Patterns
Gomatch needs a file to read pattern/event definitions from; the default location is ./Patterns.
Every pattern has to be on a separate line and should look close to this:
session_opened##<MONTH> <NUMBER:month_number> <TIME> <IP> <CLASS> <SYSLOGPROG> session opened for user <USERNAME>
The pattern above consists of:
- session_opened (event name)
- ## (separator between pattern name and the things to match, which are separated by single spaces)
- <token_name>: reference to a regex, gives token_name = matched_value in the json output
- <token_name:any_semantic_name>: reference to a regex, gives any_semantic_name = matched_value in the json output
- any_word: word/number/etc. that has to match directly, won't be in the output; can also be written <any_word> if there is no regex defined for it in the tokens file
Every matched token is stored and printed in the output (with its matched value) only once (the recommendation is to rename the second occurrence of the same token).
Merged combinations of tokens and words aren't possible (ip=), but you can easily alter the regular expressions (default file ./tokens) to suit your needs.
It is also possible to append a new pattern while the program is running: put the new pattern on the top line of the patterns file.
If things are still unclear, try these few patterns (put them in your patterns file):
Pattern_1##y
Pattern_2##y <WORD> <IP>
Pattern_1 will match the output generated by the Unix command yes (an endless generator of y or of a given argument); try to run: yes | gomatch.
Pattern_2 will match lines starting with y, followed by a word made of letters only (<WORD>, no digits) and any IP address, examples:
y wordyword 192.168.2.1
y wordofwords 127.0.0.1
won't match:
y 12wordofwords 127.0.0.1 // word with numbers
n wordofwords 127.0.0.1 // first word is not y
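To make the pattern rules above concrete (the ## separator, <TOKEN> and <TOKEN:semantic_name> references, literal words, tokens stored only once, and the Pattern_1/Pattern_2 behaviour), here is a small Go implementation of that compilation step. It is an added example written for this page, not gomatch's own code: the token regexes stand in for the ./tokens file and are assumptions, and the sample log lines are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed token table standing in for the ./tokens file; these regexes
// are assumptions for the example, not the project's own definitions.
var tokenRegex = map[string]string{
	"MONTH":  `[A-Z][a-z]{2}`,
	"NUMBER": `[0-9]+`,
	"WORD":   `[A-Za-z]+`,
	"IP":     `(?:[0-9]{1,3}\.){3}[0-9]{1,3}`,
}

// tokenRef recognises the <TOKEN> and <TOKEN:semantic_name> field forms.
var tokenRef = regexp.MustCompile(`^<([A-Za-z_]+)(?::([A-Za-z0-9_]+))?>$`)

// Pattern is one compiled "name##fields" definition.
type Pattern struct {
	Name string
	re   *regexp.Regexp
	keys []string // output key of each capture group, in order
}

// CompilePattern turns one pattern line into an anchored regular expression.
func CompilePattern(line string) (*Pattern, error) {
	parts := strings.SplitN(line, "##", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("pattern %q lacks the ## separator", line)
	}
	p := &Pattern{Name: parts[0]}
	seen := map[string]bool{}
	var fields []string // one regex fragment per space-separated field
	for _, field := range strings.Split(parts[1], " ") {
		rx, isToken := "", false
		m := tokenRef.FindStringSubmatch(field)
		if m != nil {
			rx, isToken = tokenRegex[m[1]]
		}
		if !isToken {
			// plain word, or <any_word> with no regex defined: matched
			// literally and never part of the output
			fields = append(fields, regexp.QuoteMeta(field))
			continue
		}
		key := m[1]
		if m[2] != "" {
			key = m[2] // <TOKEN:semantic_name> renames the output key
		}
		if seen[key] {
			// repeated key: still has to match, but is stored only once
			fields = append(fields, "(?:"+rx+")")
			continue
		}
		seen[key] = true
		p.keys = append(p.keys, key)
		fields = append(fields, "("+rx+")")
	}
	re, err := regexp.Compile("^" + strings.Join(fields, " ") + "$")
	if err != nil {
		return nil, err
	}
	p.re = re
	return p, nil
}

// Match reports whether line matches and returns key=value pairs for its tokens.
func (p *Pattern) Match(line string) (map[string]string, bool) {
	m := p.re.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	out := make(map[string]string, len(p.keys))
	for i, k := range p.keys {
		out[k] = m[i+1]
	}
	return out, true
}

func main() {
	// Constructed pattern and input line, not output of the real tool.
	p, err := CompilePattern("session_opened##<MONTH> <NUMBER:month_number> <WORD> session opened for user <WORD:username>")
	if err != nil {
		panic(err)
	}
	if vals, ok := p.Match("Jan 12 sshd session opened for user alice"); ok {
		js, _ := json.Marshal(vals)
		fmt.Printf("%s %s\n", p.Name, js)
	}
}
```

The second <WORD> in the sample pattern is renamed to username, as the page recommends; without the rename it would still have to match but would not appear in the output. A field like <FOO> with no entry in the token table falls through to the literal branch, which is the "<any_word> if there is no regex defined" case.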