Untitled

a guest, Dec 7th, 2016
  1. [2016-12-07T10:45:29,591][DEBUG][logstash.runner          ] -------- Logstash Settings (* means modified) ---------
  2. [2016-12-07T10:45:29,596][DEBUG][logstash.runner          ] node.name: "mylogstashserver.com"
  3. [2016-12-07T10:45:29,596][DEBUG][logstash.runner          ] *path.config: "/etc/logstash/conf.d"
  4. [2016-12-07T10:45:29,596][DEBUG][logstash.runner          ] *path.data: "/var/lib/logstash" (default: "/usr/share/logstash/data")
  5. [2016-12-07T10:45:29,596][DEBUG][logstash.runner          ] config.test_and_exit: false
  6. [2016-12-07T10:45:29,596][DEBUG][logstash.runner          ] config.reload.automatic: false
  7. [2016-12-07T10:45:29,597][DEBUG][logstash.runner          ] config.reload.interval: 3
  8. [2016-12-07T10:45:29,597][DEBUG][logstash.runner          ] metric.collect: true
  9. [2016-12-07T10:45:29,597][DEBUG][logstash.runner          ] pipeline.id: "main"
  10. [2016-12-07T10:45:29,597][DEBUG][logstash.runner          ] pipeline.workers: 6
  11. [2016-12-07T10:45:29,598][DEBUG][logstash.runner          ] pipeline.output.workers: 1
  12. [2016-12-07T10:45:29,598][DEBUG][logstash.runner          ] pipeline.batch.size: 125
  13. [2016-12-07T10:45:29,598][DEBUG][logstash.runner          ] pipeline.batch.delay: 5
  14. [2016-12-07T10:45:29,598][DEBUG][logstash.runner          ] pipeline.unsafe_shutdown: false
  15. [2016-12-07T10:45:29,598][DEBUG][logstash.runner          ] path.plugins: []
  16. [2016-12-07T10:45:29,599][DEBUG][logstash.runner          ] config.debug: false
  17. [2016-12-07T10:45:29,599][DEBUG][logstash.runner          ] *log.level: "debug" (default: "info")
  18. [2016-12-07T10:45:29,599][DEBUG][logstash.runner          ] version: false
  19. [2016-12-07T10:45:29,600][DEBUG][logstash.runner          ] help: false
  20. [2016-12-07T10:45:29,600][DEBUG][logstash.runner          ] log.format: "plain"
  21. [2016-12-07T10:45:29,600][DEBUG][logstash.runner          ] http.host: "127.0.0.1"
  22. [2016-12-07T10:45:29,600][DEBUG][logstash.runner          ] http.port: 9600..9700
  23. [2016-12-07T10:45:29,600][DEBUG][logstash.runner          ] http.environment: "production"
  24. [2016-12-07T10:45:29,601][DEBUG][logstash.runner          ] *path.settings: "/etc/logstash" (default: "/usr/share/logstash/config")
  25. [2016-12-07T10:45:29,601][DEBUG][logstash.runner          ] *path.logs: "/var/log/logstash" (default: "/usr/share/logstash/logs")
  26. [2016-12-07T10:45:29,601][DEBUG][logstash.runner          ] --------------- Logstash Settings -------------------
  27. [2016-12-07T10:45:29,640][DEBUG][logstash.agent           ] Agent: Configuring metric collection
  28. [2016-12-07T10:45:29,642][DEBUG][logstash.instrument.periodicpoller.os] PeriodicPoller: Starting {:polling_interval=>5, :polling_timeout=>120}
  29. [2016-12-07T10:45:29,647][DEBUG][logstash.instrument.periodicpoller.jvm] PeriodicPoller: Starting {:polling_interval=>5, :polling_timeout=>120}
  30. [2016-12-07T10:45:29,700][DEBUG][logstash.agent           ] Reading config file {:config_file=>"/etc/logstash/conf.d/02-beats-input.conf"}
  31. [2016-12-07T10:45:29,701][DEBUG][logstash.agent           ] Reading config file {:config_file=>"/etc/logstash/conf.d/10-syslog-filter.conf"}
  32. [2016-12-07T10:45:29,702][DEBUG][logstash.agent           ] Reading config file {:config_file=>"/etc/logstash/conf.d/30-elasticsearch-output.conf"}
  33. [2016-12-07T10:45:29,704][DEBUG][logstash.agent           ] Reading config file {:config_file=>"/etc/logstash/conf.d/apache-filter.conf"}
  34. [2016-12-07T10:45:30,002][DEBUG][logstash.codecs.plain    ] config LogStash::Codecs::Plain/@id = "plain_959b4d43-f9df-4212-85c1-43940f9258a5"
  35. [2016-12-07T10:45:30,002][DEBUG][logstash.codecs.plain    ] config LogStash::Codecs::Plain/@enable_metric = true
  36. [2016-12-07T10:45:30,002][DEBUG][logstash.codecs.plain    ] config LogStash::Codecs::Plain/@charset = "UTF-8"
  37. [2016-12-07T10:45:30,004][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@port = 5044
  38. [2016-12-07T10:45:30,004][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@ssl = true
  39. [2016-12-07T10:45:30,004][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@ssl_certificate = "/etc/pki/tls/certs/logstash-forwarder.crt"
  40. [2016-12-07T10:45:30,005][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@ssl_key = "/etc/pki/tls/private/logstash-forwarder.key"
  41. [2016-12-07T10:45:30,005][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-1"
  42. [2016-12-07T10:45:30,005][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@enable_metric = true
  43. [2016-12-07T10:45:30,005][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@codec = <LogStash::Codecs::Plain id=>"plain_959b4d43-f9df-4212-85c1-43940f9258a5", enable_metric=>true, charset=>"UTF-8">
  44. [2016-12-07T10:45:30,005][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@add_field = {}
  45. [2016-12-07T10:45:30,005][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@host = "0.0.0.0"
  46. [2016-12-07T10:45:30,006][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@ssl_certificate_authorities = []
  47. [2016-12-07T10:45:30,006][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@ssl_verify_mode = "none"
  48. [2016-12-07T10:45:30,006][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@include_codec_tag = true
  49. [2016-12-07T10:45:30,006][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@ssl_handshake_timeout = 10000
  50. [2016-12-07T10:45:30,006][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@congestion_threshold = 5
  51. [2016-12-07T10:45:30,006][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@target_field_for_codec = "message"
  52. [2016-12-07T10:45:30,007][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@tls_min_version = 1
  53. [2016-12-07T10:45:30,007][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@tls_max_version = 1.2
  54. [2016-12-07T10:45:30,007][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@cipher_suites = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"]
  55. [2016-12-07T10:45:30,008][DEBUG][logstash.inputs.beats    ] config LogStash::Inputs::Beats/@client_inactivity_timeout = 60
  56. [2016-12-07T10:45:30,026][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@match = {"message"=>"%{COMBINEDAPACHELOG}"}
  57. [2016-12-07T10:45:30,027][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-2"
  58. [2016-12-07T10:45:30,027][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@enable_metric = true
  59. [2016-12-07T10:45:30,027][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@add_tag = []
  60. [2016-12-07T10:45:30,027][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@remove_tag = []
  61. [2016-12-07T10:45:30,027][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@add_field = {}
  62. [2016-12-07T10:45:30,028][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@remove_field = []
  63. [2016-12-07T10:45:30,028][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@periodic_flush = false
  64. [2016-12-07T10:45:30,028][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@patterns_dir = []
  65. [2016-12-07T10:45:30,028][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@patterns_files_glob = "*"
  66. [2016-12-07T10:45:30,028][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@break_on_match = true
  67. [2016-12-07T10:45:30,028][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@named_captures_only = true
  68. [2016-12-07T10:45:30,029][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@keep_empty_captures = false
  69. [2016-12-07T10:45:30,029][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@tag_on_failure = ["_grokparsefailure"]
  70. [2016-12-07T10:45:30,029][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@timeout_millis = 30000
  71. [2016-12-07T10:45:30,029][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@tag_on_timeout = "_groktimeout"
  72. [2016-12-07T10:45:30,029][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@overwrite = []
  73. [2016-12-07T10:45:30,047][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@locale = "pt_BR"
  74. [2016-12-07T10:45:30,047][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@timezone = "America/Sao_Paulo"
  75. [2016-12-07T10:45:30,047][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@match = ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
  76. [2016-12-07T10:45:30,047][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@add_tag = ["tsmatch"]
  77. [2016-12-07T10:45:30,047][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-3"
  78. [2016-12-07T10:45:30,048][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@enable_metric = true
  79. [2016-12-07T10:45:30,048][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@remove_tag = []
  80. [2016-12-07T10:45:30,048][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@add_field = {}
  81. [2016-12-07T10:45:30,048][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@remove_field = []
  82. [2016-12-07T10:45:30,048][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@periodic_flush = false
  83. [2016-12-07T10:45:30,048][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@target = "@timestamp"
  84. [2016-12-07T10:45:30,049][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@tag_on_failure = ["_dateparsefailure"]
  85. [2016-12-07T10:45:30,052][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@match = {"message"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\\[%{POSINT:syslog_pid}\\])?: %{GREEDYDATA:syslog_message}"}
  86. [2016-12-07T10:45:30,052][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@add_field = {"received_at"=>"%{@timestamp}", "received_from"=>"%{host}"}
  87. [2016-12-07T10:45:30,052][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-4"
  88. [2016-12-07T10:45:30,053][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@enable_metric = true
  89. [2016-12-07T10:45:30,053][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@add_tag = []
  90. [2016-12-07T10:45:30,053][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@remove_tag = []
  91. [2016-12-07T10:45:30,053][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@remove_field = []
  92. [2016-12-07T10:45:30,053][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@periodic_flush = false
  93. [2016-12-07T10:45:30,053][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@patterns_dir = []
  94. [2016-12-07T10:45:30,053][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@patterns_files_glob = "*"
  95. [2016-12-07T10:45:30,054][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@break_on_match = true
  96. [2016-12-07T10:45:30,054][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@named_captures_only = true
  97. [2016-12-07T10:45:30,054][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@keep_empty_captures = false
  98. [2016-12-07T10:45:30,054][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@tag_on_failure = ["_grokparsefailure"]
  99. [2016-12-07T10:45:30,054][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@timeout_millis = 30000
  100. [2016-12-07T10:45:30,054][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@tag_on_timeout = "_groktimeout"
  101. [2016-12-07T10:45:30,054][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@overwrite = []
  102. [2016-12-07T10:45:30,062][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-5"
  103. [2016-12-07T10:45:30,062][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@enable_metric = true
  104. [2016-12-07T10:45:30,062][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@add_tag = []
  105. [2016-12-07T10:45:30,063][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@remove_tag = []
  106. [2016-12-07T10:45:30,063][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@add_field = {}
  107. [2016-12-07T10:45:30,063][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@remove_field = []
  108. [2016-12-07T10:45:30,063][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@periodic_flush = false
  109. [2016-12-07T10:45:30,063][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@use_labels = true
  110. [2016-12-07T10:45:30,063][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@syslog_pri_field_name = "syslog_pri"
  111. [2016-12-07T10:45:30,064][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@facility_labels = ["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd", "line printer", "network news", "uucp", "clock", "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
  112. [2016-12-07T10:45:30,064][DEBUG][logstash.filters.syslog_pri] config LogStash::Filters::Syslog_pri/@severity_labels = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
  113. [2016-12-07T10:45:30,067][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@match = ["syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
  114. [2016-12-07T10:45:30,067][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-6"
  115. [2016-12-07T10:45:30,067][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@enable_metric = true
  116. [2016-12-07T10:45:30,068][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@add_tag = []
  117. [2016-12-07T10:45:30,068][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@remove_tag = []
  118. [2016-12-07T10:45:30,068][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@add_field = {}
  119. [2016-12-07T10:45:30,068][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@remove_field = []
  120. [2016-12-07T10:45:30,068][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@periodic_flush = false
  121. [2016-12-07T10:45:30,068][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@target = "@timestamp"
  122. [2016-12-07T10:45:30,068][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@tag_on_failure = ["_dateparsefailure"]
  123. [2016-12-07T10:45:30,251][DEBUG][logstash.codecs.plain    ] config LogStash::Codecs::Plain/@id = "plain_2a333afb-0abd-4d92-ad35-35ae3fa5e2d5"
  124. [2016-12-07T10:45:30,251][DEBUG][logstash.codecs.plain    ] config LogStash::Codecs::Plain/@enable_metric = true
  125. [2016-12-07T10:45:30,252][DEBUG][logstash.codecs.plain    ] config LogStash::Codecs::Plain/@charset = "UTF-8"
  126. [2016-12-07T10:45:30,254][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@hosts = ["localhost:9200"]
  127. [2016-12-07T10:45:30,254][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@sniffing = true
  128. [2016-12-07T10:45:30,255][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@manage_template = false
  129. [2016-12-07T10:45:30,255][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@index = "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  130. [2016-12-07T10:45:30,255][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@document_type = "%{[@metadata][type]}"
  131. [2016-12-07T10:45:30,255][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-7"
  132. [2016-12-07T10:45:30,255][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@enable_metric = true
  133. [2016-12-07T10:45:30,256][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@codec = <LogStash::Codecs::Plain id=>"plain_2a333afb-0abd-4d92-ad35-35ae3fa5e2d5", enable_metric=>true, charset=>"UTF-8">
  134. [2016-12-07T10:45:30,256][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@workers = 1
  135. [2016-12-07T10:45:30,256][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@template_name = "logstash"
  136. [2016-12-07T10:45:30,256][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@template_overwrite = false
  137. [2016-12-07T10:45:30,256][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@parent = nil
  138. [2016-12-07T10:45:30,256][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@flush_size = 500
  139. [2016-12-07T10:45:30,257][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@idle_flush_time = 1
  140. [2016-12-07T10:45:30,257][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@upsert = ""
  141. [2016-12-07T10:45:30,257][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@doc_as_upsert = false
  142. [2016-12-07T10:45:30,257][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@script = ""
  143. [2016-12-07T10:45:30,257][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@script_type = "inline"
  144. [2016-12-07T10:45:30,257][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@script_lang = "painless"
  145. [2016-12-07T10:45:30,257][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@script_var_name = "event"
  146. [2016-12-07T10:45:30,258][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@scripted_upsert = false
  147. [2016-12-07T10:45:30,258][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@retry_initial_interval = 2
  148. [2016-12-07T10:45:30,258][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@retry_max_interval = 64
  149. [2016-12-07T10:45:30,258][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@retry_on_conflict = 1
  150. [2016-12-07T10:45:30,258][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@pipeline = nil
  151. [2016-12-07T10:45:30,258][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@action = "index"
  152. [2016-12-07T10:45:30,258][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@ssl_certificate_verification = true
  153. [2016-12-07T10:45:30,259][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@sniffing_delay = 5
  154. [2016-12-07T10:45:30,259][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@timeout = 60
  155. [2016-12-07T10:45:30,259][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@failure_type_logging_whitelist = []
  156. [2016-12-07T10:45:30,259][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@pool_max = 1000
  157. [2016-12-07T10:45:30,259][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@pool_max_per_route = 100
  158. [2016-12-07T10:45:30,259][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@healthcheck_path = "/"
  159. [2016-12-07T10:45:30,259][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@resurrect_delay = 5
  160. [2016-12-07T10:45:30,260][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@validate_after_inactivity = 10000
  161. [2016-12-07T10:45:30,266][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@match = {"message"=>"%{COMBINEDAPACHELOG}"}
  162. [2016-12-07T10:45:30,266][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-8"
  163. [2016-12-07T10:45:30,266][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@enable_metric = true
  164. [2016-12-07T10:45:30,266][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@add_tag = []
  165. [2016-12-07T10:45:30,266][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@remove_tag = []
  166. [2016-12-07T10:45:30,267][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@add_field = {}
  167. [2016-12-07T10:45:30,267][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@remove_field = []
  168. [2016-12-07T10:45:30,267][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@periodic_flush = false
  169. [2016-12-07T10:45:30,267][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@patterns_dir = []
  170. [2016-12-07T10:45:30,267][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@patterns_files_glob = "*"
  171. [2016-12-07T10:45:30,267][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@break_on_match = true
  172. [2016-12-07T10:45:30,268][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@named_captures_only = true
  173. [2016-12-07T10:45:30,268][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@keep_empty_captures = false
  174. [2016-12-07T10:45:30,268][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@tag_on_failure = ["_grokparsefailure"]
  175. [2016-12-07T10:45:30,268][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@timeout_millis = 30000
  176. [2016-12-07T10:45:30,268][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@tag_on_timeout = "_groktimeout"
  177. [2016-12-07T10:45:30,268][DEBUG][logstash.filters.grok    ] config LogStash::Filters::Grok/@overwrite = []
  178. [2016-12-07T10:45:30,275][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@locale = "pt_BR"
  179. [2016-12-07T10:45:30,275][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@timezone = "America/Sao_Paulo"
  180. [2016-12-07T10:45:30,275][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@match = ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
  181. [2016-12-07T10:45:30,275][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@add_tag = ["tsmatch"]
  182. [2016-12-07T10:45:30,276][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@id = "c9a3f6db8ed8a6d49522218695035d01803f7ac6-9"
  183. [2016-12-07T10:45:30,276][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@enable_metric = true
  184. [2016-12-07T10:45:30,276][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@remove_tag = []
  185. [2016-12-07T10:45:30,276][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@add_field = {}
  186. [2016-12-07T10:45:30,276][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@remove_field = []
  187. [2016-12-07T10:45:30,276][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@periodic_flush = false
  188. [2016-12-07T10:45:30,277][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@target = "@timestamp"
  189. [2016-12-07T10:45:30,277][DEBUG][logstash.filters.date    ] config LogStash::Filters::Date/@tag_on_failure = ["_dateparsefailure"]
  190. [2016-12-07T10:45:30,283][DEBUG][logstash.agent           ] starting agent
  191. [2016-12-07T10:45:30,284][DEBUG][logstash.agent           ] starting pipeline {:id=>"main"}
  192. [2016-12-07T10:45:30,328][DEBUG][io.netty.util.internal.logging.InternalLoggerFactory] Using Log4J as the default logging framework
  193. [2016-12-07T10:45:30,341][DEBUG][io.netty.util.internal.NativeLibraryLoader] -Dio.netty.tmpdir: /tmp (java.io.tmpdir)
  194. [2016-12-07T10:45:30,341][DEBUG][io.netty.util.internal.NativeLibraryLoader] -Dio.netty.native.workdir: /tmp (io.netty.tmpdir)
  195. [2016-12-07T10:45:30,467][DEBUG][io.netty.util.internal.ThreadLocalRandom] -Dio.netty.initialSeedUniquifier: 0x3f2f9c91410c0724
  196. [2016-12-07T10:45:30,648][DEBUG][io.netty.util.internal.PlatformDependent0] java.nio.Buffer.address: available
  197. [2016-12-07T10:45:30,648][DEBUG][io.netty.util.internal.PlatformDependent0] sun.misc.Unsafe.theUnsafe: available
  198. [2016-12-07T10:45:30,648][DEBUG][io.netty.util.internal.PlatformDependent0] sun.misc.Unsafe.copyMemory: available
  199. [2016-12-07T10:45:30,650][DEBUG][io.netty.util.internal.PlatformDependent0] java.nio.Bits.unaligned: true
  200. [2016-12-07T10:45:30,650][DEBUG][io.netty.util.internal.PlatformDependent0] java.nio.DirectByteBuffer.<init>(long, int): available
  201. [2016-12-07T10:45:30,644][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:30 -0200}
  202. [2016-12-07T10:45:30,653][DEBUG][io.netty.util.internal.Cleaner0] java.nio.ByteBuffer.cleaner(): available
  203. [2016-12-07T10:45:30,654][DEBUG][io.netty.util.internal.PlatformDependent] Java version: 8
  204. [2016-12-07T10:45:30,654][DEBUG][io.netty.util.internal.PlatformDependent] -Dio.netty.noUnsafe: false
  205. [2016-12-07T10:45:30,655][DEBUG][io.netty.util.internal.PlatformDependent] sun.misc.Unsafe: available
  206. [2016-12-07T10:45:30,655][DEBUG][io.netty.util.internal.PlatformDependent] -Dio.netty.noJavassist: false
  207. [2016-12-07T10:45:30,867][DEBUG][io.netty.util.internal.PlatformDependent] Javassist: available
  208. [2016-12-07T10:45:30,868][DEBUG][io.netty.util.internal.PlatformDependent] -Dio.netty.tmpdir: /tmp (java.io.tmpdir)
  209. [2016-12-07T10:45:30,868][DEBUG][io.netty.util.internal.PlatformDependent] -Dio.netty.bitMode: 64 (sun.arch.data.model)
  210. [2016-12-07T10:45:30,868][DEBUG][io.netty.util.internal.PlatformDependent] -Dio.netty.noPreferDirect: false
  211. [2016-12-07T10:45:30,868][DEBUG][io.netty.util.internal.PlatformDependent] io.netty.maxDirectMemory: 1037959168 bytes
  212. [2016-12-07T10:45:30,891][DEBUG][io.netty.buffer.AbstractByteBuf] -Dio.netty.buffer.bytebuf.checkAccessible: true
  213. [2016-12-07T10:45:30,898][DEBUG][io.netty.util.ResourceLeakDetector] -Dio.netty.leakDetection.level: simple
  214. [2016-12-07T10:45:30,898][DEBUG][io.netty.util.ResourceLeakDetector] -Dio.netty.leakDetection.maxRecords: 4
  215. [2016-12-07T10:45:30,902][DEBUG][io.netty.util.ResourceLeakDetectorFactory] Loaded default ResourceLeakDetector: io.netty.util.ResourceLeakDetector@47cb175f
  216. [2016-12-07T10:45:30,948][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.numHeapArenas: 10
  217. [2016-12-07T10:45:30,948][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.numDirectArenas: 10
  218. [2016-12-07T10:45:30,948][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.pageSize: 8192
  219. [2016-12-07T10:45:30,948][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.maxOrder: 11
  220. [2016-12-07T10:45:30,949][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.chunkSize: 16777216
  221. [2016-12-07T10:45:30,949][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.tinyCacheSize: 512
  222. [2016-12-07T10:45:30,949][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.smallCacheSize: 256
  223. [2016-12-07T10:45:30,949][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.normalCacheSize: 64
  224. [2016-12-07T10:45:30,949][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.maxCachedBufferCapacity: 32768
  225. [2016-12-07T10:45:30,949][DEBUG][io.netty.buffer.PooledByteBufAllocator] -Dio.netty.allocator.cacheTrimInterval: 8192
  226. [2016-12-07T10:45:30,976][DEBUG][io.netty.buffer.ByteBufUtil] -Dio.netty.allocator.type: pooled
  227. [2016-12-07T10:45:30,976][DEBUG][io.netty.buffer.ByteBufUtil] -Dio.netty.threadLocalDirectBufferSize: 65536
  228. [2016-12-07T10:45:30,976][DEBUG][io.netty.buffer.ByteBufUtil] -Dio.netty.maxThreadLocalCharBufferSize: 16384
  229. [2016-12-07T10:45:31,005][DEBUG][io.netty.handler.ssl.OpenSslContext] Default cipher suite (OpenSSL): [ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-GCM-SHA256, AES128-SHA, AES256-SHA, DES-CBC3-SHA]
  230. [2016-12-07T10:45:31,005][DEBUG][io.netty.handler.ssl.OpenSslContext] OpenSslContext only support -Djdk.tls.ephemeralDHKeySize={int}, but got: matched
  231. [2016-12-07T10:45:31,014][DEBUG][io.netty.util.Recycler   ] -Dio.netty.recycler.maxCapacity: 262144
  232. [2016-12-07T10:45:31,014][DEBUG][io.netty.util.Recycler   ] -Dio.netty.recycler.maxSharedCapacityFactor: 2
  233. [2016-12-07T10:45:31,014][DEBUG][io.netty.util.Recycler   ] -Dio.netty.recycler.linkCapacity: 16
  234. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 => ECDHE-ECDSA-AES128-GCM-SHA256
  235. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 => ECDHE-ECDSA-AES128-GCM-SHA256
  236. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 => ECDHE-RSA-AES128-GCM-SHA256
  237. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 => ECDHE-RSA-AES128-GCM-SHA256
  238. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_ECDHE_PSK_AES128_GCM_SHA256 => ECDHE-PSK-AES128-GCM-SHA256
  239. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_ECDHE_PSK_AES128_GCM_SHA256 => ECDHE-PSK-AES128-GCM-SHA256
  240. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 => DHE-RSA-AES128-GCM-SHA256
  241. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 => DHE-RSA-AES128-GCM-SHA256
  242. [2016-12-07T10:45:31,043][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 => ECDHE-ECDSA-AES256-GCM-SHA384
  243. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 => ECDHE-ECDSA-AES256-GCM-SHA384
  244. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 => ECDHE-RSA-AES256-GCM-SHA384
  245. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 => ECDHE-RSA-AES256-GCM-SHA384
  246. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_ECDHE_PSK_AES256_GCM_SHA384 => ECDHE-PSK-AES256-GCM-SHA384
  247. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_ECDHE_PSK_AES256_GCM_SHA384 => ECDHE-PSK-AES256-GCM-SHA384
  248. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 => DHE-RSA-AES256-GCM-SHA384
  249. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384 => DHE-RSA-AES256-GCM-SHA384
  250. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 => ECDHE-ECDSA-CHACHA20-POLY1305
  251. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 => ECDHE-ECDSA-CHACHA20-POLY1305
  252. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 => ECDHE-RSA-CHACHA20-POLY1305
