#If it's syslog, we are going to extract progname from it
filter: "evt.Line.Labels.type == 'syslog'"
onsuccess: next_stage
pattern_syntax:
  RAW_SYSLOG_PREFIX: '^<%{NUMBER:stuff1}>%{NUMBER:stuff2} %{SYSLOGBASE2} %{DATA:program} %{NUMBER:pid}'
  RAW_SYSLOG_META: '\[meta sequenceId="%{NOTDQUOTE:seq_id}"\]'
name: crowdsecurity/syslog-logs
nodes:
  - grok:
      #this is a named regular expression. grok patterns can be kept into separate files for readability
      pattern: "^%{SYSLOGLINE}" 
      #This is the field of the `Event` to which the regexp should be applied
      apply_on: Line.Raw
  - grok:
      #a second pattern for unparsed syslog lines, as saw in opnsense
      pattern: '%{RAW_SYSLOG_PREFIX} - %{RAW_SYSLOG_META} %{GREEDYDATA:message}'
      apply_on: Line.Raw
#if the node was successfull, statics will be applied.
statics:
  - meta: machine
    expression: evt.Parsed.logsource
  - parsed: "logsource"
    value: "syslog"
# syslog date can be in two different fields (one of hte assignment will fail)
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
  - target: evt.StrTime
    expression: evt.Parsed.timestamp8601
  - meta: datasource_path
    expression: evt.Line.Src
  - meta: datasource_type
    expression: evt.Line.Module
---
#if it's not syslog, the type is the progname
filter: "evt.Line.Labels.type != 'syslog'"
onsuccess: next_stage
name: crowdsecurity/non-syslog
#debug: true
statics:
  - parsed: message
    expression: evt.Line.Raw
  - parsed: program
    expression: evt.Line.Labels.type
  - meta: datasource_path
    expression: evt.Line.Src
  - meta: datasource_type
    expression: evt.Line.Module