
      "col" : 4,
      "row" : 1,
      "cache_time" : 10
    }, {
      "description" : "Top Source IPs",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "srcip",
        "show_pie_chart" : true,
        "query" : "class:uvm.node.SessionEvent",
        "show_data_table" : true
      },
      "col" : 3,
      "row" : 1,
      "cache_time" : 10
    }, {
      "description" : "TOP Spam Senders ",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "senderid",
        "show_pie_chart" : true,
        "query" : "class:node.spam.SpamLogEvent score:<0",
        "show_data_table" : true
      },
      "col" : 2,
      "row" : 1,
      "cache_time" : 10
    }, {
      "description" : "Top Spam IPs past hour",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "srcip",
        "show_pie_chart" : true,
        "query" : "class:node.spam.SpamLogEvent score:<0",
        "show_data_table" : true
      },
      "col" : 1,
      "row" : 1,
      "cache_time" : 10
    }, {
      "description" : "WP Login Attempt VictimIPs",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "dstip",
        "show_pie_chart" : false,
        "query" : "method:POST AND requestURI:\\/wp\\-login.php",
        "show_data_table" : true
      },
      "col" : 2,
      "row" : 4,
      "cache_time" : 10
    }, {
      "description" : "Top WP Login Victim HOSTs",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "HOSTNAME",
        "show_pie_chart" : false,
        "query" : "method:POST AND requestURI:\\/wp\\-login.php",
        "show_data_table" : true
      },
      "col" : 3,
      "row" : 4,
      "cache_time" : 10
    }, {
      "description" : "TOP WP Login Attackers",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 3600
        },
        "field" : "srcip",
        "show_pie_chart" : false,
        "query" : "method:POST AND requestURI:\\/wp\\-login.php",
        "show_data_table" : true
      },
      "col" : 1,
      "row" : 4,
      "cache_time" : 10
    }, {
      "description" : "Top blocked Firewall Rules",
      "type" : "QUICKVALUES",
      "configuration" : {
        "timerange" : {
          "type" : "relative",
          "range" : 1800
        },
        "field" : "ruleID",
        "show_pie_chart" : false,
        "query" : "blocked:true",
        "show_data_table" : true
      },
      "col" : 1,
      "row" : 6,
      "cache_time" : 10
    } ]
  } ],
  "grok_patterns" : [ {
    "name" : "URIPARAM",
    "pattern" : "\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*"
  }, {
    "name" : "BASE16NUM",
    "pattern" : "(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))"
  }, {
    "name" : "DATESTAMP_EVENTLOG",
    "pattern" : "%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}"
  }, {
    "name" : "IPV6",
    "pattern" : "((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?"
  }, {
    "name" : "TIMESTAMP_ISO8601",
    "pattern" : "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?"
  }, {
    "name" : "USER",
    "pattern" : "%{USERNAME}"
  }, {
    "name" : "URIHOST",
    "pattern" : "%{IPORHOST}(?::%{POSINT:port})?"
  }, {
    "name" : "EMAILADDRESS",
    "pattern" : "%{EMAILLOCALPART}@%{HOSTNAME}"
  }, {
    "name" : "EMAILLOCALPART",
    "pattern" : "[a-zA-Z][a-zA-Z0-9_.+-=:]+"
  }, {
    "name" : "HTTPDUSER",
    "pattern" : "%{EMAILADDRESS}|%{USER}"
  }, {
    "name" : "DATE_US",
    "pattern" : "%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}"
  }, {
    "name" : "MONTHNUM2",
    "pattern" : "(?:0[1-9]|1[0-2])"
  }, {
    "name" : "TIME",
    "pattern" : "(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])"
  }, {
    "name" : "PROG",
    "pattern" : "[\\x21-\\x5a\\x5c\\x5e-\\x7e]+"
  }, {
    "name" : "TZ",
    "pattern" : "(?:[PMCE][SD]T|UTC)"
  }, {
    "name" : "SYSLOGHOST",
    "pattern" : "%{IPORHOST}"
  }, {
    "name" : "SECOND",
    "pattern" : "(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)"
  }, {
    "name" : "HOUR",
    "pattern" : "(?:2[0123]|[01]?[0-9])"
  }, {
    "name" : "COMBINEDAPACHELOG",
    "pattern" : "%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}"
  }, {
    "name" : "DATESTAMP",
    "pattern" : "%{DATE}[- ]%{TIME}"
  }, {
    "name" : "URIPATH",
    "pattern" : "(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\\-]*)+"
  }, {
    "name" : "QS",
    "pattern" : "%{QUOTEDSTRING}"
  }, {
    "name" : "UUID",
    "pattern" : "[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}"
  }, {
    "name" : "INT",
    "pattern" : "(?:[+-]?(?:[0-9]+))"
  }, {
    "name" : "MONTHDAY",
    "pattern" : "(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])"
  }, {
    "name" : "ISO8601_TIMEZONE",
    "pattern" : "(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))"
  }, {
    "name" : "YEAR",
    "pattern" : "(?>\\d\\d){1,2}"
  }, {
    "name" : "HTTPDERROR_DATE",
    "pattern" : "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
  }, {
    "name" : "LOGLEVEL",
    "pattern" : "([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)"
  }, {
    "name" : "NUMBER",
    "pattern" : "(?:%{BASE10NUM})"
  }, {
    "name" : "SYSLOGPROG",
    "pattern" : "%{PROG:program}(?:\\[%{POSINT:pid}\\])?"