  253. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_RSA_WITH_CHACHA20_POLY1305 => ECDHE-RSA-CHACHA20-POLY1305
  254. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_ECDHE_PSK_CHACHA20_POLY1305 => ECDHE-PSK-CHACHA20-POLY1305
  255. [2016-12-07T10:45:31,044][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_ECDHE_PSK_CHACHA20_POLY1305 => ECDHE-PSK-CHACHA20-POLY1305
  256. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA => ECDHE-ECDSA-AES128-SHA
  257. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA => ECDHE-ECDSA-AES128-SHA
  258. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 => ECDHE-ECDSA-AES128-SHA256
  259. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 => ECDHE-ECDSA-AES128-SHA256
  260. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA => ECDHE-RSA-AES128-SHA
  261. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA => ECDHE-RSA-AES128-SHA
  262. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 => ECDHE-RSA-AES128-SHA256
  263. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 => ECDHE-RSA-AES128-SHA256
  264. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_ECDHE_PSK_AES128_CBC_SHA => ECDHE-PSK-AES128-CBC-SHA
  265. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_ECDHE_PSK_AES128_CBC_SHA => ECDHE-PSK-AES128-CBC-SHA
  266. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_DHE_RSA_WITH_AES_128_CBC_SHA => DHE-RSA-AES128-SHA
  267. [2016-12-07T10:45:31,045][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_DHE_RSA_WITH_AES_128_CBC_SHA => DHE-RSA-AES128-SHA
  268. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 => DHE-RSA-AES128-SHA256
  269. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 => DHE-RSA-AES128-SHA256
  270. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA => ECDHE-ECDSA-AES256-SHA
  271. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA => ECDHE-ECDSA-AES256-SHA
  272. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 => ECDHE-ECDSA-AES256-SHA384
  273. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 => ECDHE-ECDSA-AES256-SHA384
  274. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA => ECDHE-RSA-AES256-SHA
  275. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA => ECDHE-RSA-AES256-SHA
  276. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 => ECDHE-RSA-AES256-SHA384
  277. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 => ECDHE-RSA-AES256-SHA384
  278. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_ECDHE_PSK_AES256_CBC_SHA => ECDHE-PSK-AES256-CBC-SHA
  279. [2016-12-07T10:45:31,046][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_ECDHE_PSK_AES256_CBC_SHA => ECDHE-PSK-AES256-CBC-SHA
  280. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_DHE_RSA_WITH_AES_256_CBC_SHA => DHE-RSA-AES256-SHA
  281. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_DHE_RSA_WITH_AES_256_CBC_SHA => DHE-RSA-AES256-SHA
  282. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 => DHE-RSA-AES256-SHA256
  283. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 => DHE-RSA-AES256-SHA256
  284. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA => ECDHE-ECDSA-RC4-SHA
  285. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_ECDSA_WITH_RC4_128_SHA => ECDHE-ECDSA-RC4-SHA
  286. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_ECDHE_RSA_WITH_RC4_128_SHA => ECDHE-RSA-RC4-SHA
  287. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_ECDHE_RSA_WITH_RC4_128_SHA => ECDHE-RSA-RC4-SHA
  288. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_AES_128_GCM_SHA256 => AES128-GCM-SHA256
  289. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_AES_128_GCM_SHA256 => AES128-GCM-SHA256
  290. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_AES_256_GCM_SHA384 => AES256-GCM-SHA384
  291. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_AES_256_GCM_SHA384 => AES256-GCM-SHA384
  292. [2016-12-07T10:45:31,047][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_AES_128_CBC_SHA => AES128-SHA
  293. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_AES_128_CBC_SHA => AES128-SHA
  294. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_AES_128_CBC_SHA256 => AES128-SHA256
  295. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_AES_128_CBC_SHA256 => AES128-SHA256
  296. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_PSK_WITH_AES_128_CBC_SHA => PSK-AES128-CBC-SHA
  297. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_PSK_WITH_AES_128_CBC_SHA => PSK-AES128-CBC-SHA
  298. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_AES_256_CBC_SHA => AES256-SHA
  299. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_AES_256_CBC_SHA => AES256-SHA
  300. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_AES_256_CBC_SHA256 => AES256-SHA256
  301. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_AES_256_CBC_SHA256 => AES256-SHA256
  302. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_PSK_WITH_AES_256_CBC_SHA => PSK-AES256-CBC-SHA
  303. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_PSK_WITH_AES_256_CBC_SHA => PSK-AES256-CBC-SHA
  304. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_3DES_EDE_CBC_SHA => DES-CBC3-SHA
  305. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_3DES_EDE_CBC_SHA => DES-CBC3-SHA
  306. [2016-12-07T10:45:31,048][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_RC4_128_SHA => RC4-SHA
  307. [2016-12-07T10:45:31,049][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_RC4_128_SHA => RC4-SHA
  308. [2016-12-07T10:45:31,049][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_PSK_WITH_RC4_128_SHA => PSK-RC4-SHA
  309. [2016-12-07T10:45:31,049][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_PSK_WITH_RC4_128_SHA => PSK-RC4-SHA
  310. [2016-12-07T10:45:31,049][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: TLS_RSA_WITH_RC4_128_MD5 => RC4-MD5
  311. [2016-12-07T10:45:31,049][DEBUG][io.netty.handler.ssl.CipherSuiteConverter] Cipher suite mapping: SSL_RSA_WITH_RC4_128_MD5 => RC4-MD5
  312. [2016-12-07T10:45:31,051][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5044"}
  313. [2016-12-07T10:45:31,059][DEBUG][io.netty.channel.MultithreadEventLoopGroup] -Dio.netty.eventLoopThreads: 12
  314. [2016-12-07T10:45:31,089][DEBUG][io.netty.channel.nio.NioEventLoop] -Dio.netty.noKeySetOptimization: false
  315. [2016-12-07T10:45:31,089][DEBUG][io.netty.channel.nio.NioEventLoop] -Dio.netty.selectorAutoRebuildThreshold: 512
  316. [2016-12-07T10:45:31,097][DEBUG][org.logstash.netty.SslSimpleBuilder] Cipher is supported: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  317. [2016-12-07T10:45:31,097][DEBUG][org.logstash.netty.SslSimpleBuilder] Cipher is supported: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  318. [2016-12-07T10:45:31,097][DEBUG][org.logstash.netty.SslSimpleBuilder] Cipher is supported: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  319. [2016-12-07T10:45:31,097][DEBUG][org.logstash.netty.SslSimpleBuilder] Cipher is supported: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  320. [2016-12-07T10:45:31,097][DEBUG][org.logstash.netty.SslSimpleBuilder] Cipher is supported: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  321. [2016-12-07T10:45:31,097][DEBUG][org.logstash.netty.SslSimpleBuilder] Cipher is supported: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  322. [2016-12-07T10:45:31,098][DEBUG][org.logstash.netty.SslSimpleBuilder] Cipher is supported: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  323. [2016-12-07T10:45:31,099][DEBUG][logstash.outputs.elasticsearch] Normalizing http path {:path=>nil, :normalized=>nil}
  324. [2016-12-07T10:45:31,114][INFO ][org.logstash.beats.Server] Starting server on port: 5044
  325. [2016-12-07T10:45:31,133][DEBUG][io.netty.util.internal.JavassistTypeParameterMatcherGenerator] Generated: io.netty.util.internal.__matchers__.org.logstash.beats.BatchMatcher
  326. [2016-12-07T10:45:31,173][DEBUG][io.netty.channel.DefaultChannelId] -Dio.netty.processId: 29481 (auto-detected)
  327. [2016-12-07T10:45:31,176][DEBUG][io.netty.util.NetUtil    ] Loopback interface: lo (lo, 0:0:0:0:0:0:0:1%lo)
  328. [2016-12-07T10:45:31,177][DEBUG][io.netty.util.NetUtil    ] /proc/sys/net/core/somaxconn: 65000
  329. [2016-12-07T10:45:31,178][DEBUG][io.netty.channel.DefaultChannelId] -Dio.netty.machineId: 00:50:56:ff:fe:ac:63:9e (auto-detected)
  330. [2016-12-07T10:45:31,478][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>["http://localhost:9200"]}}
  331. [2016-12-07T10:45:31,481][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["localhost:9200"]}
  332. [2016-12-07T10:45:31,505][DEBUG][logstash.filters.grok    ] Grok patterns path {:paths=>["/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-4.0.2/patterns", "/usr/share/logstash/patterns/*"]}
  333. [2016-12-07T10:45:31,507][DEBUG][logstash.filters.grok    ] Grok patterns path {:paths=>[]}
  334. [2016-12-07T10:45:31,508][DEBUG][logstash.filters.grok    ] Match data {:match=>{"message"=>"%{COMBINEDAPACHELOG}"}}
  335. [2016-12-07T10:45:31,509][DEBUG][logstash.filters.grok    ] regexp: /message {:pattern=>"%{COMBINEDAPACHELOG}"}
  336. [2016-12-07T10:45:31,512][DEBUG][logstash.filters.grok    ] Adding pattern {"S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"}
  337. [2016-12-07T10:45:31,513][DEBUG][logstash.filters.grok    ] Adding pattern {"S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \\[%{HTTPDATE:timestamp}\\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:\"%{S3_REQUEST_LINE}\"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:\"?%{QS:agent}\"?|-) (?:-|%{NOTSPACE:version_id})"}
  338. [2016-12-07T10:45:31,514][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?"}
  339. [2016-12-07T10:45:31,514][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?"}
  340. [2016-12-07T10:45:31,514][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"}
  341. [2016-12-07T10:45:31,515][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} \"%{ELB_REQUEST_LINE}\""}
  342. [2016-12-07T10:45:31,515][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}"}
  343. [2016-12-07T10:45:31,515][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_HOST"=>"[a-zA-Z0-9-]+"}
  344. [2016-12-07T10:45:31,516][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_VOLUME"=>"%{USER}"}
  345. [2016-12-07T10:45:31,516][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_DEVICE"=>"%{USER}"}
  346. [2016-12-07T10:45:31,516][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_DEVICEPATH"=>"%{UNIXPATH}"}
  347. [2016-12-07T10:45:31,517][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*"}
  348. [2016-12-07T10:45:31,517][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_VERSION"=>"%{USER}"}
  349. [2016-12-07T10:45:31,517][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_JOB"=>"%{USER}"}
  350. [2016-12-07T10:45:31,517][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)"}
  351. [2016-12-07T10:45:31,518][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_END_VOLUME"=>"End of medium on Volume \\\"%{BACULA_VOLUME:volume}\\\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}."}
  352. [2016-12-07T10:45:31,518][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_VOLUME"=>"Created new Volume \\\"%{BACULA_VOLUME:volume}\\\" in catalog."}
  353. [2016-12-07T10:45:31,518][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)."}
  354. [2016-12-07T10:45:31,518][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_WROTE_LABEL"=>"Wrote label to prelabeled Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE}\\\" \\(%{BACULA_DEVICEPATH}\\)"}
  355. [2016-12-07T10:45:31,519][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_MOUNT"=>"New volume \\\"%{BACULA_VOLUME:volume}\\\" mounted on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\) at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}."}
  356. [2016-12-07T10:45:31,519][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOOPEN"=>"\\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}"}
  357. [2016-12-07T10:45:31,527][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOOPENDIR"=>"\\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}"}
  358. [2016-12-07T10:45:31,527][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOSTAT"=>"\\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}"}
  359. [2016-12-07T10:45:31,527][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOJOBS"=>"There are no more Jobs associated with Volume \\\"%{BACULA_VOLUME:volume}\\\". Marking it purged."}
  360. [2016-12-07T10:45:31,528][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_ALL_RECORDS_PRUNED"=>"All records pruned from Volume \\\"%{BACULA_VOLUME:volume}\\\"; marking it \\\"Purged\\\""}
  361. [2016-12-07T10:45:31,528][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_BEGIN_PRUNE_JOBS"=>"Begin pruning Jobs older than %{INT} month %{INT} days ."}
  362. [2016-12-07T10:45:31,528][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_BEGIN_PRUNE_FILES"=>"Begin pruning Files."}
  363. [2016-12-07T10:45:31,528][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_PRUNED_JOBS"=>"Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog."}
  364. [2016-12-07T10:45:31,528][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_PRUNED_FILES"=>"Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog."}
  365. [2016-12-07T10:45:31,529][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_ENDPRUNE"=>"End auto prune."}
  366. [2016-12-07T10:45:31,529][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_STARTJOB"=>"Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}"}
  367. [2016-12-07T10:45:31,529][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_STARTRESTORE"=>"Start Restore Job %{BACULA_JOB:job}"}
  368. [2016-12-07T10:45:31,529][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_USEDEVICE"=>"Using Device \\\"%{BACULA_DEVICE:device}\\\""}
  369. [2016-12-07T10:45:31,529][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_DIFF_FS"=>"\\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it."}
  370. [2016-12-07T10:45:31,530][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_JOBEND"=>"Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second"}
  371. [2016-12-07T10:45:31,530][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRUNE_JOBS"=>"No Jobs found to prune."}
  372. [2016-12-07T10:45:31,530][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRUNE_FILES"=>"No Files found to prune."}
  373. [2016-12-07T10:45:31,530][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_VOLUME_PREVWRITTEN"=>"Volume \\\"%{BACULA_VOLUME:volume}\\\" previously written, moving to end of data."}
  374. [2016-12-07T10:45:31,530][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_READYAPPEND"=>"Ready to append to end of Volume \\\"%{BACULA_VOLUME:volume}\\\" size=%{INT}"}
  375. [2016-12-07T10:45:31,531][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_CANCELLING"=>"Cancelling duplicate JobId=%{INT}."}
  376. [2016-12-07T10:45:31,531][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MARKCANCEL"=>"JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled."}
  377. [2016-12-07T10:45:31,531][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_CLIENT_RBJ"=>"shell command: run ClientRunBeforeJob \\\"%{GREEDYDATA:runjob}\\\""}
  378. [2016-12-07T10:45:31,531][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_VSS"=>"(Generate )?VSS (Writer)?"}
  379. [2016-12-07T10:45:31,531][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MAXSTART"=>"Fatal error: Job canceled because max start delay time exceeded."}
  380. [2016-12-07T10:45:31,532][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_DUPLICATE"=>"Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed."}
  381. [2016-12-07T10:45:31,532][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOJOBSTAT"=>"Fatal error: No Job status returned from FD."}
  382. [2016-12-07T10:45:31,534][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_FATAL_CONN"=>"Fatal error: bsock.c:133 Unable to connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})"}
  383. [2016-12-07T10:45:31,536][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NO_CONNECT"=>"Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})"}
  384. [2016-12-07T10:45:31,536][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NO_AUTH"=>"Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:"}
  385. [2016-12-07T10:45:31,537][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOSUIT"=>"No prior or suitable Full backup found in catalog. Doing FULL backup."}
  386. [2016-12-07T10:45:31,537][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRIOR"=>"No prior Full backup Job record found."}
  387. [2016-12-07T10:45:31,537][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_JOB"=>"(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \\(%{BACULA_VERSION}\\):"}
  388. [2016-12-07T10:45:31,537][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOGLINE"=>"%{BACULA_TIMESTAMP:bts} %{BACULA_HOST:hostname} JobId %{INT:jobid}: (%{BACULA_LOG_MAX_CAPACITY}|%{BACULA_LOG_END_VOLUME}|%{BACULA_LOG_NEW_VOLUME}|%{BACULA_LOG_NEW_LABEL}|%{BACULA_LOG_WROTE_LABEL}|%{BACULA_LOG_NEW_MOUNT}|%{BACULA_LOG_NOOPEN}|%{BACULA_LOG_NOOPENDIR}|%{BACULA_LOG_NOSTAT}|%{BACULA_LOG_NOJOBS}|%{BACULA_LOG_ALL_RECORDS_PRUNED}|%{BACULA_LOG_BEGIN_PRUNE_JOBS}|%{BACULA_LOG_BEGIN_PRUNE_FILES}|%{BACULA_LOG_PRUNED_JOBS}|%{BACULA_LOG_PRUNED_FILES}|%{BACULA_LOG_ENDPRUNE}|%{BACULA_LOG_STARTJOB}|%{BACULA_LOG_STARTRESTORE}|%{BACULA_LOG_USEDEVICE}|%{BACULA_LOG_DIFF_FS}|%{BACULA_LOG_JOBEND}|%{BACULA_LOG_NOPRUNE_JOBS}|%{BACULA_LOG_NOPRUNE_FILES}|%{BACULA_LOG_VOLUME_PREVWRITTEN}|%{BACULA_LOG_READYAPPEND}|%{BACULA_LOG_CANCELLING}|%{BACULA_LOG_MARKCANCEL}|%{BACULA_LOG_CLIENT_RBJ}|%{BACULA_LOG_VSS}|%{BACULA_LOG_MAXSTART}|%{BACULA_LOG_DUPLICATE}|%{BACULA_LOG_NOJOBSTAT}|%{BACULA_LOG_FATAL_CONN}|%{BACULA_LOG_NO_CONNECT}|%{BACULA_LOG_NO_AUTH}|%{BACULA_LOG_NOSUIT}|%{BACULA_LOG_JOB}|%{BACULA_LOG_NOPRIOR})"}
  389. [2016-12-07T10:45:31,538][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_HTTP"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{INT:trans_depth}\\t%{GREEDYDATA:method}\\t%{GREEDYDATA:domain}\\t%{GREEDYDATA:uri}\\t%{GREEDYDATA:referrer}\\t%{GREEDYDATA:user_agent}\\t%{NUMBER:request_body_len}\\t%{NUMBER:response_body_len}\\t%{GREEDYDATA:status_code}\\t%{GREEDYDATA:status_msg}\\t%{GREEDYDATA:info_code}\\t%{GREEDYDATA:info_msg}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:bro_tags}\\t%{GREEDYDATA:username}\\t%{GREEDYDATA:password}\\t%{GREEDYDATA:proxied}\\t%{GREEDYDATA:orig_fuids}\\t%{GREEDYDATA:orig_mime_types}\\t%{GREEDYDATA:resp_fuids}\\t%{GREEDYDATA:resp_mime_types}"}
  390. [2016-12-07T10:45:31,539][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_DNS"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{INT:trans_id}\\t%{GREEDYDATA:query}\\t%{GREEDYDATA:qclass}\\t%{GREEDYDATA:qclass_name}\\t%{GREEDYDATA:qtype}\\t%{GREEDYDATA:qtype_name}\\t%{GREEDYDATA:rcode}\\t%{GREEDYDATA:rcode_name}\\t%{GREEDYDATA:AA}\\t%{GREEDYDATA:TC}\\t%{GREEDYDATA:RD}\\t%{GREEDYDATA:RA}\\t%{GREEDYDATA:Z}\\t%{GREEDYDATA:answers}\\t%{GREEDYDATA:TTLs}\\t%{GREEDYDATA:rejected}"}
  391. [2016-12-07T10:45:31,540][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_CONN"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{GREEDYDATA:service}\\t%{NUMBER:duration}\\t%{NUMBER:orig_bytes}\\t%{NUMBER:resp_bytes}\\t%{GREEDYDATA:conn_state}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:missed_bytes}\\t%{GREEDYDATA:history}\\t%{GREEDYDATA:orig_pkts}\\t%{GREEDYDATA:orig_ip_bytes}\\t%{GREEDYDATA:resp_pkts}\\t%{GREEDYDATA:resp_ip_bytes}\\t%{GREEDYDATA:tunnel_parents}"}
  392. [2016-12-07T10:45:31,540][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_FILES"=>"%{NUMBER:ts}\\t%{NOTSPACE:fuid}\\t%{IP:tx_hosts}\\t%{IP:rx_hosts}\\t%{NOTSPACE:conn_uids}\\t%{GREEDYDATA:source}\\t%{GREEDYDATA:depth}\\t%{GREEDYDATA:analyzers}\\t%{GREEDYDATA:mime_type}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:duration}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:is_orig}\\t%{GREEDYDATA:seen_bytes}\\t%{GREEDYDATA:total_bytes}\\t%{GREEDYDATA:missing_bytes}\\t%{GREEDYDATA:overflow_bytes}\\t%{GREEDYDATA:timedout}\\t%{GREEDYDATA:parent_fuid}\\t%{GREEDYDATA:md5}\\t%{GREEDYDATA:sha1}\\t%{GREEDYDATA:sha256}\\t%{GREEDYDATA:extracted}"}
  393. [2016-12-07T10:45:31,540][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_MSGID"=>"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"}
  394. [2016-12-07T10:45:31,540][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_FLAGS"=>"(<=|[-=>*]>|[*]{2}|==)"}
  395. [2016-12-07T10:45:31,541][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_DATE"=>"%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}"}
  396. [2016-12-07T10:45:31,541][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_PID"=>"\\[%{POSINT}\\]"}
  397. [2016-12-07T10:45:31,541][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_QT"=>"((\\d+y)?(\\d+w)?(\\d+d)?(\\d+h)?(\\d+m)?(\\d+s)?)"}
  398. [2016-12-07T10:45:31,541][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_EXCLUDE_TERMS"=>"(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)"}
  399. [2016-12-07T10:45:31,541][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_REMOTE_HOST"=>"(H=(%{NOTSPACE:remote_hostname} )?(\\(%{NOTSPACE:remote_heloname}\\) )?\\[%{IP:remote_host}\\])"}
  400. [2016-12-07T10:45:31,542][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_INTERFACE"=>"(I=\\[%{IP:exim_interface}\\](:%{NUMBER:exim_interface_port}))"}
  401. [2016-12-07T10:45:31,542][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_PROTOCOL"=>"(P=%{NOTSPACE:protocol})"}
  402. [2016-12-07T10:45:31,543][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_MSG_SIZE"=>"(S=%{NUMBER:exim_msg_size})"}
  403. [2016-12-07T10:45:31,543][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_HEADER_ID"=>"(id=%{NOTSPACE:exim_header_id})"}
  404. [2016-12-07T10:45:31,543][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_SUBJECT"=>"(T=%{QS:exim_subject})"}
  405. [2016-12-07T10:45:31,547][DEBUG][logstash.filters.grok    ] Adding pattern {"NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}"}
  406. [2016-12-07T10:45:31,547][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_TAGGED_SYSLOG"=>"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:"}
  407. [2016-12-07T10:45:31,548][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOTIMESTAMP"=>"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}"}
  408. [2016-12-07T10:45:31,548][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOTAG"=>"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)"}
  409. [2016-12-07T10:45:31,548][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_ACTION"=>"Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted"}
  410. [2016-12-07T10:45:31,550][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_REASON"=>"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\\s*)*"}
  411. [2016-12-07T10:45:31,550][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_DIRECTION"=>"Inbound|inbound|Outbound|outbound"}
  412. [2016-12-07T10:45:31,551][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_INTERVAL"=>"first hit|%{INT}-second interval"}
  413. [2016-12-07T10:45:31,551][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_XLATE_TYPE"=>"static|dynamic"}
  414. [2016-12-07T10:45:31,551][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104001"=>"\\((?:Primary|Secondary)\\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}"}
  415. [2016-12-07T10:45:31,552][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104002"=>"\\((?:Primary|Secondary)\\) Switching to STANDBY - %{GREEDYDATA:switch_reason}"}
  416. [2016-12-07T10:45:31,552][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104003"=>"\\((?:Primary|Secondary)\\) Switching to FAILED\\."}
  417. [2016-12-07T10:45:31,552][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104004"=>"\\((?:Primary|Secondary)\\) Switching to OK\\."}
  418. [2016-12-07T10:45:31,552][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105003"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting"}
  419. [2016-12-07T10:45:31,552][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105004"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal"}
  420. [2016-12-07T10:45:31,552][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105005"=>"\\((?:Primary|Secondary)\\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}"}
  421. [2016-12-07T10:45:31,553][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105008"=>"\\((?:Primary|Secondary)\\) Testing [Ii]nterface %{GREEDYDATA:interface_name}"}
  422. [2016-12-07T10:45:31,553][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105009"=>"\\((?:Primary|Secondary)\\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)"}
  423. [2016-12-07T10:45:31,553][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106001"=>"%{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}"}
  424. [2016-12-07T10:45:31,553][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106006_106007_106010"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\\(%{DATA:src_fwuser}\\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\\(%{DATA:dst_fwuser}\\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})"}
  425. [2016-12-07T10:45:31,553][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106014"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\\(%{DATA:dst_fwuser}\\))? \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\)"}
  426. [2016-12-07T10:45:31,554][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106015"=>"%{CISCO_ACTION:action} %{WORD:protocol} \\(%{DATA:policy_id}\\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags}  on interface %{GREEDYDATA:interface}"}
  427. [2016-12-07T10:45:31,554][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106021"=>"%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}"}
  428. [2016-12-07T10:45:31,554][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106023"=>"%{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\\(%{DATA:dst_fwuser}\\))?( \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\))? by access-group \"?%{DATA:policy_id}\"? \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  429. [2016-12-07T10:45:31,554][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106100_2_3"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\) -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  430. [2016-12-07T10:45:31,554][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106100"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\)(\\(%{DATA:src_fwuser}\\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\)(\\(%{DATA:src_fwuser}\\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  431. [2016-12-07T10:45:31,555][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW110002"=>"%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}"}
  432. [2016-12-07T10:45:31,555][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302010"=>"%{INT:connection_count} in use, %{INT:connection_count_max} most used"}
  433. [2016-12-07T10:45:31,555][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302013_302014_302015_302016"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\\))?(\\(%{DATA:src_fwuser}\\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\\))?(\\(%{DATA:dst_fwuser}\\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \\(%{DATA:user}\\))?"}
  434. [2016-12-07T10:45:31,555][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302020_302021"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\\(%{DATA:fwuser}\\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \\(%{DATA:user}\\))?"}
  435. [2016-12-07T10:45:31,555][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW305011"=>"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}"}
  436. [2016-12-07T10:45:31,556][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW313001_313004_313008"=>"%{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?"}
  437. [2016-12-07T10:45:31,556][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW313005"=>"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\\(%{DATA:err_src_fwuser}\\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\\(%{DATA:err_dst_fwuser}\\))? \\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\\) on %{DATA:interface} interface\\.  Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\\(%{DATA:orig_src_fwuser}\\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\\(%{DATA:orig_dst_fwuser}\\))?"}
