
Patterns

Filip Halas edited this page Apr 3, 2014 · 16 revisions

Gomatch needs a file to read pattern/event definitions from. The default location is ./Patterns.

Every pattern needs to be on a separate line and has to look something like this:

session_opened##<MONTH> <NUMBER:month_number> <TIME> <IP> <CLASS> <SYSLOGPROG> session opened for user <USERNAME>

Note that the pattern starts with a name, followed by the ## separator and then the first element to match (either <token_name>, a reference to a regular expression, or a literal word), then a single space and the next element to match, and so on. Unfortunately, combinations of tokens and words aren't possible, but you can easily alter the regular expressions to suit your log data.

Every matched token is stored and printed in the output (with its matched value) only once (if the same token occurs twice in a pattern, rename the second occurrence); matched words are not stored.

When you use <token_name> you will get token_name = matched_value in your output, but you can change this to <token_name:my_name> to get my_name = matched_value instead.

It is also possible to append a new pattern while the program is running: put the new pattern on the top line of the file with the patterns.

Try it out

If things are still unclear, try these few patterns (put them in your patterns file):

Pattern_1##y
Pattern_2##y <WORD> <IP>

Pattern_1 will match the output of the Unix command yes (an endless generator of y, or of a given argument); try running: yes | gomatch.

Pattern_2 will match lines starting with y, followed by any word made up of letters only (no digits) and any IP address, for example:

y wordyword 192.168.2.1
y wordofwords 127.0.0.1

It won't match:

y 12wordofwords 127.0.0.1	// word with numbers
n wordofwords 127.0.0.1		// first word is not y
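To make the format above concrete, here is a small Go program that compiles definition lines of the form name##<TOKEN> <TOKEN:alias> word into anchored regular expressions and matches input lines against them, keeping only the first value of a token that appears twice. This is an added example written for this page, not gomatch's own code: the regular expressions behind WORD, NUMBER and IP are assumptions (the page does not show gomatch's token definitions), and the sample patterns and lines are constructed from the ones above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Token regexes are assumptions for this example; gomatch's own definitions
// are not shown on the wiki page. WORD is letters only, so "12wordofwords"
// does not match it, as in the page's counter-example.
var tokenRegex = map[string]string{
	"WORD":   `[A-Za-z]+`,
	"NUMBER": `[0-9]+`,
	"IP":     `(?:[0-9]{1,3}\.){3}[0-9]{1,3}`,
}

// Pattern is one compiled pattern/event definition: its name, the anchored
// regex built from the definition line, and the output name of each capture.
type Pattern struct {
	Name   string
	re     *regexp.Regexp
	fields []string
}

// Compile parses one definition line: name##element element ...
// Each space-separated element is either <TOKEN> or <TOKEN:alias> (replaced by
// the token's regex inside a capture group) or a literal word (regex-escaped).
func Compile(line string) (*Pattern, error) {
	name, body, ok := strings.Cut(line, "##")
	if !ok {
		return nil, fmt.Errorf("missing ## separator in %q", line)
	}
	var sb strings.Builder
	sb.WriteString("^")
	var fields []string
	for i, elem := range strings.Split(body, " ") {
		if i > 0 {
			sb.WriteString(" ") // elements are separated by exactly one space
		}
		if strings.HasPrefix(elem, "<") && strings.HasSuffix(elem, ">") {
			token, alias, hasAlias := strings.Cut(elem[1:len(elem)-1], ":")
			rx, known := tokenRegex[token]
			if !known {
				return nil, fmt.Errorf("pattern %s: unknown token <%s>", name, token)
			}
			if !hasAlias {
				alias = token // default output name is the token name itself
			}
			fields = append(fields, alias)
			sb.WriteString("(" + rx + ")")
		} else {
			sb.WriteString(regexp.QuoteMeta(elem)) // literal word, not stored
		}
	}
	sb.WriteString("$")
	re, err := regexp.Compile(sb.String())
	if err != nil {
		return nil, err
	}
	return &Pattern{Name: name, re: re, fields: fields}, nil
}

// Match returns the captured token values keyed by output name, or ok=false.
// A name that appears twice keeps only its first value, as the page describes.
func (p *Pattern) Match(line string) (map[string]string, bool) {
	m := p.re.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	out := make(map[string]string)
	for i, f := range p.fields {
		if _, seen := out[f]; !seen {
			out[f] = m[i+1]
		}
	}
	return out, true
}

func main() {
	// Constructed sample: the two patterns from the page plus a renamed token.
	defs := []string{
		"Pattern_1##y",
		"Pattern_2##y <WORD> <IP>",
		"Pattern_3##<NUMBER:month_number> <WORD> <NUMBER>",
	}
	lines := []string{
		"y",
		"y wordyword 192.168.2.1",
		"y 12wordofwords 127.0.0.1", // word with digits: no match for Pattern_2
		"n wordofwords 127.0.0.1",    // first word is not y
		"4 April 2014",
	}
	for _, d := range defs {
		p, err := Compile(d)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, l := range lines {
			if vals, ok := p.Match(l); ok {
				fmt.Printf("%s matched %q: %v\n", p.Name, l, vals)
			}
		}
	}
}
```

The regex is anchored at both ends and literal words are escaped with regexp.QuoteMeta, so a word in a definition such as "session" can never be reinterpreted as a regex operator; only the token table contributes regex syntax.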
