

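[alcatel_omniswitch]
# Splunk props.conf stanza: search-time field extractions (EXTRACT-*) for the
# alcatel_omniswitch sourcetype. Each EXTRACT-* value is a regex whose named
# groups become fields; a line without an "EXTRACT-<name> = " prefix is not a
# valid key and is not loaded. The "#<subsystem>" comments group the regexes
# by the switch component whose messages they match.
#Generic
EXTRACT-alcatel_omniswitch-generic1 = (?<device_time>\S+\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<reported_hostname>\S+)\s+(<\d+>\S+\s+\d{1,2} \d{2}:\d{2}:\d{2} )?(?<facility>[A-Za-z0-9\.]+)(:|\[\d+\]|\s*\+\+\+)?\s*(?<message_text>.*)
EXTRACT-alcatel_omniswitch-generic2 = (?<device_time>\S+\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<facility>[A-Za-z0-9\.]+) \[[0-9\.]+\] (?<mnemonic>\S+)( \(\d+\)|:)\s*(?<message_text>.*)
EXTRACT-alcatel_omniswitch-generic-swlogd = swlogd\s+(?<mnemonic>\S+)\s+(?<service>\S+)\s+((?<sub_service>[^:\s]+)\s+)?(?<severity_name>\S+):\s+(?<message_text>.*)
EXTRACT-alcatel_omniswitch-generic-ConsLog1 = ConsLog (\S+\s+\S+\s+\d{1,2} \d{2}:\d{2}:\d{2}) : (?<mnemonic>\S+)\s+(?<service>\S+)\s+(?<severity_name>\S+):?\s+(?<message_text>.*)
EXTRACT-alcatel_omniswitch-generic-Conslog2 = ConsLog \+\+\+ (?<mnemonic>\S+):\s+(?<message_text>.*)
#dest ip,port,mac
EXTRACT-alcatel_omniswitch-to_ip_port = to (?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(?<dest_port>\d+))?(/(?<dest_mac>[0-9a-fA-F:]{17}))?
#Conslog
EXTRACT-alcatel_omniswitch-message_severity = (?<severity_name>WARN|INFO|ERR(OR)?) message:
#MIP_GATEWAY
EXTRACT-alcatel_omniswitch-client = Client (?<vendor_action>(un)?available)
#ChassisSupervisor
EXTRACT-alcatel_omniswitch-copy_file = Copy (?<src>\S+) to (?<dest>\S+) (?<vendor_action>succeeded|failed)
EXTRACT-alcatel_omniswitch-process_action = process (completed )?(?<vendor_action>successfully|started)
#flashManager
# Note: in this group "command" is the argument of calling system(...) /
# executing ..., i.e. the command the switch itself ran, not an operator CLI
# command (those are extracted under #SES as cli_log).
EXTRACT-alcatel_omniswitch-compareResult = compareResult \((?<result>\d+)\)
EXTRACT-alcatel_omniswitch-calling_system = calling system\((?<command>.+)\)
EXTRACT-alcatel_omniswitch-executing = executing (?<command>.+)
EXTRACT-alcatel_omniswitch-file_not_found = File (?<file_name>\S+) (?<vendor_action>(not )?found)
EXTRACT-alcatel_omniswitch-renamed_copy_file = (?<vendor_action>renamed|copying) file (?<file_name>\S+)( size (?<file_size>\d+))?
EXTRACT-alcatel_omniswitch-saving_file = (?<vendor_action>Saving) the (?<file_name>\S+) file
EXTRACT-alcatel_omniswitch-listening_directory = listing master directory contents (?<command>.+)
#intfCmm
EXTRACT-alcatel_omniswitch-sfp_direction = SFP/XFP (?<direction>[RT]x)
EXTRACT-alcatel_omniswitch-cmm_esm_link_status_chg = (?<direction>[RT]x) CMM_ESM_LINK_STATUS_CHG from chassis (?<chassis>\d+) NI (?<NI>\d+)
EXTRACT-alcatel_omniswitch-sfp_conf_msgid = chassis (?<chassis>\d+) zslot (?<zslot>\d+) zport (?<zport>\d+) Txed conf msgId:(?<msgId>\d+)
EXTRACT-alcatel_omniswitch-direction = (?<direction>[RT]x)(ing|ed)\s+
EXTRACT-alcatel_omniswitch-link_up_down = Link (?<interface>\S+) (Alias (?<alias>.*) )?operationally (?<vendor_action>up|down)
EXTRACT-alcatel_omniswitch-port_threshold = CUSTLOG CMM Port (?<interface>\S+) (?<vendor_action>falling) below (?<direction>receive/transmit) threshold
#portMgrNi
# Fix: this regex previously had no "EXTRACT-<name> = " key, so Splunk never
# loaded it, and the duplex group "(?<duplex>)" was empty and could capture
# nothing. The key name follows the stanza's naming convention; "duplex" now
# captures the token after "Duplex ".
EXTRACT-alcatel_omniswitch-linksts = LINKSTS (?<interface>\S+) (?<vendor_action>UP|DOWN) \(gport (?<gport>\S+)\) Speed (?<speed>\d+) Duplex (?<duplex>\S+)
#SES
# Operator activity: CLI commands, logins and authentication failures. "src"
# in cli_log and login_by is the client IPv4 address, while the DoS regex
# below uses "src_ip" — searches that join on the source address must account
# for both names (field names are left as-is so existing searches keep working).
EXTRACT-alcatel_omniswitch-cli_log = CLI log, user: (?<user>\S+) \((?<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\), cmd: (?<command>.+), result: (?<vendor_action>[A-Za-z]+)(:? (?<cause>.+))?
EXTRACT-alcatel_omniswitch-login_by = Login by (?<user>\S+) from (?<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) through (?<protocol>\S+) (?<vendor_action>Success|Failed)
EXTRACT-alcatel_omniswitch-authentication = Authentication (?<vendor_action>failure) detected: user (?<user>\S+)
#sshd
# received_authent: user, client IPv4, client port, protocol name and optional
# version from sshd "Received ... for <user> from <ip> port <n> ..." lines.
# The PROPOSAL_* regexes expose the client-to-server MAC / cipher proposals,
# which is what a search for weak or unexpected SSH algorithms would key on.
EXTRACT-alcatel_omniswitch-received_authent = Received (keyboard-interactive/pam|password) for (?<user>\S+) from (?<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port (?<src_port>\d+) (?<protocol>[A-Za-z]+)(?<protocol_version>[\d\.]+)?
EXTRACT-alcatel_omniswitch-proposal_mac = PROPOSAL_MAC_ALGS_CTOS = (?<PROPOSAL_MAC_ALGS_CTOS>\S+)
EXTRACT-alcatel_omniswitch-proposal_enc = PROPOSAL_ENC_ALGS_CTOS = (?<PROPOSAL_ENC_ALGS_CTOS>\S+)
#DoS detection
# dos_type_invalid: optional VRF, offending source IPv4/MAC and ingress port.
# dos_detected: free-text attack type as reported by the switch.
EXTRACT-alcatel_omniswitch-dos_type_invalid = (VRF (?<vrf>\S+):\s*)?DoS type invalid ip from (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<src_mac>[0-9a-fA-F:]{17}) on port (?<src_interface>\S+)
EXTRACT-alcatel_omniswitch-dos_detected = Denial of Service attack detected:\s*(?<attack_type>.+)
#intfNi
EXTRACT-alcatel_omniswitch-eniApplyConfig = eniApplyConfig: cmd:(?<cmd>\d+) zport:(?<zport>\d+) cmdHy:(?<cmdHy>\d+), apMedia:(?<apMedia>\d+)
EXTRACT-alcatel_omniswitch-niEsmSendLinkStatusChgMsg = niEsmSendLinkStatusChgMsg\(\d+\): linkstatus (?<vendor_action>UP|DOWN)
#Port violations
# Three message shapes: "Violation clear, chass/slot/port ..." (port_violation1),
# "Port <if> violation cleared - ..." (port_violation_clear) and
# "Port <if> in violation - ..." (port_violation2). vendor_action distinguishes
# a new violation from a clear; vendor_source and reason are optional/free text.
EXTRACT-alcatel_omniswitch-port_violation1 = Violation (?<vendor_action>clear), chass (?<chassis>\d+), slot (?<slot>\d+), port (?<interface>\d+): source (?<vendor_source>.*), reason (?<reason>.*)
EXTRACT-alcatel_omniswitch-port_violation_clear = Port (?<interface>\S+) violation (?<vendor_action>cleared) - (source (?<vendor_source>\S+) )?reason (?<reason>.*)
EXTRACT-alcatel_omniswitch-port_violation2 = Port (?<interface>\S+) (?<vendor_action>in violation) - (source (?<vendor_source>\S+) )?reason (?<reason>.*)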