  438. [2016-12-07T10:45:31,556][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW321001"=>"Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system"}
  439. [2016-12-07T10:45:31,556][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW402117"=>"%{WORD:protocol}: Received a non-IPSec packet \\(protocol= %{WORD:orig_protocol}\\) from %{IP:src_ip} to %{IP:dst_ip}"}
  440. [2016-12-07T10:45:31,556][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW402119"=>"%{WORD:protocol}: Received an %{WORD:orig_protocol} packet \\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\\) from %{IP:src_ip} \\(user= %{DATA:user}\\) to %{IP:dst_ip} that failed anti-replay checking"}
  441. [2016-12-07T10:45:31,557][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW419001"=>"%{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}"}
  442. [2016-12-07T10:45:31,557][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW419002"=>"%{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number"}
  443. [2016-12-07T10:45:31,557][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW500004"=>"%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}"}
  444. [2016-12-07T10:45:31,557][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW602303_602304"=>"%{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \\(SPI= %{DATA:spi}\\) between %{IP:src_ip} and %{IP:dst_ip} \\(user= %{DATA:user}\\) has been %{CISCO_ACTION:action}"}
  445. [2016-12-07T10:45:31,557][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW710001_710002_710003_710005_710006"=>"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}"}
  446. [2016-12-07T10:45:31,558][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW713172"=>"Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\\s+Remote end\\s*%{DATA:is_remote_natted}\\s*behind a NAT device\\s+This\\s+end\\s*%{DATA:is_local_natted}\\s*behind a NAT device"}
  447. [2016-12-07T10:45:31,558][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW733100"=>"\\[\\s*%{DATA:drop_type}\\s*\\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}"}
  448. [2016-12-07T10:45:31,558][DEBUG][logstash.filters.grok    ] Adding pattern {"SHOREWALL"=>"(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)"}
  449. [2016-12-07T10:45:31,559][DEBUG][logstash.filters.grok    ] Adding pattern {"USERNAME"=>"[a-zA-Z0-9._-]+"}
  450. [2016-12-07T10:45:31,559][DEBUG][logstash.filters.grok    ] Adding pattern {"USER"=>"%{USERNAME}"}
  451. [2016-12-07T10:45:31,559][DEBUG][logstash.filters.grok    ] Adding pattern {"EMAILLOCALPART"=>"[a-zA-Z][a-zA-Z0-9_.+-=:]+"}
  452. [2016-12-07T10:45:31,559][DEBUG][logstash.filters.grok    ] Adding pattern {"EMAILADDRESS"=>"%{EMAILLOCALPART}@%{HOSTNAME}"}
  453. [2016-12-07T10:45:31,559][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDUSER"=>"%{EMAILADDRESS}|%{USER}"}
  454. [2016-12-07T10:45:31,559][DEBUG][logstash.filters.grok    ] Adding pattern {"INT"=>"(?:[+-]?(?:[0-9]+))"}
  455. [2016-12-07T10:45:31,560][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))"}
  456. [2016-12-07T10:45:31,560][DEBUG][logstash.filters.grok    ] Adding pattern {"NUMBER"=>"(?:%{BASE10NUM})"}
  457. [2016-12-07T10:45:31,560][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))"}
  458. [2016-12-07T10:45:31,560][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b"}
  459. [2016-12-07T10:45:31,560][DEBUG][logstash.filters.grok    ] Adding pattern {"POSINT"=>"\\b(?:[1-9][0-9]*)\\b"}
  460. [2016-12-07T10:45:31,560][DEBUG][logstash.filters.grok    ] Adding pattern {"NONNEGINT"=>"\\b(?:[0-9]+)\\b"}
  461. [2016-12-07T10:45:31,561][DEBUG][logstash.filters.grok    ] Adding pattern {"WORD"=>"\\b\\w+\\b"}
  462. [2016-12-07T10:45:31,561][DEBUG][logstash.filters.grok    ] Adding pattern {"NOTSPACE"=>"\\S+"}
  463. [2016-12-07T10:45:31,561][DEBUG][logstash.filters.grok    ] Adding pattern {"SPACE"=>"\\s*"}
  464. [2016-12-07T10:45:31,561][DEBUG][logstash.filters.grok    ] Adding pattern {"DATA"=>".*?"}
  465. [2016-12-07T10:45:31,561][DEBUG][logstash.filters.grok    ] Adding pattern {"GREEDYDATA"=>".*"}
  466. [2016-12-07T10:45:31,562][DEBUG][logstash.filters.grok    ] Adding pattern {"QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))"}
  467. [2016-12-07T10:45:31,562][DEBUG][logstash.filters.grok    ] Adding pattern {"UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}"}
  468. [2016-12-07T10:45:31,562][DEBUG][logstash.filters.grok    ] Adding pattern {"URN"=>"urn:[0-9A-Za-z][0-9A-Za-z-]{0,31}:(?:%[0-9a-fA-F]{2}|[0-9A-Za-z()+,.:=@;$_!*'/?#-])+"}
  469. [2016-12-07T10:45:31,562][DEBUG][logstash.filters.grok    ] Adding pattern {"MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})"}
  470. [2016-12-07T10:45:31,562][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})"}
  471. [2016-12-07T10:45:31,562][DEBUG][logstash.filters.grok    ] Adding pattern {"WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})"}
  472. [2016-12-07T10:45:31,564][DEBUG][logstash.filters.grok    ] Adding pattern {"COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})"}
  473. [2016-12-07T10:45:31,564][DEBUG][logstash.filters.grok    ] Adding pattern {"IPV6"=>"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?"}
  474. [2016-12-07T10:45:31,564][DEBUG][logstash.filters.grok    ] Adding pattern {"IPV4"=>"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"}
  475. [2016-12-07T10:45:31,564][DEBUG][logstash.filters.grok    ] Adding pattern {"IP"=>"(?:%{IPV6}|%{IPV4})"}
  476. [2016-12-07T10:45:31,564][DEBUG][logstash.filters.grok    ] Adding pattern {"HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"}
  477. [2016-12-07T10:45:31,565][DEBUG][logstash.filters.grok    ] Adding pattern {"IPORHOST"=>"(?:%{IP}|%{HOSTNAME})"}
  478. [2016-12-07T10:45:31,565][DEBUG][logstash.filters.grok    ] Adding pattern {"HOSTPORT"=>"%{IPORHOST}:%{POSINT}"}
  479. [2016-12-07T10:45:31,565][DEBUG][logstash.filters.grok    ] Adding pattern {"PATH"=>"(?:%{UNIXPATH}|%{WINPATH})"}
  480. [2016-12-07T10:45:31,565][DEBUG][logstash.filters.grok    ] Adding pattern {"UNIXPATH"=>"(/([\\w_%!$@:.,+~-]+|\\\\.)*)+"}
  481. [2016-12-07T10:45:31,565][DEBUG][logstash.filters.grok    ] Adding pattern {"TTY"=>"(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))"}
  482. [2016-12-07T10:45:31,565][DEBUG][logstash.filters.grok    ] Adding pattern {"WINPATH"=>"(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+"}
  483. [2016-12-07T10:45:31,566][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?"}
  484. [2016-12-07T10:45:31,566][DEBUG][logstash.filters.grok    ] Adding pattern {"URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?"}
  485. [2016-12-07T10:45:31,566][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\\-]*)+"}
  486. [2016-12-07T10:45:31,566][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*"}
  487. [2016-12-07T10:45:31,566][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?"}
  488. [2016-12-07T10:45:31,566][DEBUG][logstash.filters.grok    ] Adding pattern {"URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?"}
  489. [2016-12-07T10:45:31,567][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTH"=>"\\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\\b"}
  490. [2016-12-07T10:45:31,567][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHNUM"=>"(?:0?[1-9]|1[0-2])"}
  491. [2016-12-07T10:45:31,567][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHNUM2"=>"(?:0[1-9]|1[0-2])"}
  492. [2016-12-07T10:45:31,567][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])"}
  493. [2016-12-07T10:45:31,568][DEBUG][logstash.filters.grok    ] Adding pattern {"DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)"}
  494. [2016-12-07T10:45:31,568][DEBUG][logstash.filters.grok    ] Adding pattern {"YEAR"=>"(?>\\d\\d){1,2}"}
  495. [2016-12-07T10:45:31,568][DEBUG][logstash.filters.grok    ] Adding pattern {"HOUR"=>"(?:2[0123]|[01]?[0-9])"}
  496. [2016-12-07T10:45:31,568][DEBUG][logstash.filters.grok    ] Adding pattern {"MINUTE"=>"(?:[0-5][0-9])"}
  497. [2016-12-07T10:45:31,568][DEBUG][logstash.filters.grok    ] Adding pattern {"SECOND"=>"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)"}
  498. [2016-12-07T10:45:31,569][DEBUG][logstash.filters.grok    ] Adding pattern {"TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])"}
  499. [2016-12-07T10:45:31,569][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}"}
  500. [2016-12-07T10:45:31,569][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE_EU"=>"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}"}
  501. [2016-12-07T10:45:31,569][DEBUG][logstash.filters.grok    ] Adding pattern {"ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))"}
  502. [2016-12-07T10:45:31,569][DEBUG][logstash.filters.grok    ] Adding pattern {"ISO8601_SECOND"=>"(?:%{SECOND}|60)"}
  503. [2016-12-07T10:45:31,569][DEBUG][logstash.filters.grok    ] Adding pattern {"TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?"}
  504. [2016-12-07T10:45:31,570][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE"=>"%{DATE_US}|%{DATE_EU}"}
  505. [2016-12-07T10:45:31,570][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP"=>"%{DATE}[- ]%{TIME}"}
  506. [2016-12-07T10:45:31,570][DEBUG][logstash.filters.grok    ] Adding pattern {"TZ"=>"(?:[APMCE][SD]T|UTC)"}
  507. [2016-12-07T10:45:31,570][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}"}
  508. [2016-12-07T10:45:31,570][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_RFC2822"=>"%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}"}
  509. [2016-12-07T10:45:31,570][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}"}
  510. [2016-12-07T10:45:31,570][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_EVENTLOG"=>"%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}"}
  511. [2016-12-07T10:45:31,571][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDERROR_DATE"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"}
  512. [2016-12-07T10:45:31,571][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}"}
  513. [2016-12-07T10:45:31,571][DEBUG][logstash.filters.grok    ] Adding pattern {"PROG"=>"[\\x21-\\x5a\\x5c\\x5e-\\x7e]+"}
  514. [2016-12-07T10:45:31,571][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?"}
  515. [2016-12-07T10:45:31,571][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGHOST"=>"%{IPORHOST}"}
  516. [2016-12-07T10:45:31,571][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>"}
  517. [2016-12-07T10:45:31,572][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}"}
  518. [2016-12-07T10:45:31,572][DEBUG][logstash.filters.grok    ] Adding pattern {"QS"=>"%{QUOTEDSTRING}"}
  519. [2016-12-07T10:45:31,572][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:"}
  520. [2016-12-07T10:45:31,573][DEBUG][logstash.filters.grok    ] Adding pattern {"COMMONAPACHELOG"=>"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"}
  521. [2016-12-07T10:45:31,573][DEBUG][logstash.filters.grok    ] Adding pattern {"COMBINEDAPACHELOG"=>"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}"}
  522. [2016-12-07T10:45:31,573][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD20_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}"}
  523. [2016-12-07T10:45:31,573][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD24_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}"}
  524. [2016-12-07T10:45:31,573][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD_ERRORLOG"=>"%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}"}
  525. [2016-12-07T10:45:31,574][DEBUG][logstash.filters.grok    ] Adding pattern {"LOGLEVEL"=>"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)"}
  526. [2016-12-07T10:45:31,574][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])"}
  527. [2016-12-07T10:45:31,574][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}"}
  528. [2016-12-07T10:45:31,575][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}"}
  529. [2016-12-07T10:45:31,575][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}"}
  530. [2016-12-07T10:45:31,575][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYHTTPBASE"=>"%{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\""}
  531. [2016-12-07T10:45:31,575][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYHTTP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}"}
  532. [2016-12-07T10:45:31,576][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYTCP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}"}
  533. [2016-12-07T10:45:31,576][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVACLASS"=>"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\\.)*[a-zA-Z$_][a-zA-Z$_0-9]*"}
  534. [2016-12-07T10:45:31,576][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAFILE"=>"(?:[A-Za-z0-9_. -]+)"}
  535. [2016-12-07T10:45:31,576][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAMETHOD"=>"(?:(<(?:cl)?init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)"}
  536. [2016-12-07T10:45:31,576][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVASTACKTRACEPART"=>"%{SPACE}at %{JAVACLASS:class}\\.%{JAVAMETHOD:method}\\(%{JAVAFILE:file}(?::%{NUMBER:line})?\\)"}
  537. [2016-12-07T10:45:31,577][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVATHREAD"=>"(?:[A-Z]{2}-Processor[\\d]+)"}
  538. [2016-12-07T10:45:31,577][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9$]+"}
  539. [2016-12-07T10:45:31,577][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)"}
  540. [2016-12-07T10:45:31,577][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)"}
  541. [2016-12-07T10:45:31,577][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVALOGMESSAGE"=>"(.*)"}
  542. [2016-12-07T10:45:31,577][DEBUG][logstash.filters.grok    ] Adding pattern {"CATALINA_DATESTAMP"=>"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)"}
  543. [2016-12-07T10:45:31,578][DEBUG][logstash.filters.grok    ] Adding pattern {"TOMCAT_DATESTAMP"=>"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}"}
  544. [2016-12-07T10:45:31,578][DEBUG][logstash.filters.grok    ] Adding pattern {"CATALINALOG"=>"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}"}
  545. [2016-12-07T10:45:31,578][DEBUG][logstash.filters.grok    ] Adding pattern {"TOMCATLOG"=>"%{TOMCAT_DATESTAMP:timestamp} \\| %{LOGLEVEL:level} \\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}"}
  546. [2016-12-07T10:45:31,578][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW_EVENT"=>"(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)"}
  547. [2016-12-07T10:45:31,579][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW1"=>"%{RT_FLOW_EVENT:event}: %{GREEDYDATA:close-reason}: %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} \\d+\\(%{DATA:sent}\\) \\d+\\(%{DATA:received}\\) %{INT:elapsed-time} .*"}
  548. [2016-12-07T10:45:31,579][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW2"=>"%{RT_FLOW_EVENT:event}: session created %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} .*"}
  549. [2016-12-07T10:45:31,579][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW3"=>"%{RT_FLOW_EVENT:event}: session denied %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{INT:protocol-id}\\(\\d\\) %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} .*"}
  550. [2016-12-07T10:45:31,580][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424PRINTASCII"=>"[!-~]+"}
  551. [2016-12-07T10:45:31,580][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)"}
  552. [2016-12-07T10:45:31,580][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?"}
  553. [2016-12-07T10:45:31,580][DEBUG][logstash.filters.grok    ] Adding pattern {"CRON_ACTION"=>"[A-Z ]+"}
  554. [2016-12-07T10:45:31,580][DEBUG][logstash.filters.grok    ] Adding pattern {"CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)"}
  555. [2016-12-07T10:45:31,580][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}"}
  556. [2016-12-07T10:45:31,581][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424PRI"=>"<%{NONNEGINT:syslog5424_pri}>"}
  557. [2016-12-07T10:45:31,581][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424SD"=>"\\[%{DATA}\\]+"}
  558. [2016-12-07T10:45:31,581][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424BASE"=>"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)"}
  559. [2016-12-07T10:45:31,581][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424LINE"=>"%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}"}
  560. [2016-12-07T10:45:31,582][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:"}
  561. [2016-12-07T10:45:31,582][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVE"=>"., \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\]%{SPACE}%{LOGLEVEL:event_level}"}
  562. [2016-12-07T10:45:31,582][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:"}
  563. [2016-12-07T10:45:31,583][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_LOG"=>"%{SYSLOGTIMESTAMP:timestamp} \\[%{WORD:component}\\] %{GREEDYDATA:message}"}
  564. [2016-12-07T10:45:31,583][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_QUERY"=>"\\{ (?<={ ).*(?= } ntoreturn:) \\}"}
  565. [2016-12-07T10:45:31,583][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_SLOWQUERY"=>"%{WORD} %{MONGO_WORDDASH:database}\\.%{MONGO_WORDDASH:collection} %{WORD}: %{MONGO_QUERY:query} %{WORD}:%{NONNEGINT:ntoreturn} %{WORD}:%{NONNEGINT:ntoskip} %{WORD}:%{NONNEGINT:nscanned}.*nreturned:%{NONNEGINT:nreturned}..+ (?<duration>[0-9]+)ms"}
  566. [2016-12-07T10:45:31,583][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_WORDDASH"=>"\\b[\\w-]+\\b"}
  567. [2016-12-07T10:45:31,583][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_SEVERITY"=>"\\w"}
  568. [2016-12-07T10:45:31,584][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_COMPONENT"=>"%{WORD}|-"}
  569. [2016-12-07T10:45:31,584][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\\[%{DATA:context}\\])? %{GREEDYDATA:message}"}
  570. [2016-12-07T10:45:31,584][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]"}
  571. [2016-12-07T10:45:31,584][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE"}
  572. [2016-12-07T10:45:31,585][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE"}
  573. [2016-12-07T10:45:31,585][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION"}
  574. [2016-12-07T10:45:31,585][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION"}
  575. [2016-12-07T10:45:31,585][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT"}
  576. [2016-12-07T10:45:31,585][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT"}
  577. [2016-12-07T10:45:31,585][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT"}
  578. [2016-12-07T10:45:31,586][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT"}
  579. [2016-12-07T10:45:31,586][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT"}
  580. [2016-12-07T10:45:31,586][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT"}
  581. [2016-12-07T10:45:31,586][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK"}
  582. [2016-12-07T10:45:31,586][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK"}
  583. [2016-12-07T10:45:31,586][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER"}
  584. [2016-12-07T10:45:31,587][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER"}
  585. [2016-12-07T10:45:31,587][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND"}
  586. [2016-12-07T10:45:31,587][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION"}
  587. [2016-12-07T10:45:31,587][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK"}
  588. [2016-12-07T10:45:31,587][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK"}
  589. [2016-12-07T10:45:31,587][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK"}
  590. [2016-12-07T10:45:31,588][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK"}
  591. [2016-12-07T10:45:31,588][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT"}
  592. [2016-12-07T10:45:31,588][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT"}
  593. [2016-12-07T10:45:31,588][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME"}
  594. [2016-12-07T10:45:31,588][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME"}
  595. [2016-12-07T10:45:31,588][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS"=>"DISABLE_HOST_SVC_NOTIFICATIONS"}
  596. [2016-12-07T10:45:31,588][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS"=>"ENABLE_HOST_SVC_NOTIFICATIONS"}
  597. [2016-12-07T10:45:31,589][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS"=>"DISABLE_HOST_NOTIFICATIONS"}
  598. [2016-12-07T10:45:31,589][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS"=>"ENABLE_HOST_NOTIFICATIONS"}
  599. [2016-12-07T10:45:31,589][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS"=>"DISABLE_SVC_NOTIFICATIONS"}
  600. [2016-12-07T10:45:31,589][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS"=>"ENABLE_SVC_NOTIFICATIONS"}
  601. [2016-12-07T10:45:31,589][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}"}
  602. [2016-12-07T10:45:31,589][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}"}
  603. [2016-12-07T10:45:31,590][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}"}
  604. [2016-12-07T10:45:31,590][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}"}
  605. [2016-12-07T10:45:31,590][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}"}
  606. [2016-12-07T10:45:31,590][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}"}
  607. [2016-12-07T10:45:31,590][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}"}
  608. [2016-12-07T10:45:31,591][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}"}
  609. [2016-12-07T10:45:31,591][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}"}
  610. [2016-12-07T10:45:31,591][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  611. [2016-12-07T10:45:31,591][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  612. [2016-12-07T10:45:31,591][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  613. [2016-12-07T10:45:31,592][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  614. [2016-12-07T10:45:31,592][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}"}
  615. [2016-12-07T10:45:31,592][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}"}
  616. [2016-12-07T10:45:31,593][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}"}
  617. [2016-12-07T10:45:31,593][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}"}
  618. [2016-12-07T10:45:31,593][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}"}
  619. [2016-12-07T10:45:31,593][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}"}
  620. [2016-12-07T10:45:31,593][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}"}
  621. [2016-12-07T10:45:31,594][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}"}
  622. [2016-12-07T10:45:31,594][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}"}
  623. [2016-12-07T10:45:31,594][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  624. [2016-12-07T10:45:31,594][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  625. [2016-12-07T10:45:31,594][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}"}
  626. [2016-12-07T10:45:31,595][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  627. [2016-12-07T10:45:31,595][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  628. [2016-12-07T10:45:31,595][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}"}
  629. [2016-12-07T10:45:31,595][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}"}
  630. [2016-12-07T10:45:31,595][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME}|%{NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS})"}
  631. [2016-12-07T10:45:31,596][DEBUG][logstash.filters.grok    ] Adding pattern {"POSTGRESQL"=>"%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}"}
  632. [2016-12-07T10:45:31,596][DEBUG][logstash.filters.grok    ] Adding pattern {"RUUID"=>"\\h{32}"}
  633. [2016-12-07T10:45:31,597][DEBUG][logstash.filters.grok    ] Adding pattern {"RCONTROLLER"=>"(?<controller>[^#]+)#(?<action>\\w+)"}
  634. [2016-12-07T10:45:31,597][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3HEAD"=>"(?m)Started %{WORD:verb} \"%{URIPATHPARAM:request}\" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})"}
  635. [2016-12-07T10:45:31,597][DEBUG][logstash.filters.grok    ] Adding pattern {"RPROCESSING"=>"\\W*Processing by %{RCONTROLLER} as (?<format>\\S+)(?:\\W*Parameters: {%{DATA:params}}\\W*)?"}
  636. [2016-12-07T10:45:31,597][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3FOOT"=>"Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}"}
  637. [2016-12-07T10:45:31,597][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3PROFILE"=>"(?:\\(Views: %{NUMBER:viewms}ms \\| ActiveRecord: %{NUMBER:activerecordms}ms|\\(ActiveRecord: %{NUMBER:activerecordms}ms)?"}
  638. [2016-12-07T10:45:31,597][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3"=>"%{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\\n)*)(?:%{RAILS3FOOT})?"}
  639. [2016-12-07T10:45:31,598][DEBUG][logstash.filters.grok    ] Adding pattern {"REDISTIMESTAMP"=>"%{MONTHDAY} %{MONTH} %{TIME}"}
  640. [2016-12-07T10:45:31,598][DEBUG][logstash.filters.grok    ] Adding pattern {"REDISLOG"=>"\\[%{POSINT:pid}\\] %{REDISTIMESTAMP:timestamp} \\* "}
  641. [2016-12-07T10:45:31,598][DEBUG][logstash.filters.grok    ] Adding pattern {"RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)"}
  642. [2016-12-07T10:45:31,599][DEBUG][logstash.filters.grok    ] Adding pattern {"RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}"}
  643. [2016-12-07T10:45:31,600][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent})
  644. [2016-12-07T10:45:31,600][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-))
  645. [2016-12-07T10:45:31,600][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<IPORHOST:clientip>(?:%{IP}|%{HOSTNAME}))
  646. [2016-12-07T10:45:31,600][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:%{IPV6}|%{IPV4}))
  647. [2016-12-07T10:45:31,600][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)
  648. [2016-12-07T10:45:31,601][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))
  649. [2016-12-07T10:45:31,601][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))
  650. [2016-12-07T10:45:31,601][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<HTTPDUSER:ident>%{EMAILADDRESS}|%{USER})
  651. [2016-12-07T10:45:31,601][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{EMAILLOCALPART}@%{HOSTNAME})
  652. [2016-12-07T10:45:31,602][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:[a-zA-Z][a-zA-Z0-9_.+-=:]+)
  653. [2016-12-07T10:45:31,602][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))
  654. [2016-12-07T10:45:31,603][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{USERNAME})
  655. [2016-12-07T10:45:31,603][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:[a-zA-Z0-9._-]+)
  656. [2016-12-07T10:45:31,603][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<USER:auth>%{USERNAME})
  657. [2016-12-07T10:45:31,603][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:[a-zA-Z0-9._-]+)
  658. [2016-12-07T10:45:31,604][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<HTTPDATE:timestamp>%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT})
  659. [2016-12-07T10:45:31,604][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))
  660. [2016-12-07T10:45:31,604][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b)
  661. [2016-12-07T10:45:31,604][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?>\d\d){1,2})
  662. [2016-12-07T10:45:31,605][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9]))
  663. [2016-12-07T10:45:31,605][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:2[0123]|[01]?[0-9]))
  664. [2016-12-07T10:45:31,605][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:[0-5][0-9]))
  665. [2016-12-07T10:45:31,605][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))
  666. [2016-12-07T10:45:31,605][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:[+-]?(?:[0-9]+)))
  667. [2016-12-07T10:45:31,606][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<WORD:verb>\b\w+\b)
  668. [2016-12-07T10:45:31,606][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NOTSPACE:request>\S+)
  669. [2016-12-07T10:45:31,606][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NUMBER:httpversion>(?:%{BASE10NUM}))
  670. [2016-12-07T10:45:31,606][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))
  671. [2016-12-07T10:45:31,606][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<DATA:rawrequest>.*?)
