# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved. 

#Set the sourcetype from syslog tag
#timestamp in RFC3339 format (syslog protocol spec) is:
#\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d+(\.\d+)?(?:Z|[\+\-]\d{2}:\d{2})?
[set_syslog_sourcetype]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<\d+>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([A-Za-z\-]+)(?:[^:]*)[:\[]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:esxlog:$1

#Setting source type for 4x, as this vpxa data for 4x esx is in different format
[set_syslog_sourcetype_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+([^\[\:]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:esxlog:$1

#Set source to identify report extractions
[set_syslog_source]
SOURCE_KEY = MetaData:Source
REGEX = (.+)
DEST_KEY = MetaData:Source
FORMAT = source::vmware:esxlog:$1


[set_syslog_sourcetype_sections]
REGEX = ^(?:<\d+>)Section.*
DEST_KEY = MetaData:Sourcetype
#TODO: this may need to be assigned to a particular log sourcetype
FORMAT = sourcetype::vmware:esxlog:section_headers

# the following is applicable to:
# hostd, vpxa, rhttpproxy, hostd-probe
[esx_hostd_fields_6x]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([^\[\:]+):\s(?:(?:[\d\-:TZ.]+)\s*)?(\w+)\s*(?:\S+\[\S+\])?\s*\[(?:[^\s\]]+)\s*(?:sub=([^\s\]]+))?\s*(?:opID=([^\s\]]+))?(?:[^]]+?)?\]\s*(.*)$
FORMAT = Pri::$1 Offset::$2 Application::$3 Level::$4 Object::$5 opID::$6 Message::$7

[esx_hostd_fields_5x]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([^\[\:]+): \[[^\s]+ (\w+) '([^']+)'(?: opID=([^\s\]]+))?(?:[^]]+?)?\]\s*(.*)$
FORMAT = Pri::$1 Offset::$2 Application::$3 Level::$4 Object::$5 opID::$6 Message::$7

[esx_hostd_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(?:[^\[\:]+)(?:\[\d+\])?:\s*(?:\[(?:'([^']+)'\s+)?(?:[-\d]{10}(?:\s+|T))?(?:[.:\dZ]+\s+)?(\w+)\s+(\w+)(?:\s+'([^']+)'(?:\s+opID=([^\s\x00-\x20]+))?)?\]\s+)?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Application::$1 Offset::$2 Level::$3 Object::$4 opID::$5 SubComp::$6 Message::$7

[esx_vmkernel_fields]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\s*(?:[^\s]+)?\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Pri::$1 Type::$2 HostUpTime::$3 Cpu::$4 WorldId::$5 SubComp::$6 Message::$7

[esx_vmkernel_fields_4x]
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Type::$1 HostUpTime::$2 Cpu::$3 WorldId::$4 SubComp::$5 Message::$6

[esx_generic_fields]
REGEX = ^(?:(?:\w{3}\s+\d+\s+[\d\:]{8})|(?:<(\d+)>)?(?:(?:(?:[\d\-]{10}T[\d\:]{8}(?:\.\d+)?(?:Z|[\+\-][\d\:]{3,5})?))|(?:NoneZ)?)|(?:\w{3}\s+\w{3}\s+\d+\s+[\d\:]{8}\s+\d{4}))\s[^ ]+\s+([A-Za-z\-]+)(?:[^:]*):?(?:[^(]*\))?\s*(.*)$
FORMAT = Pri::$1 Application::$2 Message::$3

[esx_generic_fields_4x]
REGEX =  ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s+(?:[^\[\:]+)(?:\[\d+\])?:\s*(.*)
FORMAT = Message::$1

[esx_hostd_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*): \[([^\s]+) (\w+) '([^']+)'(?: opID=([^\]]+))?\] ?(.*)
FORMAT = Pri::$1 Application::$2 Offset::$3 Level::$4 Object::$5 opID::$6 Message::$7

[esx_vmkernel_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
FORMAT = Pri::$1 Type::$2 HostUpTime::$3 Cpu::$4 WorldId::$5 SubComp::$6 Message::$7

[esx_generic_fields_syslogserver]
REGEX = (?:^<(\d+)>)?^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*):?\s*(.*)$
FORMAT = Pri::$1 Application::$2 Message::$3

####### SYSLOG - HOST AND SOURCETYPE EXTRACTION #######
# When using syslog server, sourcetype extraction can be done from event itself For example if event has the following format:  "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line and add stanza name "set_syslog_sourcetype_syslogserver" into props.conf "TRANSFORMS-vmsyslogsourcetype" list
#[set_syslog_sourcetype_syslogserver]
#REGEX = ^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+)?([A-Za-z\-]+)(?:[^:]*)[:\[]
#DEST_KEY = MetaData:Sourcetype
#FORMAT = sourcetype::vmware:esxlog:$1

# When using syslog server host extraction can be done from event itself. For example if event has the following format:  "Mar 26 19:00:20 esx1.abc.com Hostd:"
# uncomment the line
#[set_host]
#REGEX = ^(?:\w{3}\s+\d+\s+[\d\:]{8}\s+(?:(?:Section for VMware ESX,)\s+)?([^ ]+)\s+)
#DEST_KEY = MetaData:Host
#FORMAT = host::$1

########################################################

#########
#NullQueues
[vmware_generic_level_null]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = (?:verbose|trivia)[:\s]

[vmware_generic_level_null_4x]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+\w+\s+\d+\s+[\d\:]{8}\s.*(?:verbose|trivia).*

# The below regex is used to support for ESX 4x version for syslog 
# Please uncomment the below regEx if VC contains ESX 4x version, also update props.conf with these values
#[set_syslog_sourcetype_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?([^\[\:]+)
#DEST_KEY = MetaData:Sourcetype
#FORMAT = sourcetype::vmware:esxlog:$1

#[esx_hostd_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(?:[^\[\:]+)(?:\[\d+\])?:\s*(?:\[(?:'([^']+)'\s+)?(\w+)\s+(\w+)(?:\s+'([^']+)'(?:\s+opID=([^\s\x00-\x20]+))?)?\]\s+)?(?:\[([\:\w]+)\]\s+)?(.*)
#FORMAT = Application::$1 Offset::$2 Level::$3 Object::$4 opID::$5 SubComp::$6 Message::$7

#[esx_vmkernel_fields_esx_4x]
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(vmkernel|vmkwarning):\s+(?:([\d\:\.]+)\s+)?(cpu\d+):(?:(\d+)\))?(?:\[([\:\w]+)\]\s+)?(.*)
#FORMAT = Type::$1 HostUpTime::$2 Cpu::$3 WorldId::$4 SubComp::$5 Message::$6

#[esx_generic_fields_esx_4x]
#REGEX =  ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?(?:[^\[\:]+)(?:\[\d+\])?:\s*(.*)
#FORMAT = Message::$1

#[vmware_generic_level_null_esx_4x]
#DEST_KEY = queue
#FORMAT = nullQueue
#REGEX = ^\w+\s+\d+\s+[\d\:]{8}\s+[^ ]+\s+(?:\w+\s+\d+\s+[\d\:]{8}\s+)?.*(verbose|trivia)