
Patterns

Filip Halas edited this page Feb 18, 2014 · 16 revisions

Gomatch needs to have a file to read patterns/events from. Default location is ./Patterns.

Each pattern needs to be on a separate line and look something like this:

session_opened##<MONTH> <NUMBER:month_number> <TIME> <IP> <CLASS> <SYSLOGPROG> session opened for user <USERNAME>

Note that the pattern starts with a name, followed by ## and then the first thing to match (either <token_name> as a reference to a regex, or any literal word), then a single space and the next thing to match, and so on. Unfortunately you cannot combine tokens with parts of words, but you can easily alter the regular expressions to suit your log data.

Every matched token is stored and printed in the output; literal words are matched but not printed.

When you use <token_name> you will get token_name = matched_value in your output, but you can change this to <token_name:my_name>, to get my_name = matched_value.

It is also possible to append a new pattern while the program is running: add it as the top line of the Patterns file and save the changes.

Try it out

If things are still unclear, try these few patterns (put them in your patterns file):

Pattern_1##y
Pattern_2##y <WORD> <IP>

Pattern_1 will match the output of the Unix command yes (an endless generator of y, or of a given argument); try to run: yes | gomatch.

Pattern_2 will match lines starting with y, followed by a word made of letters only (no digits) and an IP address, examples:

y wordyword 192.168.2.1
y wordofwords 127.0.0.1

but won't match:

y 12wordofwords 127.0.0.1	// word with numbers
n wordofwords 127.0.0.1		// first word is not y
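To make the pattern format above concrete, here is an added example in Go (not Gomatch's own code) that parses pattern lines of the form name##<TOKEN> word <TOKEN:alias> ..., compiles each into a regular expression and prints token_name = matched_value for matching lines. The token regexes (WORD, IP, NUMBER, MONTH, TIME, CLASS, SYSLOGPROG, USERNAME) are constructed for this example, since the page does not show Gomatch's own definitions; the example also assumes a pattern must match the whole line, which is consistent with the Pattern_2 counterexamples above. Literal words are passed through regexp.QuoteMeta, so a word containing regex metacharacters stays a literal and cannot change the meaning of the compiled expression.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// tokenRegex maps token names to regular expressions. These are constructed
// for this example (assumption): Gomatch ships its own definitions, which
// are not shown on the wiki page, and you would adapt them to your logs.
var tokenRegex = map[string]string{
	"WORD":       `[A-Za-z]+`,
	"IP":         `(?:\d{1,3}\.){3}\d{1,3}`,
	"NUMBER":     `\d+`,
	"MONTH":      `[A-Z][a-z]{2}`,
	"TIME":       `\d{2}:\d{2}:\d{2}`,
	"CLASS":      `\S+`,
	"SYSLOGPROG": `\S+`,
	"USERNAME":   `\S+`,
}

// Pattern is one parsed line of the Patterns file.
type Pattern struct {
	Name  string
	re    *regexp.Regexp
	names []string // output name of each capturing group, in pattern order
}

// ParsePattern turns "name##<TOKEN> word <TOKEN:alias> ..." into a Pattern.
// Tokens become capturing groups; plain words are matched literally.
func ParsePattern(line string) (*Pattern, error) {
	parts := strings.SplitN(line, "##", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("pattern %q has no ## separator", line)
	}
	name, body := parts[0], parts[1]
	var sb strings.Builder
	var names []string
	sb.WriteString("^") // whole-line match (assumption, see lead-in)
	for i, part := range strings.Split(body, " ") {
		if i > 0 {
			sb.WriteString(" ") // elements are separated by a single space
		}
		if strings.HasPrefix(part, "<") && strings.HasSuffix(part, ">") {
			spec := strings.SplitN(part[1:len(part)-1], ":", 2)
			tok, alias := spec[0], spec[0]
			if len(spec) == 2 {
				alias = spec[1] // <token_name:my_name> renames the output key
			}
			re, known := tokenRegex[tok]
			if !known {
				return nil, fmt.Errorf("pattern %s: unknown token <%s>", name, tok)
			}
			names = append(names, alias)
			sb.WriteString("(" + re + ")")
		} else {
			sb.WriteString(regexp.QuoteMeta(part)) // literal word, never a regex
		}
	}
	sb.WriteString("$")
	re, err := regexp.Compile(sb.String())
	if err != nil {
		return nil, fmt.Errorf("pattern %s: %w", name, err)
	}
	return &Pattern{Name: name, re: re, names: names}, nil
}

// Match returns the captured tokens keyed by output name, or nil if the
// line does not match the pattern.
func (p *Pattern) Match(line string) map[string]string {
	m := p.re.FindStringSubmatch(line)
	if m == nil {
		return nil
	}
	out := make(map[string]string, len(p.names))
	for i, n := range p.names {
		out[n] = m[i+1]
	}
	return out
}

// Describe renders a match as "name: key = value, ..." in pattern order,
// or returns "" when the line does not match.
func (p *Pattern) Describe(line string) string {
	m := p.Match(line)
	if m == nil {
		return ""
	}
	pairs := make([]string, 0, len(p.names))
	for _, n := range p.names {
		pairs = append(pairs, n+" = "+m[n])
	}
	return p.Name + ": " + strings.Join(pairs, ", ")
}

func main() {
	// Patterns from the page plus one constructed syslog-style line.
	patterns := []string{
		"session_opened##<MONTH> <NUMBER:month_number> <TIME> <IP> <CLASS> <SYSLOGPROG> session opened for user <USERNAME>",
		"Pattern_1##y",
		"Pattern_2##y <WORD> <IP>",
	}
	lines := []string{
		"Feb 18 10:22:01 192.168.2.1 auth sshd[123]: session opened for user alice", // constructed
		"y",
		"y wordyword 192.168.2.1",
		"y 12wordofwords 127.0.0.1", // word with numbers: no match
		"n wordofwords 127.0.0.1",   // first word is not y: no match
	}
	for _, ps := range patterns {
		p, err := ParsePattern(ps)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, l := range lines {
			if out := p.Describe(l); out != "" {
				fmt.Println(out)
			}
		}
	}
}
```

Running the program prints one line per match, e.g. Pattern_2: WORD = wordyword, IP = 192.168.2.1, while the two counterexamples from the page print nothing. Unknown tokens are rejected at parse time rather than silently matching nothing, which is the behaviour you want when patterns are edited while the matcher is running.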