  672. [2016-12-07T10:45:31,607][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NUMBER:response>(?:%{BASE10NUM}))
  673. [2016-12-07T10:45:31,607][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))
  674. [2016-12-07T10:45:31,607][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NUMBER:bytes>(?:%{BASE10NUM}))
  675. [2016-12-07T10:45:31,607][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))
  676. [2016-12-07T10:45:31,608][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<QS:referrer>%{QUOTEDSTRING})
  677. [2016-12-07T10:45:31,608][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``)))
  678. [2016-12-07T10:45:31,608][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<QS:agent>%{QUOTEDSTRING})
  679. [2016-12-07T10:45:31,608][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``)))
  680. [2016-12-07T10:45:31,612][DEBUG][logstash.filters.grok    ] Grok compiled OK {:pattern=>"%{COMBINEDAPACHELOG}", :expanded_pattern=>"(?:(?:(?<IPORHOST:clientip>(?:(?:(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)))) (?<HTTPDUSER:ident>(?:(?:[a-zA-Z][a-zA-Z0-9_.+-=:]+)@(?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)))|(?:(?:[a-zA-Z0-9._-]+))) (?<USER:auth>(?:[a-zA-Z0-9._-]+)) \\[(?<HTTPDATE:timestamp>(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))/(?:\\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\\b)/(?:(?>\\d\\d){1,2}):(?:(?!<[0-9])(?:(?:2[0123]|[01]?[0-9])):(?:(?:[0-5][0-9]))(?::(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9])) (?:(?:[+-]?(?:[0-9]+))))\\] \"(?:(?<WORD:verb>\\b\\w+\\b) (?<NOTSPACE:request>\\S+)(?: HTTP/(?<NUMBER:httpversion>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))))))?|(?<DATA:rawrequest>.*?))\" (?<NUMBER:response>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))))) (?:(?<NUMBER:bytes>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+))))))|-)) (?<QS:referrer>(?:(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``)))) (?<QS:agent>(?:(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``)))))"}
  681. [2016-12-07T10:45:31,614][WARN ][logstash.filters.date    ] Date filter now use BCP47 format for locale, replacing underscore with dash
  682. [2016-12-07T10:45:31,625][DEBUG][logstash.filters.date    ] Adding type with date config {:type=>nil, :field=>"timestamp", :format=>"dd/MMM/yyyy:HH:mm:ss Z"}
  683. [2016-12-07T10:45:31,626][DEBUG][logstash.filters.grok    ] Grok patterns path {:paths=>["/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-4.0.2/patterns", "/usr/share/logstash/patterns/*"]}
  684. [2016-12-07T10:45:31,627][DEBUG][logstash.filters.grok    ] Grok patterns path {:paths=>[]}
  685. [2016-12-07T10:45:31,627][DEBUG][logstash.filters.grok    ] Match data {:match=>{"message"=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\\[%{POSINT:syslog_pid}\\])?: %{GREEDYDATA:syslog_message}"}}
  686. [2016-12-07T10:45:31,627][DEBUG][logstash.filters.grok    ] regexp: /message {:pattern=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\\[%{POSINT:syslog_pid}\\])?: %{GREEDYDATA:syslog_message}"}
  687. [2016-12-07T10:45:31,628][DEBUG][logstash.filters.grok    ] Adding pattern {"S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"}
  688. [2016-12-07T10:45:31,628][DEBUG][logstash.filters.grok    ] Adding pattern {"S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \\[%{HTTPDATE:timestamp}\\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:\"%{S3_REQUEST_LINE}\"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:\"?%{QS:agent}\"?|-) (?:-|%{NOTSPACE:version_id})"}
  689. [2016-12-07T10:45:31,629][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?"}
  690. [2016-12-07T10:45:31,629][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?"}
  691. [2016-12-07T10:45:31,629][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"}
  692. [2016-12-07T10:45:31,629][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} \"%{ELB_REQUEST_LINE}\""}
  693. [2016-12-07T10:45:31,629][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}"}
  694. [2016-12-07T10:45:31,630][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_HOST"=>"[a-zA-Z0-9-]+"}
  695. [2016-12-07T10:45:31,630][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_VOLUME"=>"%{USER}"}
  696. [2016-12-07T10:45:31,630][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_DEVICE"=>"%{USER}"}
  697. [2016-12-07T10:45:31,630][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_DEVICEPATH"=>"%{UNIXPATH}"}
  698. [2016-12-07T10:45:31,630][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*"}
  699. [2016-12-07T10:45:31,630][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_VERSION"=>"%{USER}"}
  700. [2016-12-07T10:45:31,630][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_JOB"=>"%{USER}"}
  701. [2016-12-07T10:45:31,631][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)"}
  702. [2016-12-07T10:45:31,631][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_END_VOLUME"=>"End of medium on Volume \\\"%{BACULA_VOLUME:volume}\\\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}."}
  703. [2016-12-07T10:45:31,631][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_VOLUME"=>"Created new Volume \\\"%{BACULA_VOLUME:volume}\\\" in catalog."}
  704. [2016-12-07T10:45:31,631][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)."}
  705. [2016-12-07T10:45:31,631][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_WROTE_LABEL"=>"Wrote label to prelabeled Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE}\\\" \\(%{BACULA_DEVICEPATH}\\)"}
  706. [2016-12-07T10:45:31,632][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_MOUNT"=>"New volume \\\"%{BACULA_VOLUME:volume}\\\" mounted on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\) at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}."}
  707. [2016-12-07T10:45:31,632][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOOPEN"=>"\\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}"}
  708. [2016-12-07T10:45:31,632][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOOPENDIR"=>"\\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}"}
  709. [2016-12-07T10:45:31,632][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOSTAT"=>"\\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}"}
  710. [2016-12-07T10:45:31,632][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOJOBS"=>"There are no more Jobs associated with Volume \\\"%{BACULA_VOLUME:volume}\\\". Marking it purged."}
  711. [2016-12-07T10:45:31,632][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_ALL_RECORDS_PRUNED"=>"All records pruned from Volume \\\"%{BACULA_VOLUME:volume}\\\"; marking it \\\"Purged\\\""}
  712. [2016-12-07T10:45:31,633][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_BEGIN_PRUNE_JOBS"=>"Begin pruning Jobs older than %{INT} month %{INT} days ."}
  713. [2016-12-07T10:45:31,633][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_BEGIN_PRUNE_FILES"=>"Begin pruning Files."}
  714. [2016-12-07T10:45:31,633][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_PRUNED_JOBS"=>"Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog."}
  715. [2016-12-07T10:45:31,633][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_PRUNED_FILES"=>"Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog."}
  716. [2016-12-07T10:45:31,633][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_ENDPRUNE"=>"End auto prune."}
  717. [2016-12-07T10:45:31,633][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_STARTJOB"=>"Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}"}
  718. [2016-12-07T10:45:31,633][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_STARTRESTORE"=>"Start Restore Job %{BACULA_JOB:job}"}
  719. [2016-12-07T10:45:31,634][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_USEDEVICE"=>"Using Device \\\"%{BACULA_DEVICE:device}\\\""}
  720. [2016-12-07T10:45:31,634][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_DIFF_FS"=>"\\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it."}
  721. [2016-12-07T10:45:31,634][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_JOBEND"=>"Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second"}
  722. [2016-12-07T10:45:31,634][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRUNE_JOBS"=>"No Jobs found to prune."}
  723. [2016-12-07T10:45:31,634][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRUNE_FILES"=>"No Files found to prune."}
  724. [2016-12-07T10:45:31,634][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_VOLUME_PREVWRITTEN"=>"Volume \\\"%{BACULA_VOLUME:volume}\\\" previously written, moving to end of data."}
  725. [2016-12-07T10:45:31,634][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_READYAPPEND"=>"Ready to append to end of Volume \\\"%{BACULA_VOLUME:volume}\\\" size=%{INT}"}
  726. [2016-12-07T10:45:31,635][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_CANCELLING"=>"Cancelling duplicate JobId=%{INT}."}
  727. [2016-12-07T10:45:31,635][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MARKCANCEL"=>"JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled."}
  728. [2016-12-07T10:45:31,635][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_CLIENT_RBJ"=>"shell command: run ClientRunBeforeJob \\\"%{GREEDYDATA:runjob}\\\""}
  729. [2016-12-07T10:45:31,635][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_VSS"=>"(Generate )?VSS (Writer)?"}
  730. [2016-12-07T10:45:31,635][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MAXSTART"=>"Fatal error: Job canceled because max start delay time exceeded."}
  731. [2016-12-07T10:45:31,635][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_DUPLICATE"=>"Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed."}
  732. [2016-12-07T10:45:31,635][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOJOBSTAT"=>"Fatal error: No Job status returned from FD."}
  733. [2016-12-07T10:45:31,636][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_FATAL_CONN"=>"Fatal error: bsock.c:133 Unable to connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})"}
  734. [2016-12-07T10:45:31,636][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NO_CONNECT"=>"Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})"}
  735. [2016-12-07T10:45:31,636][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NO_AUTH"=>"Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:"}
  736. [2016-12-07T10:45:31,636][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOSUIT"=>"No prior or suitable Full backup found in catalog. Doing FULL backup."}
  737. [2016-12-07T10:45:31,636][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRIOR"=>"No prior Full backup Job record found."}
  738. [2016-12-07T10:45:31,637][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_JOB"=>"(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \\(%{BACULA_VERSION}\\):"}
  739. [2016-12-07T10:45:31,637][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOGLINE"=>"%{BACULA_TIMESTAMP:bts} %{BACULA_HOST:hostname} JobId %{INT:jobid}: (%{BACULA_LOG_MAX_CAPACITY}|%{BACULA_LOG_END_VOLUME}|%{BACULA_LOG_NEW_VOLUME}|%{BACULA_LOG_NEW_LABEL}|%{BACULA_LOG_WROTE_LABEL}|%{BACULA_LOG_NEW_MOUNT}|%{BACULA_LOG_NOOPEN}|%{BACULA_LOG_NOOPENDIR}|%{BACULA_LOG_NOSTAT}|%{BACULA_LOG_NOJOBS}|%{BACULA_LOG_ALL_RECORDS_PRUNED}|%{BACULA_LOG_BEGIN_PRUNE_JOBS}|%{BACULA_LOG_BEGIN_PRUNE_FILES}|%{BACULA_LOG_PRUNED_JOBS}|%{BACULA_LOG_PRUNED_FILES}|%{BACULA_LOG_ENDPRUNE}|%{BACULA_LOG_STARTJOB}|%{BACULA_LOG_STARTRESTORE}|%{BACULA_LOG_USEDEVICE}|%{BACULA_LOG_DIFF_FS}|%{BACULA_LOG_JOBEND}|%{BACULA_LOG_NOPRUNE_JOBS}|%{BACULA_LOG_NOPRUNE_FILES}|%{BACULA_LOG_VOLUME_PREVWRITTEN}|%{BACULA_LOG_READYAPPEND}|%{BACULA_LOG_CANCELLING}|%{BACULA_LOG_MARKCANCEL}|%{BACULA_LOG_CLIENT_RBJ}|%{BACULA_LOG_VSS}|%{BACULA_LOG_MAXSTART}|%{BACULA_LOG_DUPLICATE}|%{BACULA_LOG_NOJOBSTAT}|%{BACULA_LOG_FATAL_CONN}|%{BACULA_LOG_NO_CONNECT}|%{BACULA_LOG_NO_AUTH}|%{BACULA_LOG_NOSUIT}|%{BACULA_LOG_JOB}|%{BACULA_LOG_NOPRIOR})"}
  740. [2016-12-07T10:45:31,638][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_HTTP"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{INT:trans_depth}\\t%{GREEDYDATA:method}\\t%{GREEDYDATA:domain}\\t%{GREEDYDATA:uri}\\t%{GREEDYDATA:referrer}\\t%{GREEDYDATA:user_agent}\\t%{NUMBER:request_body_len}\\t%{NUMBER:response_body_len}\\t%{GREEDYDATA:status_code}\\t%{GREEDYDATA:status_msg}\\t%{GREEDYDATA:info_code}\\t%{GREEDYDATA:info_msg}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:bro_tags}\\t%{GREEDYDATA:username}\\t%{GREEDYDATA:password}\\t%{GREEDYDATA:proxied}\\t%{GREEDYDATA:orig_fuids}\\t%{GREEDYDATA:orig_mime_types}\\t%{GREEDYDATA:resp_fuids}\\t%{GREEDYDATA:resp_mime_types}"}
  741. [2016-12-07T10:45:31,638][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_DNS"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{INT:trans_id}\\t%{GREEDYDATA:query}\\t%{GREEDYDATA:qclass}\\t%{GREEDYDATA:qclass_name}\\t%{GREEDYDATA:qtype}\\t%{GREEDYDATA:qtype_name}\\t%{GREEDYDATA:rcode}\\t%{GREEDYDATA:rcode_name}\\t%{GREEDYDATA:AA}\\t%{GREEDYDATA:TC}\\t%{GREEDYDATA:RD}\\t%{GREEDYDATA:RA}\\t%{GREEDYDATA:Z}\\t%{GREEDYDATA:answers}\\t%{GREEDYDATA:TTLs}\\t%{GREEDYDATA:rejected}"}
  742. [2016-12-07T10:45:31,638][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_CONN"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{GREEDYDATA:service}\\t%{NUMBER:duration}\\t%{NUMBER:orig_bytes}\\t%{NUMBER:resp_bytes}\\t%{GREEDYDATA:conn_state}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:missed_bytes}\\t%{GREEDYDATA:history}\\t%{GREEDYDATA:orig_pkts}\\t%{GREEDYDATA:orig_ip_bytes}\\t%{GREEDYDATA:resp_pkts}\\t%{GREEDYDATA:resp_ip_bytes}\\t%{GREEDYDATA:tunnel_parents}"}
  743. [2016-12-07T10:45:31,639][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_FILES"=>"%{NUMBER:ts}\\t%{NOTSPACE:fuid}\\t%{IP:tx_hosts}\\t%{IP:rx_hosts}\\t%{NOTSPACE:conn_uids}\\t%{GREEDYDATA:source}\\t%{GREEDYDATA:depth}\\t%{GREEDYDATA:analyzers}\\t%{GREEDYDATA:mime_type}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:duration}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:is_orig}\\t%{GREEDYDATA:seen_bytes}\\t%{GREEDYDATA:total_bytes}\\t%{GREEDYDATA:missing_bytes}\\t%{GREEDYDATA:overflow_bytes}\\t%{GREEDYDATA:timedout}\\t%{GREEDYDATA:parent_fuid}\\t%{GREEDYDATA:md5}\\t%{GREEDYDATA:sha1}\\t%{GREEDYDATA:sha256}\\t%{GREEDYDATA:extracted}"}
  744. [2016-12-07T10:45:31,639][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_MSGID"=>"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"}
  745. [2016-12-07T10:45:31,639][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_FLAGS"=>"(<=|[-=>*]>|[*]{2}|==)"}
  746. [2016-12-07T10:45:31,639][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_DATE"=>"%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}"}
  747. [2016-12-07T10:45:31,640][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_PID"=>"\\[%{POSINT}\\]"}
  748. [2016-12-07T10:45:31,640][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_QT"=>"((\\d+y)?(\\d+w)?(\\d+d)?(\\d+h)?(\\d+m)?(\\d+s)?)"}
  749. [2016-12-07T10:45:31,640][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_EXCLUDE_TERMS"=>"(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)"}
  750. [2016-12-07T10:45:31,640][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_REMOTE_HOST"=>"(H=(%{NOTSPACE:remote_hostname} )?(\\(%{NOTSPACE:remote_heloname}\\) )?\\[%{IP:remote_host}\\])"}
  751. [2016-12-07T10:45:31,640][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_INTERFACE"=>"(I=\\[%{IP:exim_interface}\\](:%{NUMBER:exim_interface_port}))"}
  752. [2016-12-07T10:45:31,640][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_PROTOCOL"=>"(P=%{NOTSPACE:protocol})"}
  753. [2016-12-07T10:45:31,640][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_MSG_SIZE"=>"(S=%{NUMBER:exim_msg_size})"}
  754. [2016-12-07T10:45:31,641][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_HEADER_ID"=>"(id=%{NOTSPACE:exim_header_id})"}
  755. [2016-12-07T10:45:31,641][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_SUBJECT"=>"(T=%{QS:exim_subject})"}
  756. [2016-12-07T10:45:31,641][DEBUG][logstash.filters.grok    ] Adding pattern {"NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}"}
  757. [2016-12-07T10:45:31,642][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_TAGGED_SYSLOG"=>"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:"}
  758. [2016-12-07T10:45:31,642][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOTIMESTAMP"=>"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}"}
  759. [2016-12-07T10:45:31,642][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOTAG"=>"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)"}
  760. [2016-12-07T10:45:31,642][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_ACTION"=>"Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted"}
  761. [2016-12-07T10:45:31,642][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_REASON"=>"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\\s*)*"}
  762. [2016-12-07T10:45:31,642][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_DIRECTION"=>"Inbound|inbound|Outbound|outbound"}
  763. [2016-12-07T10:45:31,642][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_INTERVAL"=>"first hit|%{INT}-second interval"}
  764. [2016-12-07T10:45:31,643][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_XLATE_TYPE"=>"static|dynamic"}
  765. [2016-12-07T10:45:31,643][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104001"=>"\\((?:Primary|Secondary)\\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}"}
  766. [2016-12-07T10:45:31,643][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104002"=>"\\((?:Primary|Secondary)\\) Switching to STANDBY - %{GREEDYDATA:switch_reason}"}
  767. [2016-12-07T10:45:31,643][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104003"=>"\\((?:Primary|Secondary)\\) Switching to FAILED\\."}
  768. [2016-12-07T10:45:31,643][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104004"=>"\\((?:Primary|Secondary)\\) Switching to OK\\."}
  769. [2016-12-07T10:45:31,643][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105003"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting"}
  770. [2016-12-07T10:45:31,644][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105004"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal"}
  771. [2016-12-07T10:45:31,644][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105005"=>"\\((?:Primary|Secondary)\\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}"}
  772. [2016-12-07T10:45:31,644][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105008"=>"\\((?:Primary|Secondary)\\) Testing [Ii]nterface %{GREEDYDATA:interface_name}"}
  773. [2016-12-07T10:45:31,644][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105009"=>"\\((?:Primary|Secondary)\\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)"}
  774. [2016-12-07T10:45:31,644][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106001"=>"%{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}"}
  775. [2016-12-07T10:45:31,644][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106006_106007_106010"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\\(%{DATA:src_fwuser}\\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\\(%{DATA:dst_fwuser}\\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})"}
  776. [2016-12-07T10:45:31,645][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106014"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\\(%{DATA:dst_fwuser}\\))? \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\)"}
  777. [2016-12-07T10:45:31,645][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106015"=>"%{CISCO_ACTION:action} %{WORD:protocol} \\(%{DATA:policy_id}\\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags}  on interface %{GREEDYDATA:interface}"}
  778. [2016-12-07T10:45:31,645][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106021"=>"%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}"}
  779. [2016-12-07T10:45:31,645][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106023"=>"%{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\\(%{DATA:dst_fwuser}\\))?( \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\))? by access-group \"?%{DATA:policy_id}\"? \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  780. [2016-12-07T10:45:31,646][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106100_2_3"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\) -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  781. [2016-12-07T10:45:31,646][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106100"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\)(\\(%{DATA:src_fwuser}\\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\)(\\(%{DATA:src_fwuser}\\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  782. [2016-12-07T10:45:31,646][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW110002"=>"%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}"}
  783. [2016-12-07T10:45:31,647][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302010"=>"%{INT:connection_count} in use, %{INT:connection_count_max} most used"}
  784. [2016-12-07T10:45:31,647][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302013_302014_302015_302016"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\\))?(\\(%{DATA:src_fwuser}\\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\\))?(\\(%{DATA:dst_fwuser}\\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \\(%{DATA:user}\\))?"}
  785. [2016-12-07T10:45:31,647][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302020_302021"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\\(%{DATA:fwuser}\\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \\(%{DATA:user}\\))?"}
  786. [2016-12-07T10:45:31,648][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW305011"=>"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}"}
  787. [2016-12-07T10:45:31,648][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW313001_313004_313008"=>"%{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?"}
  788. [2016-12-07T10:45:31,649][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW313005"=>"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\\(%{DATA:err_src_fwuser}\\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\\(%{DATA:err_dst_fwuser}\\))? \\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\\) on %{DATA:interface} interface\\.  Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\\(%{DATA:orig_src_fwuser}\\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\\(%{DATA:orig_dst_fwuser}\\))?"}
  789. [2016-12-07T10:45:31,649][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW321001"=>"Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system"}
  790. [2016-12-07T10:45:31,649][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW402117"=>"%{WORD:protocol}: Received a non-IPSec packet \\(protocol= %{WORD:orig_protocol}\\) from %{IP:src_ip} to %{IP:dst_ip}"}
  791. [2016-12-07T10:45:31,649][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW402119"=>"%{WORD:protocol}: Received an %{WORD:orig_protocol} packet \\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\\) from %{IP:src_ip} \\(user= %{DATA:user}\\) to %{IP:dst_ip} that failed anti-replay checking"}
  792. [2016-12-07T10:45:31,649][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW419001"=>"%{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}"}
  793. [2016-12-07T10:45:31,649][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW419002"=>"%{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number"}
  794. [2016-12-07T10:45:31,650][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW500004"=>"%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}"}
  795. [2016-12-07T10:45:31,650][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW602303_602304"=>"%{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \\(SPI= %{DATA:spi}\\) between %{IP:src_ip} and %{IP:dst_ip} \\(user= %{DATA:user}\\) has been %{CISCO_ACTION:action}"}
  796. [2016-12-07T10:45:31,650][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW710001_710002_710003_710005_710006"=>"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}"}
  797. [2016-12-07T10:45:31,650][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW713172"=>"Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\\s+Remote end\\s*%{DATA:is_remote_natted}\\s*behind a NAT device\\s+This\\s+end\\s*%{DATA:is_local_natted}\\s*behind a NAT device"}
  798. [2016-12-07T10:45:31,650][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW733100"=>"\\[\\s*%{DATA:drop_type}\\s*\\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}"}
  799. [2016-12-07T10:45:31,651][DEBUG][logstash.filters.grok    ] Adding pattern {"SHOREWALL"=>"(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)"}