  }, {
    "name" : "DAY",
    "pattern" : "(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)"
  }, {
    "name" : "SYSLOGBASE",
    "pattern" : "%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:"
  }, {
    "name" : "HOSTNAME",
    "pattern" : "\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"
  }, {
    "name" : "MONTH",
    "pattern" : "\\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\\b"
  }, {
    "name" : "URI",
    "pattern" : "%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?"
  }, {
    "name" : "SPACE",
    "pattern" : "\\s*"
  }, {
    "name" : "URIPATHPARAM",
    "pattern" : "%{URIPATH}(?:%{URIPARAM})?"
  }, {
    "name" : "HTTPD_ERRORLOG",
    "pattern" : "%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}"
  }, {
    "name" : "USERNAME",
    "pattern" : "[a-zA-Z0-9._-]+"
  }, {
    "name" : "HTTPDATE",
    "pattern" : "%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}"
  }, {
    "name" : "DATESTAMP_RFC822",
    "pattern" : "%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}"
  }, {
    "name" : "IPORHOST",
    "pattern" : "(?:%{IP}|%{HOSTNAME})"
  }, {
    "name" : "HOSTPORT",
    "pattern" : "%{IPORHOST}:%{POSINT}"
  }, {
    "name" : "IP",
    "pattern" : "(?:%{IPV6}|%{IPV4})"
  }, {
    "name" : "DATESTAMP_OTHER",
    "pattern" : "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}"
  }, {
    "name" : "DATE",
    "pattern" : "%{DATE_US}|%{DATE_EU}"
  }, {
    "name" : "HTTPD24_ERRORLOG",
    "pattern" : "\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}"
  }, {
    "name" : "WORD",
    "pattern" : "\\b\\w+\\b"
  }, {
    "name" : "URIPROTO",
    "pattern" : "[A-Za-z]+(\\+[A-Za-z+]+)?"
  }, {
    "name" : "COMMONAPACHELOG",
    "pattern" : "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"
  }, {
    "name" : "TTY",
    "pattern" : "(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))"
  }, {
    "name" : "PATH",
    "pattern" : "(?:%{UNIXPATH}|%{WINPATH})"
  }, {
    "name" : "POSINT",
    "pattern" : "\\b(?:[1-9][0-9]*)\\b"
  }, {
    "name" : "WINPATH",
    "pattern" : "(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+"
  }, {
    "name" : "HTTPD20_ERRORLOG",
    "pattern" : "\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}"
  }, {
    "name" : "MAC",
    "pattern" : "(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})"
  }, {
    "name" : "NOTSPACE",
    "pattern" : "\\S+"
  }, {
    "name" : "SYSLOGFACILITY",
    "pattern" : "<%{NONNEGINT:facility}.%{NONNEGINT:priority}>"
  }, {
    "name" : "BASE16FLOAT",
    "pattern" : "\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b"
  }, {
    "name" : "WINDOWSMAC",
    "pattern" : "(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})"
  }, {
    "name" : "DATE_EU",
    "pattern" : "%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}"
  }, {
    "name" : "GREEDYDATA",
    "pattern" : ".*"
  }, {
    "name" : "UNIXPATH",
    "pattern" : "(/([\\w_%!$@:.,~-]+|\\\\.)*)+"
  }, {
    "name" : "DATESTAMP_RFC2822",
    "pattern" : "%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}"
  }, {
    "name" : "SYSLOGTIMESTAMP",
    "pattern" : "%{MONTH} +%{MONTHDAY} %{TIME}"
  }, {
    "name" : "ISO8601_SECOND",
    "pattern" : "(?:%{SECOND}|60)"
  }, {
    "name" : "QUOTEDSTRING",
    "pattern" : "(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))"
  }, {
    "name" : "COMMONMAC",
    "pattern" : "(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})"
  }, {
    "name" : "MINUTE",
    "pattern" : "(?:[0-5][0-9])"
  }, {
    "name" : "CISCOMAC",
    "pattern" : "(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})"
  }, {
    "name" : "IPV4",
    "pattern" : "(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"
  }, {
    "name" : "DATA",
    "pattern" : ".*?"
  }, {
    "name" : "MONTHNUM",
    "pattern" : "(?:0?[1-9]|1[0-2])"
  }, {
    "name" : "BASE10NUM",
    "pattern" : "(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))"
  }, {
    "name" : "NONNEGINT",
    "pattern" : "\\b(?:[0-9]+)\\b"
  } ]
}