/usr/share/logsparser/normalizers/normalizer.dtd is in python-logsparser 0.4-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | <!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
<!-- -->
<!-- pylogparser - Logs parsers python library -->
<!-- Copyright (C) 2011 Wallix Inc. -->
<!-- -->
<!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
<!-- -->
<!-- This package is free software; you can redistribute -->
<!-- it and/or modify it under the terms of the GNU Lesser -->
<!-- General Public License as published by the Free Software -->
<!-- Foundation; either version 2.1 of the License, or (at -->
<!-- your option) any later version. -->
<!-- -->
<!-- This package is distributed in the hope that it will be -->
<!-- useful, but WITHOUT ANY WARRANTY; without even the implied -->
<!-- warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -->
<!-- PURPOSE. See the GNU Lesser General Public License for -->
<!-- more details. -->
<!-- -->
<!-- You should have received a copy of the GNU Lesser General -->
<!-- Public License along with this package; if not, write -->
<!-- to the Free Software Foundation, Inc., 59 Temple Place, -->
<!-- Suite 330, Boston, MA 02111-1307 USA -->
<!-- -->
<!--++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-->
<!ELEMENT normalizer (description?,authors?,tagTypes?,callbacks?,prerequisites?,patterns,commonTags?,finalCallbacks?)>
<!-- The given name of the normalizer -->
<!ATTLIST normalizer name CDATA #REQUIRED>
<!-- The version of this normalizer -->
<!ATTLIST normalizer version CDATA #REQUIRED>
<!-- Compile the associated regexps with the UNICODE flag -->
<!ATTLIST normalizer unicode (no|yes) "yes">
<!-- Compile the associated regexps with the IGNORECASE flag -->
<!ATTLIST normalizer ignorecase (no|yes) "yes">
<!-- Patterns are multiline -->
<!ATTLIST normalizer multiline (no|yes) "yes">
<!-- how to match the pattern : "match" to match at the beginning of the sample,
or "search" to match anywhere in the sample -->
<!ATTLIST normalizer matchtype (match|search) "match">
<!-- What tag will the patterns be applied to ? Set the value to "raw" for
protocol normalizers, "body" for application or generic normalizers -->
<!ATTLIST normalizer appliedTo CDATA #REQUIRED>
<!-- A set of descriptions, language is specified as the usual language code -->
<!-- The service taxonomy, if relevant, of the normalizer. See README.rst -->
<!ATTLIST normalizer taxonomy CDATA #IMPLIED>
<!ELEMENT description (localized_desc+)>
<!ELEMENT localized_desc (#PCDATA)>
<!ATTLIST localized_desc language CDATA #REQUIRED>
<!ELEMENT authors (author+)>
<!ELEMENT author (#PCDATA)>
<!-- Here one can define specific regexp blocks (this should be rare, with
most cases being covered by default tagTypes.). Once extracted, the result
is passed to the callbacks in order. -->
<!ELEMENT tagTypes (tagType+)>
<!ELEMENT tagType (description?,regexp)>
<!-- the name of the tag type preferably in camelCase, for example
"syslogDate", "EPOCH", "IP", etc -->
<!ATTLIST tagType name CDATA #REQUIRED>
<!-- The expected python type of the extracted value once the callbacks
have been fired. Not used yet, might be in the future. -->
<!ATTLIST tagType type (integer|float|basestring|datetime) "basestring">
<!-- the regular expression the data must match to qualify, for example
"[A-Z][a-z]{2} [ 0-9]\d \d{2}:\d{2}:\d{2}" -->
<!ELEMENT regexp (#PCDATA)>
<!-- Python functions to call after the data has been extracted with the regular
expression. The functions are called in order of definition.-->
<!ELEMENT callbacks (callback+)>
<!ELEMENT callback (#PCDATA)>
<!-- a name is REQUIRED as an attribute when defining the function, and
unnecessary when associated to a tag definition. Instead, the name MUST be
mentioned as text between the <callback> tags. -->
<!ATTLIST callback name CDATA #IMPLIED>
<!-- does a tag need to match a value before we should apply this normalizer ? -->
<!ELEMENT prerequisites (prereqTag+)>
<!ELEMENT prereqTag (#PCDATA)>
<!ATTLIST prereqTag name CDATA #REQUIRED>
<!ELEMENT value (#PCDATA)>
<!-- Define the patterns associated to this normalizer. -->
<!ELEMENT patterns (pattern+)>
<!ELEMENT pattern (description?,text,tags,commonTags?,examples?)>
<!-- a handy name for the pattern. Patterns are applied in alphabetical order
of names.-->
<!ATTLIST pattern name CDATA #REQUIRED>
<!-- a meta description of the log line covered by this pattern, for example
<SYSLOGCODE>SYSLOGDATE SOURCE PROGRAM\[PID\]: BODY
Regular expressions' metacharacters are not escaped by default, to provide
their full power without the hassle.-->
<!ELEMENT text (#PCDATA)>
<!-- The type of pattern. The default if type is not specified
is a regexp pattern. "type" attribute can be "csv" to force normalizer engine
to use csv python module in order to extract fields. The meta description
for a csv pattern type must be as follow DATE,IP,USER,BODY where fields
will be substitute by defined tags.-->
<!ATTLIST text type CDATA #IMPLIED>
<!-- If attribute "type" is "csv" this attribute is used to define the csv separator.
By default separator is a comma.-->
<!ATTLIST text separator CDATA #IMPLIED>
<!-- If attribute "type" is "csv" this attribute is used to define the csv quotechar.
By default quotechar is a quote.-->
<!ATTLIST text quotechar CDATA #IMPLIED>
<!-- a list of real-life examples that can be used for auto-generating some
documentation and unit testing. -->
<!ELEMENT examples (example+)>
<!ELEMENT example (description?,text,expectedTags)>
<!-- a (non necessarily complete) list of tags this normalizer will extract
from this example. These tags must be present after normalizing the
example for this normalizer to be considered valid.-->
<!ELEMENT expectedTags (expectedTag+)>
<!ELEMENT expectedTag (#PCDATA)>
<!ATTLIST expectedTag name CDATA #REQUIRED>
<!-- A list of tags associated to the meta description in the pattern. -->
<!ELEMENT tags (tag+)>
<!ELEMENT tag (description?,substitute,callbacks?)>
<!-- The name of the tag, as it will appear in the WallixLog.
if the name starts with '__' it is considered a temporary value (typically
processed in callbacks) that will therefore not appear after normalization.-->
<!ATTLIST tag name CDATA #REQUIRED>
<!-- the tag type, used to determine the regular expression that will be
substituted in the pattern. It must be either a built-in tagType,
or one defined in the current tagTypes markup. Newly defined tagTypes
take precedence over built-in ones in case of a naming conflict. -->
<!ATTLIST tag tagType CDATA "Anything">
<!-- The string chain that will be replaced by the tagType's regular
expression in the pattern. -->
<!ELEMENT substitute (#PCDATA)>
<!-- If necessary, define here tags that must be set even though they weren't
found in the pattern. -->
<!ELEMENT commonTags (commonTag+)>
<!ELEMENT commonTag (#PCDATA)>
<!ATTLIST commonTag name CDATA #REQUIRED>
<!-- If necessary, add here calls to callbacks to execute after
the regular normalization. An arbitrary value argument set to
None will be passed to the callback. -->
<!ELEMENT finalCallbacks (callback+)>
|