  800. [2016-12-07T10:45:31,651][DEBUG][logstash.filters.grok    ] Adding pattern {"USERNAME"=>"[a-zA-Z0-9._-]+"}
  801. [2016-12-07T10:45:31,651][DEBUG][logstash.filters.grok    ] Adding pattern {"USER"=>"%{USERNAME}"}
  802. [2016-12-07T10:45:31,651][DEBUG][logstash.filters.grok    ] Adding pattern {"EMAILLOCALPART"=>"[a-zA-Z][a-zA-Z0-9_.+-=:]+"}
  803. [2016-12-07T10:45:31,651][DEBUG][logstash.filters.grok    ] Adding pattern {"EMAILADDRESS"=>"%{EMAILLOCALPART}@%{HOSTNAME}"}
  804. [2016-12-07T10:45:31,652][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDUSER"=>"%{EMAILADDRESS}|%{USER}"}
  805. [2016-12-07T10:45:31,652][DEBUG][logstash.filters.grok    ] Adding pattern {"INT"=>"(?:[+-]?(?:[0-9]+))"}
  806. [2016-12-07T10:45:31,652][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))"}
  807. [2016-12-07T10:45:31,652][DEBUG][logstash.filters.grok    ] Adding pattern {"NUMBER"=>"(?:%{BASE10NUM})"}
  808. [2016-12-07T10:45:31,652][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))"}
  809. [2016-12-07T10:45:31,652][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b"}
  810. [2016-12-07T10:45:31,652][DEBUG][logstash.filters.grok    ] Adding pattern {"POSINT"=>"\\b(?:[1-9][0-9]*)\\b"}
  811. [2016-12-07T10:45:31,652][DEBUG][logstash.filters.grok    ] Adding pattern {"NONNEGINT"=>"\\b(?:[0-9]+)\\b"}
  812. [2016-12-07T10:45:31,653][DEBUG][logstash.filters.grok    ] Adding pattern {"WORD"=>"\\b\\w+\\b"}
  813. [2016-12-07T10:45:31,653][DEBUG][logstash.filters.grok    ] Adding pattern {"NOTSPACE"=>"\\S+"}
  814. [2016-12-07T10:45:31,653][DEBUG][logstash.filters.grok    ] Adding pattern {"SPACE"=>"\\s*"}
  815. [2016-12-07T10:45:31,653][DEBUG][logstash.filters.grok    ] Adding pattern {"DATA"=>".*?"}
  816. [2016-12-07T10:45:31,653][DEBUG][logstash.filters.grok    ] Adding pattern {"GREEDYDATA"=>".*"}
  817. [2016-12-07T10:45:31,653][DEBUG][logstash.filters.grok    ] Adding pattern {"QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))"}
  818. [2016-12-07T10:45:31,653][DEBUG][logstash.filters.grok    ] Adding pattern {"UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}"}
  819. [2016-12-07T10:45:31,653][DEBUG][logstash.filters.grok    ] Adding pattern {"URN"=>"urn:[0-9A-Za-z][0-9A-Za-z-]{0,31}:(?:%[0-9a-fA-F]{2}|[0-9A-Za-z()+,.:=@;$_!*'/?#-])+"}
  820. [2016-12-07T10:45:31,654][DEBUG][logstash.filters.grok    ] Adding pattern {"MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})"}
  821. [2016-12-07T10:45:31,654][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})"}
  822. [2016-12-07T10:45:31,654][DEBUG][logstash.filters.grok    ] Adding pattern {"WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})"}
  823. [2016-12-07T10:45:31,654][DEBUG][logstash.filters.grok    ] Adding pattern {"COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})"}
  824. [2016-12-07T10:45:31,654][DEBUG][logstash.filters.grok    ] Adding pattern {"IPV6"=>"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?"}
  825. [2016-12-07T10:45:31,655][DEBUG][logstash.filters.grok    ] Adding pattern {"IPV4"=>"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"}
  826. [2016-12-07T10:45:31,655][DEBUG][logstash.filters.grok    ] Adding pattern {"IP"=>"(?:%{IPV6}|%{IPV4})"}
  827. [2016-12-07T10:45:31,655][DEBUG][logstash.filters.grok    ] Adding pattern {"HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"}
  828. [2016-12-07T10:45:31,655][DEBUG][logstash.filters.grok    ] Adding pattern {"IPORHOST"=>"(?:%{IP}|%{HOSTNAME})"}
  829. [2016-12-07T10:45:31,655][DEBUG][logstash.filters.grok    ] Adding pattern {"HOSTPORT"=>"%{IPORHOST}:%{POSINT}"}
  830. [2016-12-07T10:45:31,655][DEBUG][logstash.filters.grok    ] Adding pattern {"PATH"=>"(?:%{UNIXPATH}|%{WINPATH})"}
  831. [2016-12-07T10:45:31,655][DEBUG][logstash.filters.grok    ] Adding pattern {"UNIXPATH"=>"(/([\\w_%!$@:.,+~-]+|\\\\.)*)+"}
  832. [2016-12-07T10:45:31,655][DEBUG][logstash.filters.grok    ] Adding pattern {"TTY"=>"(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))"}
  833. [2016-12-07T10:45:31,656][DEBUG][logstash.filters.grok    ] Adding pattern {"WINPATH"=>"(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+"}
  834. [2016-12-07T10:45:31,656][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?"}
  835. [2016-12-07T10:45:31,656][DEBUG][logstash.filters.grok    ] Adding pattern {"URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?"}
  836. [2016-12-07T10:45:31,656][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\\-]*)+"}
  837. [2016-12-07T10:45:31,656][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*"}
  838. [2016-12-07T10:45:31,656][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?"}
  839. [2016-12-07T10:45:31,656][DEBUG][logstash.filters.grok    ] Adding pattern {"URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?"}
  840. [2016-12-07T10:45:31,657][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTH"=>"\\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\\b"}
  841. [2016-12-07T10:45:31,657][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHNUM"=>"(?:0?[1-9]|1[0-2])"}
  842. [2016-12-07T10:45:31,657][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHNUM2"=>"(?:0[1-9]|1[0-2])"}
  843. [2016-12-07T10:45:31,657][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])"}
  844. [2016-12-07T10:45:31,657][DEBUG][logstash.filters.grok    ] Adding pattern {"DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)"}
  845. [2016-12-07T10:45:31,657][DEBUG][logstash.filters.grok    ] Adding pattern {"YEAR"=>"(?>\\d\\d){1,2}"}
  846. [2016-12-07T10:45:31,657][DEBUG][logstash.filters.grok    ] Adding pattern {"HOUR"=>"(?:2[0123]|[01]?[0-9])"}
  847. [2016-12-07T10:45:31,658][DEBUG][logstash.filters.grok    ] Adding pattern {"MINUTE"=>"(?:[0-5][0-9])"}
  848. [2016-12-07T10:45:31,658][DEBUG][logstash.filters.grok    ] Adding pattern {"SECOND"=>"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)"}
  849. [2016-12-07T10:45:31,658][DEBUG][logstash.filters.grok    ] Adding pattern {"TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])"}
  850. [2016-12-07T10:45:31,658][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}"}
  851. [2016-12-07T10:45:31,658][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE_EU"=>"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}"}
  852. [2016-12-07T10:45:31,658][DEBUG][logstash.filters.grok    ] Adding pattern {"ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))"}
  853. [2016-12-07T10:45:31,658][DEBUG][logstash.filters.grok    ] Adding pattern {"ISO8601_SECOND"=>"(?:%{SECOND}|60)"}
  854. [2016-12-07T10:45:31,659][DEBUG][logstash.filters.grok    ] Adding pattern {"TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?"}
  855. [2016-12-07T10:45:31,659][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE"=>"%{DATE_US}|%{DATE_EU}"}
  856. [2016-12-07T10:45:31,659][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP"=>"%{DATE}[- ]%{TIME}"}
  857. [2016-12-07T10:45:31,659][DEBUG][logstash.filters.grok    ] Adding pattern {"TZ"=>"(?:[APMCE][SD]T|UTC)"}
  858. [2016-12-07T10:45:31,659][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}"}
  859. [2016-12-07T10:45:31,659][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_RFC2822"=>"%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}"}
  860. [2016-12-07T10:45:31,660][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}"}
  861. [2016-12-07T10:45:31,660][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_EVENTLOG"=>"%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}"}
  862. [2016-12-07T10:45:31,660][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDERROR_DATE"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"}
  863. [2016-12-07T10:45:31,660][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}"}
  864. [2016-12-07T10:45:31,660][DEBUG][logstash.filters.grok    ] Adding pattern {"PROG"=>"[\\x21-\\x5a\\x5c\\x5e-\\x7e]+"}
  865. [2016-12-07T10:45:31,660][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?"}
  866. [2016-12-07T10:45:31,660][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGHOST"=>"%{IPORHOST}"}
  867. [2016-12-07T10:45:31,660][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>"}
  868. [2016-12-07T10:45:31,661][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}"}
  869. [2016-12-07T10:45:31,661][DEBUG][logstash.filters.grok    ] Adding pattern {"QS"=>"%{QUOTEDSTRING}"}
  870. [2016-12-07T10:45:31,661][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:"}
  871. [2016-12-07T10:45:31,661][DEBUG][logstash.filters.grok    ] Adding pattern {"COMMONAPACHELOG"=>"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"}
  872. [2016-12-07T10:45:31,661][DEBUG][logstash.filters.grok    ] Adding pattern {"COMBINEDAPACHELOG"=>"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}"}
  873. [2016-12-07T10:45:31,661][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD20_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}"}
  874. [2016-12-07T10:45:31,661][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD24_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}"}
  875. [2016-12-07T10:45:31,662][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD_ERRORLOG"=>"%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}"}
  876. [2016-12-07T10:45:31,662][DEBUG][logstash.filters.grok    ] Adding pattern {"LOGLEVEL"=>"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)"}
  877. [2016-12-07T10:45:31,662][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])"}
  878. [2016-12-07T10:45:31,662][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}"}
  879. [2016-12-07T10:45:31,663][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}"}
  880. [2016-12-07T10:45:31,663][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}"}
  881. [2016-12-07T10:45:31,665][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYHTTPBASE"=>"%{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\""}
  882. [2016-12-07T10:45:31,665][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYHTTP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}"}
  883. [2016-12-07T10:45:31,665][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYTCP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}"}
  884. [2016-12-07T10:45:31,666][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVACLASS"=>"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\\.)*[a-zA-Z$_][a-zA-Z$_0-9]*"}
  885. [2016-12-07T10:45:31,666][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAFILE"=>"(?:[A-Za-z0-9_. -]+)"}
  886. [2016-12-07T10:45:31,666][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAMETHOD"=>"(?:(<(?:cl)?init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)"}
  887. [2016-12-07T10:45:31,666][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVASTACKTRACEPART"=>"%{SPACE}at %{JAVACLASS:class}\\.%{JAVAMETHOD:method}\\(%{JAVAFILE:file}(?::%{NUMBER:line})?\\)"}
  888. [2016-12-07T10:45:31,666][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVATHREAD"=>"(?:[A-Z]{2}-Processor[\\d]+)"}
  889. [2016-12-07T10:45:31,666][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9$]+"}
  890. [2016-12-07T10:45:31,667][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)"}
  891. [2016-12-07T10:45:31,667][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)"}
  892. [2016-12-07T10:45:31,667][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVALOGMESSAGE"=>"(.*)"}
  893. [2016-12-07T10:45:31,668][DEBUG][logstash.filters.grok    ] Adding pattern {"CATALINA_DATESTAMP"=>"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)"}
  894. [2016-12-07T10:45:31,668][DEBUG][logstash.filters.grok    ] Adding pattern {"TOMCAT_DATESTAMP"=>"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}"}
  895. [2016-12-07T10:45:31,668][DEBUG][logstash.filters.grok    ] Adding pattern {"CATALINALOG"=>"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}"}
  896. [2016-12-07T10:45:31,668][DEBUG][logstash.filters.grok    ] Adding pattern {"TOMCATLOG"=>"%{TOMCAT_DATESTAMP:timestamp} \\| %{LOGLEVEL:level} \\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}"}
  897. [2016-12-07T10:45:31,669][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW_EVENT"=>"(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)"}
  898. [2016-12-07T10:45:31,668][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:31 -0200}
  899. [2016-12-07T10:45:31,669][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW1"=>"%{RT_FLOW_EVENT:event}: %{GREEDYDATA:close-reason}: %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} \\d+\\(%{DATA:sent}\\) \\d+\\(%{DATA:received}\\) %{INT:elapsed-time} .*"}
  900. [2016-12-07T10:45:31,669][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW2"=>"%{RT_FLOW_EVENT:event}: session created %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} .*"}
  901. [2016-12-07T10:45:31,669][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW3"=>"%{RT_FLOW_EVENT:event}: session denied %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{INT:protocol-id}\\(\\d\\) %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} .*"}
  902. [2016-12-07T10:45:31,670][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424PRINTASCII"=>"[!-~]+"}
  903. [2016-12-07T10:45:31,670][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)"}
  904. [2016-12-07T10:45:31,670][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?"}
  905. [2016-12-07T10:45:31,670][DEBUG][logstash.filters.grok    ] Adding pattern {"CRON_ACTION"=>"[A-Z ]+"}
  906. [2016-12-07T10:45:31,671][DEBUG][logstash.filters.grok    ] Adding pattern {"CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)"}
  907. [2016-12-07T10:45:31,671][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}"}
  908. [2016-12-07T10:45:31,674][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424PRI"=>"<%{NONNEGINT:syslog5424_pri}>"}
  909. [2016-12-07T10:45:31,674][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424SD"=>"\\[%{DATA}\\]+"}
  910. [2016-12-07T10:45:31,674][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424BASE"=>"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)"}
  911. [2016-12-07T10:45:31,674][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424LINE"=>"%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}"}
  912. [2016-12-07T10:45:31,675][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:"}
  913. [2016-12-07T10:45:31,675][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVE"=>"., \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\]%{SPACE}%{LOGLEVEL:event_level}"}
  914. [2016-12-07T10:45:31,675][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:"}
  915. [2016-12-07T10:45:31,675][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_LOG"=>"%{SYSLOGTIMESTAMP:timestamp} \\[%{WORD:component}\\] %{GREEDYDATA:message}"}
  916. [2016-12-07T10:45:31,675][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_QUERY"=>"\\{ (?<={ ).*(?= } ntoreturn:) \\}"}
  917. [2016-12-07T10:45:31,676][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_SLOWQUERY"=>"%{WORD} %{MONGO_WORDDASH:database}\\.%{MONGO_WORDDASH:collection} %{WORD}: %{MONGO_QUERY:query} %{WORD}:%{NONNEGINT:ntoreturn} %{WORD}:%{NONNEGINT:ntoskip} %{WORD}:%{NONNEGINT:nscanned}.*nreturned:%{NONNEGINT:nreturned}..+ (?<duration>[0-9]+)ms"}
  918. [2016-12-07T10:45:31,676][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_WORDDASH"=>"\\b[\\w-]+\\b"}
  919. [2016-12-07T10:45:31,676][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_SEVERITY"=>"\\w"}
  920. [2016-12-07T10:45:31,676][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_COMPONENT"=>"%{WORD}|-"}
  921. [2016-12-07T10:45:31,676][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\\[%{DATA:context}\\])? %{GREEDYDATA:message}"}
  922. [2016-12-07T10:45:31,677][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]"}
  923. [2016-12-07T10:45:31,677][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE"}
  924. [2016-12-07T10:45:31,677][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE"}
  925. [2016-12-07T10:45:31,677][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION"}
  926. [2016-12-07T10:45:31,678][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION"}
  927. [2016-12-07T10:45:31,678][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT"}
  928. [2016-12-07T10:45:31,678][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT"}
  929. [2016-12-07T10:45:31,678][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT"}
  930. [2016-12-07T10:45:31,678][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT"}
  931. [2016-12-07T10:45:31,678][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT"}
  932. [2016-12-07T10:45:31,678][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT"}
  933. [2016-12-07T10:45:31,679][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK"}
  934. [2016-12-07T10:45:31,679][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK"}
  935. [2016-12-07T10:45:31,679][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER"}
  936. [2016-12-07T10:45:31,679][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER"}
  937. [2016-12-07T10:45:31,679][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND"}
  938. [2016-12-07T10:45:31,679][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION"}
  939. [2016-12-07T10:45:31,679][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK"}
  940. [2016-12-07T10:45:31,680][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK"}
  941. [2016-12-07T10:45:31,680][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK"}
  942. [2016-12-07T10:45:31,680][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK"}
  943. [2016-12-07T10:45:31,680][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT"}
  944. [2016-12-07T10:45:31,680][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT"}
  945. [2016-12-07T10:45:31,680][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME"}
  946. [2016-12-07T10:45:31,680][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME"}
  947. [2016-12-07T10:45:31,680][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS"=>"DISABLE_HOST_SVC_NOTIFICATIONS"}
  948. [2016-12-07T10:45:31,681][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS"=>"ENABLE_HOST_SVC_NOTIFICATIONS"}
  949. [2016-12-07T10:45:31,681][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS"=>"DISABLE_HOST_NOTIFICATIONS"}
  950. [2016-12-07T10:45:31,681][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS"=>"ENABLE_HOST_NOTIFICATIONS"}
  951. [2016-12-07T10:45:31,681][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS"=>"DISABLE_SVC_NOTIFICATIONS"}
  952. [2016-12-07T10:45:31,681][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS"=>"ENABLE_SVC_NOTIFICATIONS"}
  953. [2016-12-07T10:45:31,681][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}"}
  954. [2016-12-07T10:45:31,681][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}"}
  955. [2016-12-07T10:45:31,681][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}"}
  956. [2016-12-07T10:45:31,682][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}"}
  957. [2016-12-07T10:45:31,682][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}"}
  958. [2016-12-07T10:45:31,682][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}"}
  959. [2016-12-07T10:45:31,682][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}"}
  960. [2016-12-07T10:45:31,683][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}"}
  961. [2016-12-07T10:45:31,683][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}"}
  962. [2016-12-07T10:45:31,683][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  963. [2016-12-07T10:45:31,683][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  964. [2016-12-07T10:45:31,683][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  965. [2016-12-07T10:45:31,683][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  966. [2016-12-07T10:45:31,684][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}"}
  967. [2016-12-07T10:45:31,684][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}"}
  968. [2016-12-07T10:45:31,684][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}"}
  969. [2016-12-07T10:45:31,684][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}"}
  970. [2016-12-07T10:45:31,684][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}"}
  971. [2016-12-07T10:45:31,684][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}"}
  972. [2016-12-07T10:45:31,684][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}"}
  973. [2016-12-07T10:45:31,685][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}"}
  974. [2016-12-07T10:45:31,685][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}"}
  975. [2016-12-07T10:45:31,685][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  976. [2016-12-07T10:45:31,685][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  977. [2016-12-07T10:45:31,685][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}"}
  978. [2016-12-07T10:45:31,685][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  979. [2016-12-07T10:45:31,685][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  980. [2016-12-07T10:45:31,686][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}"}
  981. [2016-12-07T10:45:31,686][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}"}
  982. [2016-12-07T10:45:31,686][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME}|%{NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS})"}
  983. [2016-12-07T10:45:31,687][DEBUG][logstash.filters.grok    ] Adding pattern {"POSTGRESQL"=>"%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}"}
  984. [2016-12-07T10:45:31,687][DEBUG][logstash.filters.grok    ] Adding pattern {"RUUID"=>"\\h{32}"}
  985. [2016-12-07T10:45:31,687][DEBUG][logstash.filters.grok    ] Adding pattern {"RCONTROLLER"=>"(?<controller>[^#]+)#(?<action>\\w+)"}
  986. [2016-12-07T10:45:31,687][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3HEAD"=>"(?m)Started %{WORD:verb} \"%{URIPATHPARAM:request}\" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})"}
  987. [2016-12-07T10:45:31,687][DEBUG][logstash.filters.grok    ] Adding pattern {"RPROCESSING"=>"\\W*Processing by %{RCONTROLLER} as (?<format>\\S+)(?:\\W*Parameters: {%{DATA:params}}\\W*)?"}
  988. [2016-12-07T10:45:31,687][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3FOOT"=>"Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}"}
  989. [2016-12-07T10:45:31,688][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3PROFILE"=>"(?:\\(Views: %{NUMBER:viewms}ms \\| ActiveRecord: %{NUMBER:activerecordms}ms|\\(ActiveRecord: %{NUMBER:activerecordms}ms)?"}
  990. [2016-12-07T10:45:31,688][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3"=>"%{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\\n)*)(?:%{RAILS3FOOT})?"}
  991. [2016-12-07T10:45:31,688][DEBUG][logstash.filters.grok    ] Adding pattern {"REDISTIMESTAMP"=>"%{MONTHDAY} %{MONTH} %{TIME}"}
  992. [2016-12-07T10:45:31,688][DEBUG][logstash.filters.grok    ] Adding pattern {"REDISLOG"=>"\\[%{POSINT:pid}\\] %{REDISTIMESTAMP:timestamp} \\* "}
  993. [2016-12-07T10:45:31,688][DEBUG][logstash.filters.grok    ] Adding pattern {"RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)"}
  994. [2016-12-07T10:45:31,689][DEBUG][logstash.filters.grok    ] Adding pattern {"RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}"}
  995. [2016-12-07T10:45:31,689][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<SYSLOGTIMESTAMP:syslog_timestamp>%{MONTH} +%{MONTHDAY} %{TIME})
  996. [2016-12-07T10:45:31,689][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b)
  997. [2016-12-07T10:45:31,689][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))
  998. [2016-12-07T10:45:31,690][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9]))
  999. [2016-12-07T10:45:31,690][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:2[0123]|[01]?[0-9]))
  1000. [2016-12-07T10:45:31,690][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:[0-5][0-9]))
  1001. [2016-12-07T10:45:31,690][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))
  1002. [2016-12-07T10:45:31,690][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<SYSLOGHOST:syslog_hostname>%{IPORHOST})
  1003. [2016-12-07T10:45:31,690][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:%{IP}|%{HOSTNAME}))
  1004. [2016-12-07T10:45:31,691][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:%{IPV6}|%{IPV4}))
  1005. [2016-12-07T10:45:31,691][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)
  1006. [2016-12-07T10:45:31,691][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))
  1007. [2016-12-07T10:45:31,691][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))
  1008. [2016-12-07T10:45:31,691][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<DATA:syslog_program>.*?)
  1009. [2016-12-07T10:45:31,692][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<POSINT:syslog_pid>\b(?:[1-9][0-9]*)\b)
  1010. [2016-12-07T10:45:31,692][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<GREEDYDATA:syslog_message>.*)
  1011. [2016-12-07T10:45:31,695][DEBUG][logstash.filters.grok    ] Grok compiled OK {:pattern=>"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\\[%{POSINT:syslog_pid}\\])?: %{GREEDYDATA:syslog_message}", :expanded_pattern=>"(?<SYSLOGTIMESTAMP:syslog_timestamp>(?:\\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\\b) +(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])) (?:(?!<[0-9])(?:(?:2[0123]|[01]?[0-9])):(?:(?:[0-5][0-9]))(?::(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9]))) (?<SYSLOGHOST:syslog_hostname>(?:(?:(?:(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b))))) (?<DATA:syslog_program>.*?)(?:\\[(?<POSINT:syslog_pid>\\b(?:[1-9][0-9]*)\\b)\\])?: (?<GREEDYDATA:syslog_message>.*)"}
  1012. [2016-12-07T10:45:31,700][DEBUG][logstash.filters.date    ] Adding type with date config {:type=>nil, :field=>"syslog_timestamp", :format=>"MMM  d HH:mm:ss"}
  1013. [2016-12-07T10:45:31,700][DEBUG][logstash.filters.date    ] Adding type with date config {:type=>nil, :field=>"syslog_timestamp", :format=>"MMM dd HH:mm:ss"}
  1014. [2016-12-07T10:45:31,701][DEBUG][logstash.filters.grok    ] Grok patterns path {:paths=>["/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-4.0.2/patterns", "/usr/share/logstash/patterns/*"]}
  1015. [2016-12-07T10:45:31,701][DEBUG][logstash.filters.grok    ] Grok patterns path {:paths=>[]}
  1016. [2016-12-07T10:45:31,702][DEBUG][logstash.filters.grok    ] Match data {:match=>{"message"=>"%{COMBINEDAPACHELOG}"}}
  1017. [2016-12-07T10:45:31,703][DEBUG][logstash.filters.grok    ] regexp: /message {:pattern=>"%{COMBINEDAPACHELOG}"}
  1018. [2016-12-07T10:45:31,704][DEBUG][logstash.filters.grok    ] Adding pattern {"S3_REQUEST_LINE"=>"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"}
  1019. [2016-12-07T10:45:31,704][DEBUG][logstash.filters.grok    ] Adding pattern {"S3_ACCESS_LOG"=>"%{WORD:owner} %{NOTSPACE:bucket} \\[%{HTTPDATE:timestamp}\\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:\"%{S3_REQUEST_LINE}\"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:\"?%{QS:agent}\"?|-) (?:-|%{NOTSPACE:version_id})"}
  1020. [2016-12-07T10:45:31,705][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_URIPATHPARAM"=>"%{URIPATH:path}(?:%{URIPARAM:params})?"}
  1021. [2016-12-07T10:45:31,705][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_URI"=>"%{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?"}
  1022. [2016-12-07T10:45:31,705][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_REQUEST_LINE"=>"(?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"}
  1023. [2016-12-07T10:45:31,705][DEBUG][logstash.filters.grok    ] Adding pattern {"ELB_ACCESS_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} (?:(%{IP:backendip}:?:%{INT:backendport:int})|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} \"%{ELB_REQUEST_LINE}\""}
  1024. [2016-12-07T10:45:31,705][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_TIMESTAMP"=>"%{MONTHDAY}-%{MONTH} %{HOUR}:%{MINUTE}"}
  1025. [2016-12-07T10:45:31,706][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_HOST"=>"[a-zA-Z0-9-]+"}
  1026. [2016-12-07T10:45:31,706][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_VOLUME"=>"%{USER}"}
  1027. [2016-12-07T10:45:31,706][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_DEVICE"=>"%{USER}"}
  1028. [2016-12-07T10:45:31,706][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_DEVICEPATH"=>"%{UNIXPATH}"}
  1029. [2016-12-07T10:45:31,706][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_CAPACITY"=>"%{INT}{1,3}(,%{INT}{3})*"}
  1030. [2016-12-07T10:45:31,706][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_VERSION"=>"%{USER}"}
  1031. [2016-12-07T10:45:31,706][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_JOB"=>"%{USER}"}
  1032. [2016-12-07T10:45:31,706][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MAX_CAPACITY"=>"User defined maximum volume capacity %{BACULA_CAPACITY} exceeded on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)"}
  1033. [2016-12-07T10:45:31,707][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_END_VOLUME"=>"End of medium on Volume \\\"%{BACULA_VOLUME:volume}\\\" Bytes=%{BACULA_CAPACITY} Blocks=%{BACULA_CAPACITY} at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}."}
  1034. [2016-12-07T10:45:31,707][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_VOLUME"=>"Created new Volume \\\"%{BACULA_VOLUME:volume}\\\" in catalog."}
  1035. [2016-12-07T10:45:31,707][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_LABEL"=>"Labeled new Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\)."}
  1036. [2016-12-07T10:45:31,707][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_WROTE_LABEL"=>"Wrote label to prelabeled Volume \\\"%{BACULA_VOLUME:volume}\\\" on device \\\"%{BACULA_DEVICE}\\\" \\(%{BACULA_DEVICEPATH}\\)"}
  1037. [2016-12-07T10:45:31,707][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NEW_MOUNT"=>"New volume \\\"%{BACULA_VOLUME:volume}\\\" mounted on device \\\"%{BACULA_DEVICE:device}\\\" \\(%{BACULA_DEVICEPATH}\\) at %{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}."}
  1038. [2016-12-07T10:45:31,707][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOOPEN"=>"\\s+Cannot open %{DATA}: ERR=%{GREEDYDATA:berror}"}
  1039. [2016-12-07T10:45:31,707][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOOPENDIR"=>"\\s+Could not open directory %{DATA}: ERR=%{GREEDYDATA:berror}"}
  1040. [2016-12-07T10:45:31,708][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOSTAT"=>"\\s+Could not stat %{DATA}: ERR=%{GREEDYDATA:berror}"}
  1041. [2016-12-07T10:45:31,708][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOJOBS"=>"There are no more Jobs associated with Volume \\\"%{BACULA_VOLUME:volume}\\\". Marking it purged."}
  1042. [2016-12-07T10:45:31,708][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_ALL_RECORDS_PRUNED"=>"All records pruned from Volume \\\"%{BACULA_VOLUME:volume}\\\"; marking it \\\"Purged\\\""}
  1043. [2016-12-07T10:45:31,710][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_BEGIN_PRUNE_JOBS"=>"Begin pruning Jobs older than %{INT} month %{INT} days ."}
  1044. [2016-12-07T10:45:31,710][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_BEGIN_PRUNE_FILES"=>"Begin pruning Files."}
  1045. [2016-12-07T10:45:31,710][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_PRUNED_JOBS"=>"Pruned %{INT} Jobs* for client %{BACULA_HOST:client} from catalog."}
  1046. [2016-12-07T10:45:31,710][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_PRUNED_FILES"=>"Pruned Files from %{INT} Jobs* for client %{BACULA_HOST:client} from catalog."}
  1047. [2016-12-07T10:45:31,710][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_ENDPRUNE"=>"End auto prune."}
  1048. [2016-12-07T10:45:31,710][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_STARTJOB"=>"Start Backup JobId %{INT}, Job=%{BACULA_JOB:job}"}
  1049. [2016-12-07T10:45:31,711][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_STARTRESTORE"=>"Start Restore Job %{BACULA_JOB:job}"}
  1050. [2016-12-07T10:45:31,711][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_USEDEVICE"=>"Using Device \\\"%{BACULA_DEVICE:device}\\\""}
  1051. [2016-12-07T10:45:31,711][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_DIFF_FS"=>"\\s+%{UNIXPATH} is a different filesystem. Will not descend from %{UNIXPATH} into it."}
  1052. [2016-12-07T10:45:31,711][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_JOBEND"=>"Job write elapsed time = %{DATA:elapsed}, Transfer rate = %{NUMBER} (K|M|G)? Bytes/second"}
  1053. [2016-12-07T10:45:31,711][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRUNE_JOBS"=>"No Jobs found to prune."}
  1054. [2016-12-07T10:45:31,711][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRUNE_FILES"=>"No Files found to prune."}
  1055. [2016-12-07T10:45:31,711][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_VOLUME_PREVWRITTEN"=>"Volume \\\"%{BACULA_VOLUME:volume}\\\" previously written, moving to end of data."}
  1056. [2016-12-07T10:45:31,712][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_READYAPPEND"=>"Ready to append to end of Volume \\\"%{BACULA_VOLUME:volume}\\\" size=%{INT}"}
  1057. [2016-12-07T10:45:31,712][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_CANCELLING"=>"Cancelling duplicate JobId=%{INT}."}
  1058. [2016-12-07T10:45:31,712][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MARKCANCEL"=>"JobId %{INT}, Job %{BACULA_JOB:job} marked to be canceled."}
  1059. [2016-12-07T10:45:31,712][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_CLIENT_RBJ"=>"shell command: run ClientRunBeforeJob \\\"%{GREEDYDATA:runjob}\\\""}
  1060. [2016-12-07T10:45:31,712][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_VSS"=>"(Generate )?VSS (Writer)?"}
  1061. [2016-12-07T10:45:31,712][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_MAXSTART"=>"Fatal error: Job canceled because max start delay time exceeded."}
  1062. [2016-12-07T10:45:31,712][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_DUPLICATE"=>"Fatal error: JobId %{INT:duplicate} already running. Duplicate job not allowed."}
  1063. [2016-12-07T10:45:31,712][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOJOBSTAT"=>"Fatal error: No Job status returned from FD."}
  1064. [2016-12-07T10:45:31,713][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_FATAL_CONN"=>"Fatal error: bsock.c:133 Unable to connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})"}
  1065. [2016-12-07T10:45:31,713][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NO_CONNECT"=>"Warning: bsock.c:127 Could not connect to (Client: %{BACULA_HOST:client}|Storage daemon) on %{HOSTNAME}:%{POSINT}. ERR=(?<berror>%{GREEDYDATA})"}
  1066. [2016-12-07T10:45:31,713][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NO_AUTH"=>"Fatal error: Unable to authenticate with File daemon at %{HOSTNAME}. Possible causes:"}
  1067. [2016-12-07T10:45:31,713][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOSUIT"=>"No prior or suitable Full backup found in catalog. Doing FULL backup."}
  1068. [2016-12-07T10:45:31,713][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_NOPRIOR"=>"No prior Full backup Job record found."}
  1069. [2016-12-07T10:45:31,713][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOG_JOB"=>"(Error: )?Bacula %{BACULA_HOST} %{BACULA_VERSION} \\(%{BACULA_VERSION}\\):"}
  1070. [2016-12-07T10:45:31,714][DEBUG][logstash.filters.grok    ] Adding pattern {"BACULA_LOGLINE"=>"%{BACULA_TIMESTAMP:bts} %{BACULA_HOST:hostname} JobId %{INT:jobid}: (%{BACULA_LOG_MAX_CAPACITY}|%{BACULA_LOG_END_VOLUME}|%{BACULA_LOG_NEW_VOLUME}|%{BACULA_LOG_NEW_LABEL}|%{BACULA_LOG_WROTE_LABEL}|%{BACULA_LOG_NEW_MOUNT}|%{BACULA_LOG_NOOPEN}|%{BACULA_LOG_NOOPENDIR}|%{BACULA_LOG_NOSTAT}|%{BACULA_LOG_NOJOBS}|%{BACULA_LOG_ALL_RECORDS_PRUNED}|%{BACULA_LOG_BEGIN_PRUNE_JOBS}|%{BACULA_LOG_BEGIN_PRUNE_FILES}|%{BACULA_LOG_PRUNED_JOBS}|%{BACULA_LOG_PRUNED_FILES}|%{BACULA_LOG_ENDPRUNE}|%{BACULA_LOG_STARTJOB}|%{BACULA_LOG_STARTRESTORE}|%{BACULA_LOG_USEDEVICE}|%{BACULA_LOG_DIFF_FS}|%{BACULA_LOG_JOBEND}|%{BACULA_LOG_NOPRUNE_JOBS}|%{BACULA_LOG_NOPRUNE_FILES}|%{BACULA_LOG_VOLUME_PREVWRITTEN}|%{BACULA_LOG_READYAPPEND}|%{BACULA_LOG_CANCELLING}|%{BACULA_LOG_MARKCANCEL}|%{BACULA_LOG_CLIENT_RBJ}|%{BACULA_LOG_VSS}|%{BACULA_LOG_MAXSTART}|%{BACULA_LOG_DUPLICATE}|%{BACULA_LOG_NOJOBSTAT}|%{BACULA_LOG_FATAL_CONN}|%{BACULA_LOG_NO_CONNECT}|%{BACULA_LOG_NO_AUTH}|%{BACULA_LOG_NOSUIT}|%{BACULA_LOG_JOB}|%{BACULA_LOG_NOPRIOR})"}
  1071. [2016-12-07T10:45:31,714][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_HTTP"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{INT:trans_depth}\\t%{GREEDYDATA:method}\\t%{GREEDYDATA:domain}\\t%{GREEDYDATA:uri}\\t%{GREEDYDATA:referrer}\\t%{GREEDYDATA:user_agent}\\t%{NUMBER:request_body_len}\\t%{NUMBER:response_body_len}\\t%{GREEDYDATA:status_code}\\t%{GREEDYDATA:status_msg}\\t%{GREEDYDATA:info_code}\\t%{GREEDYDATA:info_msg}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:bro_tags}\\t%{GREEDYDATA:username}\\t%{GREEDYDATA:password}\\t%{GREEDYDATA:proxied}\\t%{GREEDYDATA:orig_fuids}\\t%{GREEDYDATA:orig_mime_types}\\t%{GREEDYDATA:resp_fuids}\\t%{GREEDYDATA:resp_mime_types}"}
  1072. [2016-12-07T10:45:31,714][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_DNS"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{INT:trans_id}\\t%{GREEDYDATA:query}\\t%{GREEDYDATA:qclass}\\t%{GREEDYDATA:qclass_name}\\t%{GREEDYDATA:qtype}\\t%{GREEDYDATA:qtype_name}\\t%{GREEDYDATA:rcode}\\t%{GREEDYDATA:rcode_name}\\t%{GREEDYDATA:AA}\\t%{GREEDYDATA:TC}\\t%{GREEDYDATA:RD}\\t%{GREEDYDATA:RA}\\t%{GREEDYDATA:Z}\\t%{GREEDYDATA:answers}\\t%{GREEDYDATA:TTLs}\\t%{GREEDYDATA:rejected}"}
  1073. [2016-12-07T10:45:31,715][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_CONN"=>"%{NUMBER:ts}\\t%{NOTSPACE:uid}\\t%{IP:orig_h}\\t%{INT:orig_p}\\t%{IP:resp_h}\\t%{INT:resp_p}\\t%{WORD:proto}\\t%{GREEDYDATA:service}\\t%{NUMBER:duration}\\t%{NUMBER:orig_bytes}\\t%{NUMBER:resp_bytes}\\t%{GREEDYDATA:conn_state}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:missed_bytes}\\t%{GREEDYDATA:history}\\t%{GREEDYDATA:orig_pkts}\\t%{GREEDYDATA:orig_ip_bytes}\\t%{GREEDYDATA:resp_pkts}\\t%{GREEDYDATA:resp_ip_bytes}\\t%{GREEDYDATA:tunnel_parents}"}
  1074. [2016-12-07T10:45:31,715][DEBUG][logstash.filters.grok    ] Adding pattern {"BRO_FILES"=>"%{NUMBER:ts}\\t%{NOTSPACE:fuid}\\t%{IP:tx_hosts}\\t%{IP:rx_hosts}\\t%{NOTSPACE:conn_uids}\\t%{GREEDYDATA:source}\\t%{GREEDYDATA:depth}\\t%{GREEDYDATA:analyzers}\\t%{GREEDYDATA:mime_type}\\t%{GREEDYDATA:filename}\\t%{GREEDYDATA:duration}\\t%{GREEDYDATA:local_orig}\\t%{GREEDYDATA:is_orig}\\t%{GREEDYDATA:seen_bytes}\\t%{GREEDYDATA:total_bytes}\\t%{GREEDYDATA:missing_bytes}\\t%{GREEDYDATA:overflow_bytes}\\t%{GREEDYDATA:timedout}\\t%{GREEDYDATA:parent_fuid}\\t%{GREEDYDATA:md5}\\t%{GREEDYDATA:sha1}\\t%{GREEDYDATA:sha256}\\t%{GREEDYDATA:extracted}"}
  1075. [2016-12-07T10:45:31,715][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_MSGID"=>"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"}
  1076. [2016-12-07T10:45:31,715][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_FLAGS"=>"(<=|[-=>*]>|[*]{2}|==)"}
  1077. [2016-12-07T10:45:31,715][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_DATE"=>"%{YEAR:exim_year}-%{MONTHNUM:exim_month}-%{MONTHDAY:exim_day} %{TIME:exim_time}"}
  1078. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_PID"=>"\\[%{POSINT}\\]"}
  1079. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_QT"=>"((\\d+y)?(\\d+w)?(\\d+d)?(\\d+h)?(\\d+m)?(\\d+s)?)"}
  1080. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_EXCLUDE_TERMS"=>"(Message is frozen|(Start|End) queue run| Warning: | retry time not reached | no (IP address|host name) found for (IP address|host) | unexpected disconnection while reading SMTP command | no immediate delivery: |another process is handling this message)"}
  1081. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_REMOTE_HOST"=>"(H=(%{NOTSPACE:remote_hostname} )?(\\(%{NOTSPACE:remote_heloname}\\) )?\\[%{IP:remote_host}\\])"}
  1082. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_INTERFACE"=>"(I=\\[%{IP:exim_interface}\\](:%{NUMBER:exim_interface_port}))"}
  1083. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_PROTOCOL"=>"(P=%{NOTSPACE:protocol})"}
  1084. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_MSG_SIZE"=>"(S=%{NUMBER:exim_msg_size})"}
  1085. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_HEADER_ID"=>"(id=%{NOTSPACE:exim_header_id})"}
  1086. [2016-12-07T10:45:31,716][DEBUG][logstash.filters.grok    ] Adding pattern {"EXIM_SUBJECT"=>"(T=%{QS:exim_subject})"}
  1087. [2016-12-07T10:45:31,717][DEBUG][logstash.filters.grok    ] Adding pattern {"NETSCREENSESSIONLOG"=>"%{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}"}
  1088. [2016-12-07T10:45:31,717][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_TAGGED_SYSLOG"=>"^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}:"}
  1089. [2016-12-07T10:45:31,717][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOTIMESTAMP"=>"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}"}
  1090. [2016-12-07T10:45:31,717][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOTAG"=>"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)"}
  1091. [2016-12-07T10:45:31,717][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_ACTION"=>"Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted"}
  1092. [2016-12-07T10:45:31,718][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_REASON"=>"Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\\s*)*"}
  1093. [2016-12-07T10:45:31,718][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_DIRECTION"=>"Inbound|inbound|Outbound|outbound"}
  1094. [2016-12-07T10:45:31,718][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_INTERVAL"=>"first hit|%{INT}-second interval"}
  1095. [2016-12-07T10:45:31,718][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCO_XLATE_TYPE"=>"static|dynamic"}
  1096. [2016-12-07T10:45:31,718][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104001"=>"\\((?:Primary|Secondary)\\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}"}
  1097. [2016-12-07T10:45:31,718][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104002"=>"\\((?:Primary|Secondary)\\) Switching to STANDBY - %{GREEDYDATA:switch_reason}"}
  1098. [2016-12-07T10:45:31,718][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104003"=>"\\((?:Primary|Secondary)\\) Switching to FAILED\\."}
  1099. [2016-12-07T10:45:31,719][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW104004"=>"\\((?:Primary|Secondary)\\) Switching to OK\\."}
  1100. [2016-12-07T10:45:31,719][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105003"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting"}
  1101. [2016-12-07T10:45:31,719][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105004"=>"\\((?:Primary|Secondary)\\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal"}
  1102. [2016-12-07T10:45:31,719][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105005"=>"\\((?:Primary|Secondary)\\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}"}
  1103. [2016-12-07T10:45:31,719][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105008"=>"\\((?:Primary|Secondary)\\) Testing [Ii]nterface %{GREEDYDATA:interface_name}"}
  1104. [2016-12-07T10:45:31,719][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW105009"=>"\\((?:Primary|Secondary)\\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)"}
  1105. [2016-12-07T10:45:31,719][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106001"=>"%{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}"}
  1106. [2016-12-07T10:45:31,720][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106006_106007_106010"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\\(%{DATA:src_fwuser}\\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\\(%{DATA:dst_fwuser}\\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})"}
  1107. [2016-12-07T10:45:31,720][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106014"=>"%{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\\(%{DATA:dst_fwuser}\\))? \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\)"}
  1108. [2016-12-07T10:45:31,720][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106015"=>"%{CISCO_ACTION:action} %{WORD:protocol} \\(%{DATA:policy_id}\\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags}  on interface %{GREEDYDATA:interface}"}
  1109. [2016-12-07T10:45:31,720][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106021"=>"%{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}"}
  1110. [2016-12-07T10:45:31,720][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106023"=>"%{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\\(%{DATA:dst_fwuser}\\))?( \\(type %{INT:icmp_type}, code %{INT:icmp_code}\\))? by access-group \"?%{DATA:policy_id}\"? \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  1111. [2016-12-07T10:45:31,720][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106100_2_3"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\) -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  1112. [2016-12-07T10:45:31,720][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW106100"=>"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\\(%{INT:src_port}\\)(\\(%{DATA:src_fwuser}\\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\\(%{INT:dst_port}\\)(\\(%{DATA:src_fwuser}\\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \\[%{DATA:hashcode1}, %{DATA:hashcode2}\\]"}
  1113. [2016-12-07T10:45:31,721][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW110002"=>"%{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}"}
  1114. [2016-12-07T10:45:31,721][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302010"=>"%{INT:connection_count} in use, %{INT:connection_count_max} most used"}
  1115. [2016-12-07T10:45:31,721][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302013_302014_302015_302016"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\\))?(\\(%{DATA:src_fwuser}\\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\\))?(\\(%{DATA:dst_fwuser}\\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \\(%{DATA:user}\\))?"}
  1116. [2016-12-07T10:45:31,721][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW302020_302021"=>"%{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\\(%{DATA:fwuser}\\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \\(%{DATA:user}\\))?"}
  1117. [2016-12-07T10:45:31,721][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW305011"=>"%{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\\(%{DATA:src_fwuser}\\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}"}
  1118. [2016-12-07T10:45:31,721][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW313001_313004_313008"=>"%{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?"}
  1119. [2016-12-07T10:45:31,722][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW313005"=>"%{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\\(%{DATA:err_src_fwuser}\\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\\(%{DATA:err_dst_fwuser}\\))? \\(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\\) on %{DATA:interface} interface\\.  Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\\(%{DATA:orig_src_fwuser}\\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\\(%{DATA:orig_dst_fwuser}\\))?"}
  1120. [2016-12-07T10:45:31,722][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW321001"=>"Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system"}
  1121. [2016-12-07T10:45:31,722][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW402117"=>"%{WORD:protocol}: Received a non-IPSec packet \\(protocol= %{WORD:orig_protocol}\\) from %{IP:src_ip} to %{IP:dst_ip}"}
  1122. [2016-12-07T10:45:31,722][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW402119"=>"%{WORD:protocol}: Received an %{WORD:orig_protocol} packet \\(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\\) from %{IP:src_ip} \\(user= %{DATA:user}\\) to %{IP:dst_ip} that failed anti-replay checking"}
  1123. [2016-12-07T10:45:31,722][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW419001"=>"%{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}"}
  1124. [2016-12-07T10:45:31,722][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW419002"=>"%{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number"}
  1125. [2016-12-07T10:45:31,722][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW500004"=>"%{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}"}
  1126. [2016-12-07T10:45:31,723][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW602303_602304"=>"%{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \\(SPI= %{DATA:spi}\\) between %{IP:src_ip} and %{IP:dst_ip} \\(user= %{DATA:user}\\) has been %{CISCO_ACTION:action}"}
  1127. [2016-12-07T10:45:31,723][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW710001_710002_710003_710005_710006"=>"%{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}"}
  1128. [2016-12-07T10:45:31,723][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW713172"=>"Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\\s+Remote end\\s*%{DATA:is_remote_natted}\\s*behind a NAT device\\s+This\\s+end\\s*%{DATA:is_local_natted}\\s*behind a NAT device"}
  1129. [2016-12-07T10:45:31,723][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOFW733100"=>"\\[\\s*%{DATA:drop_type}\\s*\\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}"}
  1130. [2016-12-07T10:45:31,723][DEBUG][logstash.filters.grok    ] Adding pattern {"SHOREWALL"=>"(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)"}
  1131. [2016-12-07T10:45:31,724][DEBUG][logstash.filters.grok    ] Adding pattern {"USERNAME"=>"[a-zA-Z0-9._-]+"}
  1132. [2016-12-07T10:45:31,724][DEBUG][logstash.filters.grok    ] Adding pattern {"USER"=>"%{USERNAME}"}
  1133. [2016-12-07T10:45:31,724][DEBUG][logstash.filters.grok    ] Adding pattern {"EMAILLOCALPART"=>"[a-zA-Z][a-zA-Z0-9_.+-=:]+"}
  1134. [2016-12-07T10:45:31,724][DEBUG][logstash.filters.grok    ] Adding pattern {"EMAILADDRESS"=>"%{EMAILLOCALPART}@%{HOSTNAME}"}
  1135. [2016-12-07T10:45:31,724][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDUSER"=>"%{EMAILADDRESS}|%{USER}"}
  1136. [2016-12-07T10:45:31,724][DEBUG][logstash.filters.grok    ] Adding pattern {"INT"=>"(?:[+-]?(?:[0-9]+))"}
  1137. [2016-12-07T10:45:31,724][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE10NUM"=>"(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))"}
  1138. [2016-12-07T10:45:31,724][DEBUG][logstash.filters.grok    ] Adding pattern {"NUMBER"=>"(?:%{BASE10NUM})"}
  1139. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE16NUM"=>"(?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))"}
  1140. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"BASE16FLOAT"=>"\\b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\\.[0-9A-Fa-f]*)?)|(?:\\.[0-9A-Fa-f]+)))\\b"}
  1141. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"POSINT"=>"\\b(?:[1-9][0-9]*)\\b"}
  1142. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"NONNEGINT"=>"\\b(?:[0-9]+)\\b"}
  1143. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"WORD"=>"\\b\\w+\\b"}
  1144. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"NOTSPACE"=>"\\S+"}
  1145. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"SPACE"=>"\\s*"}
  1146. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"DATA"=>".*?"}
  1147. [2016-12-07T10:45:31,725][DEBUG][logstash.filters.grok    ] Adding pattern {"GREEDYDATA"=>".*"}
  1148. [2016-12-07T10:45:31,726][DEBUG][logstash.filters.grok    ] Adding pattern {"QUOTEDSTRING"=>"(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))"}
  1149. [2016-12-07T10:45:31,726][DEBUG][logstash.filters.grok    ] Adding pattern {"UUID"=>"[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}"}
  1150. [2016-12-07T10:45:31,726][DEBUG][logstash.filters.grok    ] Adding pattern {"URN"=>"urn:[0-9A-Za-z][0-9A-Za-z-]{0,31}:(?:%[0-9a-fA-F]{2}|[0-9A-Za-z()+,.:=@;$_!*'/?#-])+"}
  1151. [2016-12-07T10:45:31,726][DEBUG][logstash.filters.grok    ] Adding pattern {"MAC"=>"(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})"}
  1152. [2016-12-07T10:45:31,726][DEBUG][logstash.filters.grok    ] Adding pattern {"CISCOMAC"=>"(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})"}
  1153. [2016-12-07T10:45:31,726][DEBUG][logstash.filters.grok    ] Adding pattern {"WINDOWSMAC"=>"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})"}
  1154. [2016-12-07T10:45:31,726][DEBUG][logstash.filters.grok    ] Adding pattern {"COMMONMAC"=>"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})"}
  1155. [2016-12-07T10:45:31,726][DEBUG][logstash.filters.grok    ] Adding pattern {"IPV6"=>"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?"}
  1156. [2016-12-07T10:45:31,727][DEBUG][logstash.filters.grok    ] Adding pattern {"IPV4"=>"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"}
  1157. [2016-12-07T10:45:31,727][DEBUG][logstash.filters.grok    ] Adding pattern {"IP"=>"(?:%{IPV6}|%{IPV4})"}
  1158. [2016-12-07T10:45:31,727][DEBUG][logstash.filters.grok    ] Adding pattern {"HOSTNAME"=>"\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)"}
  1159. [2016-12-07T10:45:31,727][DEBUG][logstash.filters.grok    ] Adding pattern {"IPORHOST"=>"(?:%{IP}|%{HOSTNAME})"}
  1160. [2016-12-07T10:45:31,727][DEBUG][logstash.filters.grok    ] Adding pattern {"HOSTPORT"=>"%{IPORHOST}:%{POSINT}"}
  1161. [2016-12-07T10:45:31,727][DEBUG][logstash.filters.grok    ] Adding pattern {"PATH"=>"(?:%{UNIXPATH}|%{WINPATH})"}
  1162. [2016-12-07T10:45:31,727][DEBUG][logstash.filters.grok    ] Adding pattern {"UNIXPATH"=>"(/([\\w_%!$@:.,+~-]+|\\\\.)*)+"}
  1163. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"TTY"=>"(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))"}
  1164. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"WINPATH"=>"(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+"}
  1165. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPROTO"=>"[A-Za-z]+(\\+[A-Za-z+]+)?"}
  1166. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"URIHOST"=>"%{IPORHOST}(?::%{POSINT:port})?"}
  1167. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPATH"=>"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\\-]*)+"}
  1168. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPARAM"=>"\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*"}
  1169. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"URIPATHPARAM"=>"%{URIPATH}(?:%{URIPARAM})?"}
  1170. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"URI"=>"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?"}
  1171. [2016-12-07T10:45:31,728][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTH"=>"\\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\\b"}
  1172. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHNUM"=>"(?:0?[1-9]|1[0-2])"}
  1173. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHNUM2"=>"(?:0[1-9]|1[0-2])"}
  1174. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"MONTHDAY"=>"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])"}
  1175. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"DAY"=>"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)"}
  1176. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"YEAR"=>"(?>\\d\\d){1,2}"}
  1177. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"HOUR"=>"(?:2[0123]|[01]?[0-9])"}
  1178. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"MINUTE"=>"(?:[0-5][0-9])"}
  1179. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"SECOND"=>"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)"}
  1180. [2016-12-07T10:45:31,729][DEBUG][logstash.filters.grok    ] Adding pattern {"TIME"=>"(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])"}
  1181. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE_US"=>"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}"}
  1182. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE_EU"=>"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}"}
  1183. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"ISO8601_TIMEZONE"=>"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))"}
  1184. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"ISO8601_SECOND"=>"(?:%{SECOND}|60)"}
  1185. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"TIMESTAMP_ISO8601"=>"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?"}
  1186. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"DATE"=>"%{DATE_US}|%{DATE_EU}"}
  1187. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP"=>"%{DATE}[- ]%{TIME}"}
  1188. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"TZ"=>"(?:[APMCE][SD]T|UTC)"}
  1189. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_RFC822"=>"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}"}
  1190. [2016-12-07T10:45:31,730][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_RFC2822"=>"%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}"}
  1191. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_OTHER"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}"}
  1192. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"DATESTAMP_EVENTLOG"=>"%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}"}
  1193. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDERROR_DATE"=>"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"}
  1194. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGTIMESTAMP"=>"%{MONTH} +%{MONTHDAY} %{TIME}"}
  1195. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"PROG"=>"[\\x21-\\x5a\\x5c\\x5e-\\x7e]+"}
  1196. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGPROG"=>"%{PROG:program}(?:\\[%{POSINT:pid}\\])?"}
  1197. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGHOST"=>"%{IPORHOST}"}
  1198. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGFACILITY"=>"<%{NONNEGINT:facility}.%{NONNEGINT:priority}>"}
  1199. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPDATE"=>"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}"}
  1200. [2016-12-07T10:45:31,731][DEBUG][logstash.filters.grok    ] Adding pattern {"QS"=>"%{QUOTEDSTRING}"}
  1201. [2016-12-07T10:45:31,732][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGBASE"=>"%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:"}
  1202. [2016-12-07T10:45:31,732][DEBUG][logstash.filters.grok    ] Adding pattern {"COMMONAPACHELOG"=>"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"}
  1203. [2016-12-07T10:45:31,732][DEBUG][logstash.filters.grok    ] Adding pattern {"COMBINEDAPACHELOG"=>"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}"}
  1204. [2016-12-07T10:45:31,732][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD20_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:errormsg}"}
  1205. [2016-12-07T10:45:31,732][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD24_ERRORLOG"=>"\\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{WORD:module}:%{LOGLEVEL:loglevel}\\] \\[pid %{POSINT:pid}:tid %{NUMBER:tid}\\]( \\(%{POSINT:proxy_errorcode}\\)%{DATA:proxy_errormessage}:)?( \\[client %{IPORHOST:client}:%{POSINT:clientport}\\])? %{DATA:errorcode}: %{GREEDYDATA:message}"}
  1206. [2016-12-07T10:45:31,732][DEBUG][logstash.filters.grok    ] Adding pattern {"HTTPD_ERRORLOG"=>"%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}"}
  1207. [2016-12-07T10:45:31,732][DEBUG][logstash.filters.grok    ] Adding pattern {"LOGLEVEL"=>"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)"}
  1208. [2016-12-07T10:45:31,733][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYTIME"=>"(?!<[0-9])%{HOUR:haproxy_hour}:%{MINUTE:haproxy_minute}(?::%{SECOND:haproxy_second})(?![0-9])"}
  1209. [2016-12-07T10:45:31,733][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYDATE"=>"%{MONTHDAY:haproxy_monthday}/%{MONTH:haproxy_month}/%{YEAR:haproxy_year}:%{HAPROXYTIME:haproxy_time}.%{INT:haproxy_milliseconds}"}
  1210. [2016-12-07T10:45:31,733][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYCAPTUREDREQUESTHEADERS"=>"%{DATA:captured_request_headers}"}
  1211. [2016-12-07T10:45:31,733][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYCAPTUREDRESPONSEHEADERS"=>"%{DATA:captured_response_headers}"}
  1212. [2016-12-07T10:45:31,734][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYHTTPBASE"=>"%{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\\{%{HAPROXYCAPTUREDREQUESTHEADERS}\\})?( )?(\\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\""}
  1213. [2016-12-07T10:45:31,734][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYHTTP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{HAPROXYHTTPBASE}"}
  1214. [2016-12-07T10:45:31,734][DEBUG][logstash.filters.grok    ] Adding pattern {"HAPROXYTCP"=>"(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \\[%{HAPROXYDATE:accept_date}\\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_queue}/%{INT:time_backend_connect}/%{NOTSPACE:time_duration} %{NOTSPACE:bytes_read} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue}"}
  1215. [2016-12-07T10:45:31,734][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVACLASS"=>"(?:[a-zA-Z$_][a-zA-Z$_0-9]*\\.)*[a-zA-Z$_][a-zA-Z$_0-9]*"}
  1216. [2016-12-07T10:45:31,734][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAFILE"=>"(?:[A-Za-z0-9_. -]+)"}
  1217. [2016-12-07T10:45:31,734][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAMETHOD"=>"(?:(<(?:cl)?init>)|[a-zA-Z$_][a-zA-Z$_0-9]*)"}
  1218. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVASTACKTRACEPART"=>"%{SPACE}at %{JAVACLASS:class}\\.%{JAVAMETHOD:method}\\(%{JAVAFILE:file}(?::%{NUMBER:line})?\\)"}
  1219. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVATHREAD"=>"(?:[A-Z]{2}-Processor[\\d]+)"}
  1220. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVACLASS"=>"(?:[a-zA-Z0-9-]+\\.)+[A-Za-z0-9$]+"}
  1221. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVAFILE"=>"(?:[A-Za-z0-9_.-]+)"}
  1222. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVASTACKTRACEPART"=>"at %{JAVACLASS:class}\\.%{WORD:method}\\(%{JAVAFILE:file}:%{NUMBER:line}\\)"}
  1223. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"JAVALOGMESSAGE"=>"(.*)"}
  1224. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"CATALINA_DATESTAMP"=>"%{MONTH} %{MONTHDAY}, 20%{YEAR} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) (?:AM|PM)"}
  1225. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"TOMCAT_DATESTAMP"=>"20%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{ISO8601_TIMEZONE}"}
  1226. [2016-12-07T10:45:31,735][DEBUG][logstash.filters.grok    ] Adding pattern {"CATALINALOG"=>"%{CATALINA_DATESTAMP:timestamp} %{JAVACLASS:class} %{JAVALOGMESSAGE:logmessage}"}
  1227. [2016-12-07T10:45:31,736][DEBUG][logstash.filters.grok    ] Adding pattern {"TOMCATLOG"=>"%{TOMCAT_DATESTAMP:timestamp} \\| %{LOGLEVEL:level} \\| %{JAVACLASS:class} - %{JAVALOGMESSAGE:logmessage}"}
  1228. [2016-12-07T10:45:31,736][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW_EVENT"=>"(RT_FLOW_SESSION_CREATE|RT_FLOW_SESSION_CLOSE|RT_FLOW_SESSION_DENY)"}
  1229. [2016-12-07T10:45:31,736][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW1"=>"%{RT_FLOW_EVENT:event}: %{GREEDYDATA:close-reason}: %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} \\d+\\(%{DATA:sent}\\) \\d+\\(%{DATA:received}\\) %{INT:elapsed-time} .*"}
  1230. [2016-12-07T10:45:31,736][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW2"=>"%{RT_FLOW_EVENT:event}: session created %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{IP:nat-src-ip}/%{INT:nat-src-port}->%{IP:nat-dst-ip}/%{INT:nat-dst-port} %{DATA:src-nat-rule-name} %{DATA:dst-nat-rule-name} %{INT:protocol-id} %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} %{INT:session-id} .*"}
  1231. [2016-12-07T10:45:31,736][DEBUG][logstash.filters.grok    ] Adding pattern {"RT_FLOW3"=>"%{RT_FLOW_EVENT:event}: session denied %{IP:src-ip}/%{INT:src-port}->%{IP:dst-ip}/%{INT:dst-port} %{DATA:service} %{INT:protocol-id}\\(\\d\\) %{DATA:policy-name} %{DATA:from-zone} %{DATA:to-zone} .*"}
  1232. [2016-12-07T10:45:31,737][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424PRINTASCII"=>"[!-~]+"}
  1233. [2016-12-07T10:45:31,737][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGBASE2"=>"(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource}+(?: %{SYSLOGPROG}:|)"}
  1234. [2016-12-07T10:45:31,737][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGPAMSESSION"=>"%{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?"}
  1235. [2016-12-07T10:45:31,737][DEBUG][logstash.filters.grok    ] Adding pattern {"CRON_ACTION"=>"[A-Z ]+"}
  1236. [2016-12-07T10:45:31,737][DEBUG][logstash.filters.grok    ] Adding pattern {"CRONLOG"=>"%{SYSLOGBASE} \\(%{USER:user}\\) %{CRON_ACTION:action} \\(%{DATA:message}\\)"}
  1237. [2016-12-07T10:45:31,737][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOGLINE"=>"%{SYSLOGBASE2} %{GREEDYDATA:message}"}
  1238. [2016-12-07T10:45:31,737][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424PRI"=>"<%{NONNEGINT:syslog5424_pri}>"}
  1239. [2016-12-07T10:45:31,738][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424SD"=>"\\[%{DATA}\\]+"}
  1240. [2016-12-07T10:45:31,738][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424BASE"=>"%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|)"}
  1241. [2016-12-07T10:45:31,738][DEBUG][logstash.filters.grok    ] Adding pattern {"SYSLOG5424LINE"=>"%{SYSLOG5424BASE} +%{GREEDYDATA:syslog5424_msg}"}
  1242. [2016-12-07T10:45:31,738][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:"}
  1243. [2016-12-07T10:45:31,738][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVE"=>"., \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\]%{SPACE}%{LOGLEVEL:event_level}"}
  1244. [2016-12-07T10:45:31,739][DEBUG][logstash.filters.grok    ] Adding pattern {"MCOLLECTIVEAUDIT"=>"%{TIMESTAMP_ISO8601:timestamp}:"}
  1245. [2016-12-07T10:45:31,739][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_LOG"=>"%{SYSLOGTIMESTAMP:timestamp} \\[%{WORD:component}\\] %{GREEDYDATA:message}"}
  1246. [2016-12-07T10:45:31,739][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_QUERY"=>"\\{ (?<={ ).*(?= } ntoreturn:) \\}"}
  1247. [2016-12-07T10:45:31,739][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_SLOWQUERY"=>"%{WORD} %{MONGO_WORDDASH:database}\\.%{MONGO_WORDDASH:collection} %{WORD}: %{MONGO_QUERY:query} %{WORD}:%{NONNEGINT:ntoreturn} %{WORD}:%{NONNEGINT:ntoskip} %{WORD}:%{NONNEGINT:nscanned}.*nreturned:%{NONNEGINT:nreturned}..+ (?<duration>[0-9]+)ms"}
  1248. [2016-12-07T10:45:31,739][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO_WORDDASH"=>"\\b[\\w-]+\\b"}
  1249. [2016-12-07T10:45:31,739][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_SEVERITY"=>"\\w"}
  1250. [2016-12-07T10:45:31,739][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_COMPONENT"=>"%{WORD}|-"}
  1251. [2016-12-07T10:45:31,739][DEBUG][logstash.filters.grok    ] Adding pattern {"MONGO3_LOG"=>"%{TIMESTAMP_ISO8601:timestamp} %{MONGO3_SEVERITY:severity} %{MONGO3_COMPONENT:component}%{SPACE}(?:\\[%{DATA:context}\\])? %{GREEDYDATA:message}"}
  1252. [2016-12-07T10:45:31,740][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOSTIME"=>"\\[%{NUMBER:nagios_epoch}\\]"}
  1253. [2016-12-07T10:45:31,740][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_CURRENT_SERVICE_STATE"=>"CURRENT SERVICE STATE"}
  1254. [2016-12-07T10:45:31,740][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_CURRENT_HOST_STATE"=>"CURRENT HOST STATE"}
  1255. [2016-12-07T10:45:31,740][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_NOTIFICATION"=>"SERVICE NOTIFICATION"}
  1256. [2016-12-07T10:45:31,740][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_NOTIFICATION"=>"HOST NOTIFICATION"}
  1257. [2016-12-07T10:45:31,740][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_ALERT"=>"SERVICE ALERT"}
  1258. [2016-12-07T10:45:31,740][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_ALERT"=>"HOST ALERT"}
  1259. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_FLAPPING_ALERT"=>"SERVICE FLAPPING ALERT"}
  1260. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_FLAPPING_ALERT"=>"HOST FLAPPING ALERT"}
  1261. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT"=>"SERVICE DOWNTIME ALERT"}
  1262. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_DOWNTIME_ALERT"=>"HOST DOWNTIME ALERT"}
  1263. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_PASSIVE_SERVICE_CHECK"=>"PASSIVE SERVICE CHECK"}
  1264. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_PASSIVE_HOST_CHECK"=>"PASSIVE HOST CHECK"}
  1265. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_SERVICE_EVENT_HANDLER"=>"SERVICE EVENT HANDLER"}
  1266. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_HOST_EVENT_HANDLER"=>"HOST EVENT HANDLER"}
  1267. [2016-12-07T10:45:31,741][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_EXTERNAL_COMMAND"=>"EXTERNAL COMMAND"}
  1268. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TYPE_TIMEPERIOD_TRANSITION"=>"TIMEPERIOD TRANSITION"}
  1269. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_SVC_CHECK"=>"DISABLE_SVC_CHECK"}
  1270. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_SVC_CHECK"=>"ENABLE_SVC_CHECK"}
  1271. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_CHECK"=>"DISABLE_HOST_CHECK"}
  1272. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_CHECK"=>"ENABLE_HOST_CHECK"}
  1273. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT"=>"PROCESS_SERVICE_CHECK_RESULT"}
  1274. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_PROCESS_HOST_CHECK_RESULT"=>"PROCESS_HOST_CHECK_RESULT"}
  1275. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_SCHEDULE_SERVICE_DOWNTIME"=>"SCHEDULE_SERVICE_DOWNTIME"}
  1276. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_SCHEDULE_HOST_DOWNTIME"=>"SCHEDULE_HOST_DOWNTIME"}
  1277. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS"=>"DISABLE_HOST_SVC_NOTIFICATIONS"}
  1278. [2016-12-07T10:45:31,742][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS"=>"ENABLE_HOST_SVC_NOTIFICATIONS"}
  1279. [2016-12-07T10:45:31,743][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS"=>"DISABLE_HOST_NOTIFICATIONS"}
  1280. [2016-12-07T10:45:31,743][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS"=>"ENABLE_HOST_NOTIFICATIONS"}
  1281. [2016-12-07T10:45:31,743][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS"=>"DISABLE_SVC_NOTIFICATIONS"}
  1282. [2016-12-07T10:45:31,743][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS"=>"ENABLE_SVC_NOTIFICATIONS"}
  1283. [2016-12-07T10:45:31,743][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_WARNING"=>"Warning:%{SPACE}%{GREEDYDATA:nagios_message}"}
  1284. [2016-12-07T10:45:31,743][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_CURRENT_SERVICE_STATE"=>"%{NAGIOS_TYPE_CURRENT_SERVICE_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}"}
  1285. [2016-12-07T10:45:31,743][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_CURRENT_HOST_STATE"=>"%{NAGIOS_TYPE_CURRENT_HOST_STATE:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statetype};%{DATA:nagios_statecode};%{GREEDYDATA:nagios_message}"}
  1286. [2016-12-07T10:45:31,743][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_NOTIFICATION"=>"%{NAGIOS_TYPE_SERVICE_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}"}
  1287. [2016-12-07T10:45:31,744][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_NOTIFICATION"=>"%{NAGIOS_TYPE_HOST_NOTIFICATION:nagios_type}: %{DATA:nagios_notifyname};%{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_contact};%{GREEDYDATA:nagios_message}"}
  1288. [2016-12-07T10:45:31,744][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_ALERT"=>"%{NAGIOS_TYPE_SERVICE_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}"}
  1289. [2016-12-07T10:45:31,744][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_ALERT"=>"%{NAGIOS_TYPE_HOST_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{NUMBER:nagios_attempt};%{GREEDYDATA:nagios_message}"}
  1290. [2016-12-07T10:45:31,744][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_SERVICE_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}"}
  1291. [2016-12-07T10:45:31,744][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_FLAPPING_ALERT"=>"%{NAGIOS_TYPE_HOST_FLAPPING_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_message}"}
  1292. [2016-12-07T10:45:31,744][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_SERVICE_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  1293. [2016-12-07T10:45:31,744][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_DOWNTIME_ALERT"=>"%{NAGIOS_TYPE_HOST_DOWNTIME_ALERT:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  1294. [2016-12-07T10:45:31,744][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_PASSIVE_SERVICE_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_SERVICE_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  1295. [2016-12-07T10:45:31,745][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_PASSIVE_HOST_CHECK"=>"%{NAGIOS_TYPE_PASSIVE_HOST_CHECK:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_comment}"}
  1296. [2016-12-07T10:45:31,745][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_SERVICE_EVENT_HANDLER"=>"%{NAGIOS_TYPE_SERVICE_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}"}
  1297. [2016-12-07T10:45:31,745][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}"}
  1298. [2016-12-07T10:45:31,745][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_TRANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:nagios_unknown2}"}
  1299. [2016-12-07T10:45:31,745][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}"}
  1300. [2016-12-07T10:45:31,745][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}"}
  1301. [2016-12-07T10:45:31,745][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service}"}
  1302. [2016-12-07T10:45:31,746][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagios_hostname}"}
  1303. [2016-12-07T10:45:31,746][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_SERVICE_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}"}
  1304. [2016-12-07T10:45:31,746][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_PROCESS_HOST_CHECK_RESULT:nagios_command};%{DATA:nagios_hostname};%{DATA:nagios_state};%{GREEDYDATA:nagios_check_result}"}
  1305. [2016-12-07T10:45:31,746][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  1306. [2016-12-07T10:45:31,746][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  1307. [2016-12-07T10:45:31,746][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}"}
  1308. [2016-12-07T10:45:31,746][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_SVC_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  1309. [2016-12-07T10:45:31,746][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_NOTIFICATIONS:nagios_command};%{GREEDYDATA:nagios_hostname}"}
  1310. [2016-12-07T10:45:31,747][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_NOTIFICATIONS:nagios_command};%{DATA:nagios_hostname};%{GREEDYDATA:nagios_service}"}
  1311. [2016-12-07T10:45:31,747][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME"=>"%{NAGIOS_TYPE_EXTERNAL_COMMAND:nagios_type}: %{NAGIOS_EC_SCHEDULE_HOST_DOWNTIME:nagios_command};%{DATA:nagios_hostname};%{NUMBER:nagios_start_time};%{NUMBER:nagios_end_time};%{NUMBER:nagios_fixed};%{NUMBER:nagios_trigger_id};%{NUMBER:nagios_duration};%{DATA:author};%{DATA:comment}"}
  1312. [2016-12-07T10:45:31,747][DEBUG][logstash.filters.grok    ] Adding pattern {"NAGIOSLOGLINE"=>"%{NAGIOSTIME} (?:%{NAGIOS_WARNING}|%{NAGIOS_CURRENT_SERVICE_STATE}|%{NAGIOS_CURRENT_HOST_STATE}|%{NAGIOS_SERVICE_NOTIFICATION}|%{NAGIOS_HOST_NOTIFICATION}|%{NAGIOS_SERVICE_ALERT}|%{NAGIOS_HOST_ALERT}|%{NAGIOS_SERVICE_FLAPPING_ALERT}|%{NAGIOS_HOST_FLAPPING_ALERT}|%{NAGIOS_SERVICE_DOWNTIME_ALERT}|%{NAGIOS_HOST_DOWNTIME_ALERT}|%{NAGIOS_PASSIVE_SERVICE_CHECK}|%{NAGIOS_PASSIVE_HOST_CHECK}|%{NAGIOS_SERVICE_EVENT_HANDLER}|%{NAGIOS_HOST_EVENT_HANDLER}|%{NAGIOS_TIMEPERIOD_TRANSITION}|%{NAGIOS_EC_LINE_DISABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_ENABLE_SVC_CHECK}|%{NAGIOS_EC_LINE_DISABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_ENABLE_HOST_CHECK}|%{NAGIOS_EC_LINE_PROCESS_HOST_CHECK_RESULT}|%{NAGIOS_EC_LINE_PROCESS_SERVICE_CHECK_RESULT}|%{NAGIOS_EC_LINE_SCHEDULE_HOST_DOWNTIME}|%{NAGIOS_EC_LINE_DISABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_HOST_NOTIFICATIONS}|%{NAGIOS_EC_LINE_DISABLE_SVC_NOTIFICATIONS}|%{NAGIOS_EC_LINE_ENABLE_SVC_NOTIFICATIONS})"}
  1313. [2016-12-07T10:45:31,749][DEBUG][logstash.filters.grok    ] Adding pattern {"POSTGRESQL"=>"%{DATESTAMP:timestamp} %{TZ} %{DATA:user_id} %{GREEDYDATA:connection_id} %{POSINT:pid}"}
  1314. [2016-12-07T10:45:31,750][DEBUG][logstash.filters.grok    ] Adding pattern {"RUUID"=>"\\h{32}"}
  1315. [2016-12-07T10:45:31,750][DEBUG][logstash.filters.grok    ] Adding pattern {"RCONTROLLER"=>"(?<controller>[^#]+)#(?<action>\\w+)"}
  1316. [2016-12-07T10:45:31,750][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3HEAD"=>"(?m)Started %{WORD:verb} \"%{URIPATHPARAM:request}\" for %{IPORHOST:clientip} at (?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{ISO8601_TIMEZONE})"}
  1317. [2016-12-07T10:45:31,750][DEBUG][logstash.filters.grok    ] Adding pattern {"RPROCESSING"=>"\\W*Processing by %{RCONTROLLER} as (?<format>\\S+)(?:\\W*Parameters: {%{DATA:params}}\\W*)?"}
  1318. [2016-12-07T10:45:31,750][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3FOOT"=>"Completed %{NUMBER:response}%{DATA} in %{NUMBER:totalms}ms %{RAILS3PROFILE}%{GREEDYDATA}"}
  1319. [2016-12-07T10:45:31,750][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3PROFILE"=>"(?:\\(Views: %{NUMBER:viewms}ms \\| ActiveRecord: %{NUMBER:activerecordms}ms|\\(ActiveRecord: %{NUMBER:activerecordms}ms)?"}
  1320. [2016-12-07T10:45:31,751][DEBUG][logstash.filters.grok    ] Adding pattern {"RAILS3"=>"%{RAILS3HEAD}(?:%{RPROCESSING})?(?<context>(?:%{DATA}\\n)*)(?:%{RAILS3FOOT})?"}
  1321. [2016-12-07T10:45:31,751][DEBUG][logstash.filters.grok    ] Adding pattern {"REDISTIMESTAMP"=>"%{MONTHDAY} %{MONTH} %{TIME}"}
  1322. [2016-12-07T10:45:31,751][DEBUG][logstash.filters.grok    ] Adding pattern {"REDISLOG"=>"\\[%{POSINT:pid}\\] %{REDISTIMESTAMP:timestamp} \\* "}
  1323. [2016-12-07T10:45:31,751][DEBUG][logstash.filters.grok    ] Adding pattern {"RUBY_LOGLEVEL"=>"(?:DEBUG|FATAL|ERROR|WARN|INFO)"}
  1324. [2016-12-07T10:45:31,751][DEBUG][logstash.filters.grok    ] Adding pattern {"RUBY_LOGGER"=>"[DFEWI], \\[%{TIMESTAMP_ISO8601:timestamp} #%{POSINT:pid}\\] *%{RUBY_LOGLEVEL:loglevel} -- +%{DATA:progname}: %{GREEDYDATA:message}"}
  1325. [2016-12-07T10:45:31,752][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent})
  1326. [2016-12-07T10:45:31,752][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-))
  1327. [2016-12-07T10:45:31,752][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<IPORHOST:clientip>(?:%{IP}|%{HOSTNAME}))
  1328. [2016-12-07T10:45:31,752][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:%{IPV6}|%{IPV4}))
  1329. [2016-12-07T10:45:31,752][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)
  1330. [2016-12-07T10:45:31,752][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))
  1331. [2016-12-07T10:45:31,752][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))
  1332. [2016-12-07T10:45:31,753][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<HTTPDUSER:ident>%{EMAILADDRESS}|%{USER})
  1333. [2016-12-07T10:45:31,753][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{EMAILLOCALPART}@%{HOSTNAME})
  1334. [2016-12-07T10:45:31,753][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:[a-zA-Z][a-zA-Z0-9_.+-=:]+)
  1335. [2016-12-07T10:45:31,753][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))
  1336. [2016-12-07T10:45:31,753][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:%{USERNAME})
  1337. [2016-12-07T10:45:31,754][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:[a-zA-Z0-9._-]+)
  1338. [2016-12-07T10:45:31,754][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<USER:auth>%{USERNAME})
  1339. [2016-12-07T10:45:31,754][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:[a-zA-Z0-9._-]+)
  1340. [2016-12-07T10:45:31,754][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<HTTPDATE:timestamp>%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT})
  1341. [2016-12-07T10:45:31,754][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))
  1342. [2016-12-07T10:45:31,754][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\b)
  1343. [2016-12-07T10:45:31,754][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?>\d\d){1,2})
  1344. [2016-12-07T10:45:31,754][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9]))
  1345. [2016-12-07T10:45:31,755][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:2[0123]|[01]?[0-9]))
  1346. [2016-12-07T10:45:31,755][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:[0-5][0-9]))
  1347. [2016-12-07T10:45:31,755][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))
  1348. [2016-12-07T10:45:31,755][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?:[+-]?(?:[0-9]+)))
  1349. [2016-12-07T10:45:31,755][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<WORD:verb>\b\w+\b)
  1350. [2016-12-07T10:45:31,755][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NOTSPACE:request>\S+)
  1351. [2016-12-07T10:45:31,755][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NUMBER:httpversion>(?:%{BASE10NUM}))
  1352. [2016-12-07T10:45:31,756][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))
  1353. [2016-12-07T10:45:31,756][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<DATA:rawrequest>.*?)
  1354. [2016-12-07T10:45:31,756][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NUMBER:response>(?:%{BASE10NUM}))
  1355. [2016-12-07T10:45:31,756][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))
  1356. [2016-12-07T10:45:31,756][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<NUMBER:bytes>(?:%{BASE10NUM}))
  1357. [2016-12-07T10:45:31,756][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))
  1358. [2016-12-07T10:45:31,756][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<QS:referrer>%{QUOTEDSTRING})
  1359. [2016-12-07T10:45:31,757][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``)))
  1360. [2016-12-07T10:45:31,757][DEBUG][logstash.filters.grok    ] replacement_pattern => (?<QS:agent>%{QUOTEDSTRING})
  1361. [2016-12-07T10:45:31,757][DEBUG][logstash.filters.grok    ] replacement_pattern => (?:(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``)))
  1362. [2016-12-07T10:45:31,757][DEBUG][logstash.filters.grok    ] Grok compiled OK {:pattern=>"%{COMBINEDAPACHELOG}", :expanded_pattern=>"(?:(?:(?<IPORHOST:clientip>(?:(?:(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9]))))|(?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)))) (?<HTTPDUSER:ident>(?:(?:[a-zA-Z][a-zA-Z0-9_.+-=:]+)@(?:\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)))|(?:(?:[a-zA-Z0-9._-]+))) (?<USER:auth>(?:[a-zA-Z0-9._-]+)) 
\\[(?<HTTPDATE:timestamp>(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))/(?:\\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\\b)/(?:(?>\\d\\d){1,2}):(?:(?!<[0-9])(?:(?:2[0123]|[01]?[0-9])):(?:(?:[0-5][0-9]))(?::(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9])) (?:(?:[+-]?(?:[0-9]+))))\\] \"(?:(?<WORD:verb>\\b\\w+\\b) (?<NOTSPACE:request>\\S+)(?: HTTP/(?<NUMBER:httpversion>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))))))?|(?<DATA:rawrequest>.*?))\" (?<NUMBER:response>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))))) (?:(?<NUMBER:bytes>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+))))))|-)) (?<QS:referrer>(?:(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``)))) (?<QS:agent>(?:(?>(?<!\\\\)(?>\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``)))))"}
  1363. [2016-12-07T10:45:31,758][WARN ][logstash.filters.date    ] Date filter now use BCP47 format for locale, replacing underscore with dash
  1364. [2016-12-07T10:45:31,766][DEBUG][logstash.filters.date    ] Adding type with date config {:type=>nil, :field=>"timestamp", :format=>"dd/MMM/yyyy:HH:mm:ss Z"}
  1365. [2016-12-07T10:45:31,768][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>6, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>750}
  1366. [2016-12-07T10:45:31,771][INFO ][logstash.pipeline        ] Pipeline main started
  1367. [2016-12-07T10:45:31,780][DEBUG][logstash.agent           ] Starting puma
  1368. [2016-12-07T10:45:31,781][DEBUG][logstash.agent           ] Trying to start WebServer {:port=>9600}
  1369. [2016-12-07T10:45:31,782][DEBUG][logstash.api.service     ] [api-service] start
  1370. [2016-12-07T10:45:31,817][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
  1371. [2016-12-07T10:45:32,675][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:32 -0200}
  1372. [2016-12-07T10:45:33,686][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:33 -0200}
  1373. [2016-12-07T10:45:34,690][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:34 -0200}
  1374. [2016-12-07T10:45:35,695][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:35 -0200}
  1375. [2016-12-07T10:45:36,546][DEBUG][org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
  1376. [2016-12-07T10:45:36,548][DEBUG][org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection request: [route: {}->http://localhost:9200][total kept alive: 0; route allocated: 0 of 100; total allocated: 0 of 1000]
  1377. [2016-12-07T10:45:36,574][DEBUG][org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection leased: [id: 0][route: {}->http://localhost:9200][total kept alive: 0; route allocated: 1 of 100; total allocated: 1 of 1000]
  1378. [2016-12-07T10:45:36,575][DEBUG][org.apache.http.impl.execchain.MainClientExec] Opening connection {}->http://localhost:9200
  1379. [2016-12-07T10:45:36,577][DEBUG][org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connecting to localhost/127.0.0.1:9200
  1380. [2016-12-07T10:45:36,582][DEBUG][org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] Connection established 127.0.0.1:9418<->127.0.0.1:9200
  1381. [2016-12-07T10:45:36,582][DEBUG][org.apache.http.impl.conn.DefaultManagedHttpClientConnection] http-outgoing-0: set socket timeout to 60000
  1382. [2016-12-07T10:45:36,582][DEBUG][org.apache.http.impl.execchain.MainClientExec] Executing request GET /_nodes HTTP/1.1
  1383. [2016-12-07T10:45:36,582][DEBUG][org.apache.http.impl.execchain.MainClientExec] Target auth state: UNCHALLENGED
  1384. [2016-12-07T10:45:36,583][DEBUG][org.apache.http.impl.execchain.MainClientExec] Proxy auth state: UNCHALLENGED
  1385. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.headers  ] http-outgoing-0 >> GET /_nodes HTTP/1.1
  1386. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.headers  ] http-outgoing-0 >> Connection: Keep-Alive
  1387. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.headers  ] http-outgoing-0 >> Content-Length: 0
  1388. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.headers  ] http-outgoing-0 >> Host: localhost:9200
  1389. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.headers  ] http-outgoing-0 >> User-Agent: Manticore 0.6.0
  1390. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.headers  ] http-outgoing-0 >> Accept-Encoding: gzip,deflate
  1391. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.wire     ] http-outgoing-0 >> "GET /_nodes HTTP/1.1[\r][\n]"
  1392. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.wire     ] http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
  1393. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.wire     ] http-outgoing-0 >> "Content-Length: 0[\r][\n]"
  1394. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.wire     ] http-outgoing-0 >> "Host: localhost:9200[\r][\n]"
  1395. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.wire     ] http-outgoing-0 >> "User-Agent: Manticore 0.6.0[\r][\n]"
  1396. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.wire     ] http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
  1397. [2016-12-07T10:45:36,590][DEBUG][org.apache.http.wire     ] http-outgoing-0 >> "[\r][\n]"
  1398. [2016-12-07T10:45:36,592][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "HTTP/1.1 200 OK[\r][\n]"
  1399. [2016-12-07T10:45:36,592][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "content-type: application/json; charset=UTF-8[\r][\n]"
  1400. [2016-12-07T10:45:36,592][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "content-encoding: gzip[\r][\n]"
  1401. [2016-12-07T10:45:36,592][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "transfer-encoding: chunked[\r][\n]"
  1402. [2016-12-07T10:45:36,592][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "[\r][\n]"
  1403. [2016-12-07T10:45:36,592][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "6f9[\r][\n]"
  1406. [2016-12-07T10:45:36,593][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "a[\r][\n]"
  1407. [2016-12-07T10:45:36,593][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "[0x3][0x0][0xbf]g[0x11]C[0xcb][0x13][0x0][0x0][\r][\n]"
  1408. [2016-12-07T10:45:36,593][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "0[\r][\n]"
  1409. [2016-12-07T10:45:36,593][DEBUG][org.apache.http.wire     ] http-outgoing-0 << "[\r][\n]"
  1410. [2016-12-07T10:45:36,596][DEBUG][org.apache.http.headers  ] http-outgoing-0 << HTTP/1.1 200 OK
  1411. [2016-12-07T10:45:36,596][DEBUG][org.apache.http.headers  ] http-outgoing-0 << content-type: application/json; charset=UTF-8
  1412. [2016-12-07T10:45:36,596][DEBUG][org.apache.http.headers  ] http-outgoing-0 << content-encoding: gzip
  1413. [2016-12-07T10:45:36,596][DEBUG][org.apache.http.headers  ] http-outgoing-0 << transfer-encoding: chunked
  1414. [2016-12-07T10:45:36,603][DEBUG][org.apache.http.impl.execchain.MainClientExec] Connection can be kept alive indefinitely
  1415. [2016-12-07T10:45:36,618][DEBUG][org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection [id: 0][route: {}->http://localhost:9200] can be kept alive indefinitely
  1416. [2016-12-07T10:45:36,618][DEBUG][org.apache.http.impl.conn.PoolingHttpClientConnectionManager] Connection released: [id: 0][route: {}->http://localhost:9200][total kept alive: 1; route allocated: 1 of 100; total allocated: 1 of 1000]
  1417. [2016-12-07T10:45:36,662][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>["http://localhost:9200"], :added=>[]}}
  1418. [2016-12-07T10:45:36,698][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:36 -0200}
  1419. [2016-12-07T10:45:36,772][DEBUG][logstash.pipeline        ] Pushing flush onto pipeline
  1420. [2016-12-07T10:45:37,701][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:37 -0200}
  1421. [2016-12-07T10:45:38,710][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:38 -0200}
  1422. [2016-12-07T10:45:39,712][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:39 -0200}
  1423. [2016-12-07T10:45:40,716][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:40 -0200}
  1424. [2016-12-07T10:45:41,666][WARN ][logstash.outputs.elasticsearch] UNEXPECTED POOL ERROR {:e=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::NoConnectionAvailableError: No Available connections>}
  1425. [2016-12-07T10:45:41,667][WARN ][logstash.outputs.elasticsearch] Elasticsearch output attempted to sniff for new connections but cannot. No living connections are detected. Pool contains the following current URLs {:url_info=>{}}
  1426. [2016-12-07T10:45:41,731][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:41 -0200}
  1427. [2016-12-07T10:45:41,775][DEBUG][logstash.pipeline        ] Pushing flush onto pipeline
  1428. [2016-12-07T10:45:42,733][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:42 -0200}
  1429. [2016-12-07T10:45:43,739][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:43 -0200}
  1430. [2016-12-07T10:45:44,745][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:44 -0200}
  1431. [2016-12-07T10:45:45,749][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:45 -0200}
  1432. [2016-12-07T10:45:46,672][WARN ][logstash.outputs.elasticsearch] UNEXPECTED POOL ERROR {:e=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::NoConnectionAvailableError: No Available connections>}
  1433. [2016-12-07T10:45:46,673][WARN ][logstash.outputs.elasticsearch] Elasticsearch output attempted to sniff for new connections but cannot. No living connections are detected. Pool contains the following current URLs {:url_info=>{}}
  1434. [2016-12-07T10:45:46,758][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:46 -0200}
  1435. [2016-12-07T10:45:46,777][DEBUG][logstash.pipeline        ] Pushing flush onto pipeline
  1436. [2016-12-07T10:45:47,762][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:47 -0200}
  1437. [2016-12-07T10:45:48,779][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:48 -0200}
  1438. [2016-12-07T10:45:49,784][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:49 -0200}
  1439. [2016-12-07T10:45:50,786][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:50 -0200}
  1440. [2016-12-07T10:45:51,681][WARN ][logstash.outputs.elasticsearch] UNEXPECTED POOL ERROR {:e=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::NoConnectionAvailableError: No Available connections>}
  1441. [2016-12-07T10:45:51,681][WARN ][logstash.outputs.elasticsearch] Elasticsearch output attempted to sniff for new connections but cannot. No living connections are detected. Pool contains the following current URLs {:url_info=>{}}
  1442. [2016-12-07T10:45:51,778][DEBUG][logstash.pipeline        ] Pushing flush onto pipeline
  1443. [2016-12-07T10:45:51,789][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:51 -0200}
  1444. [2016-12-07T10:45:52,792][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:52 -0200}
  1445. [2016-12-07T10:45:53,795][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:53 -0200}
  1446. [2016-12-07T10:45:54,800][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:54 -0200}
  1447. [2016-12-07T10:45:55,804][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:55 -0200}
  1448. [2016-12-07T10:45:56,685][WARN ][logstash.outputs.elasticsearch] UNEXPECTED POOL ERROR {:e=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::NoConnectionAvailableError: No Available connections>}
  1449. [2016-12-07T10:45:56,686][WARN ][logstash.outputs.elasticsearch] Elasticsearch output attempted to sniff for new connections but cannot. No living connections are detected. Pool contains the following current URLs {:url_info=>{}}
  1450. [2016-12-07T10:45:56,778][DEBUG][logstash.pipeline        ] Pushing flush onto pipeline
  1451. [2016-12-07T10:45:56,811][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:56 -0200}
  1452. [2016-12-07T10:45:57,813][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:57 -0200}
  1453. [2016-12-07T10:45:58,816][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:58 -0200}
  1454. [2016-12-07T10:45:59,820][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:45:59 -0200}
  1455. [2016-12-07T10:46:00,824][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:46:00 -0200}
  1456. [2016-12-07T10:46:01,689][WARN ][logstash.outputs.elasticsearch] UNEXPECTED POOL ERROR {:e=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::NoConnectionAvailableError: No Available connections>}
  1457. [2016-12-07T10:46:01,690][WARN ][logstash.outputs.elasticsearch] Elasticsearch output attempted to sniff for new connections but cannot. No living connections are detected. Pool contains the following current URLs {:url_info=>{}}
  1458. [2016-12-07T10:46:01,783][DEBUG][logstash.pipeline        ] Pushing flush onto pipeline
  1459. [2016-12-07T10:46:01,826][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:46:01 -0200}
  1460. [2016-12-07T10:46:02,829][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:46:02 -0200}
  1461. [2016-12-07T10:46:03,831][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:46:03 -0200}
  1462. [2016-12-07T10:46:04,834][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:46:04 -0200}
  1463. [2016-12-07T10:46:05,838][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:46:05 -0200}
  1464. [2016-12-07T10:46:06,692][WARN ][logstash.outputs.elasticsearch] UNEXPECTED POOL ERROR {:e=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::NoConnectionAvailableError: No Available connections>}
  1465. [2016-12-07T10:46:06,693][WARN ][logstash.outputs.elasticsearch] Elasticsearch output attempted to sniff for new connections but cannot. No living connections are detected. Pool contains the following current URLs {:url_info=>{}}
  1466. [2016-12-07T10:46:06,783][DEBUG][logstash.pipeline        ] Pushing flush onto pipeline
  1467. [2016-12-07T10:46:06,841][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:46:06 -0200}
  1468. [2016-12-07T10:46:07,847][DEBUG][logstash.instrument.collector] Collector: Sending snapshot to observers {:created_at=>2016-12-07 10:46:07 -0200}