multiple multiline logic question #9162
Description
What is the multiline logic for the start of a new line?
If the parser is already past the logic for the 'start_state" and is in the logic for "cont", does the logic check ever the other "state_state" line by line or does the "cont" loop continue until "cont" is not satisfied?
In my example I used a (.*) greedy to test if the "cont" loop would stay or break when another valid line does start with a valid "start_state"; the loop stayed in the "cont" and did not break.
I would like each line to be evaluate to see if a "start_state" can be satisfied.
If I have to define every possible "cont" I think would be possible; consider this event starting with
01:12:00.869: Sending [0,UDP] 556 bytes to 10.10.3.129:5080 >>>>>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.10.3.129:5080;branch=z9hG4bKac1902982255;received=10.10.3.129
From: "softphone" <sip:4006@STC>;tag=1c1234304587
To: <sip:4006@STC>;tag=00FF43BC-9A69-4F6E-ACEC-665E741C7377-357596
Call-ID: 1065851586111202111159@10.10.3.129
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="SIPSwitch_STC",qop="auth",algorithm=MD5,nonce="3A3A7894-2420-47B3-A3F2-2DCF3B05DEB6",opaque="5349505377697463685f535443"
Expires: 1800
Contact: <sip:4006@10.10.3.129:5080;ac-feu=985-10-182-7>;expires=1800
Content-Length: 0
parsers_multiline.conf
[MULTILINE_PARSER]
name sip1-multiline-regex-test
type regex
flush_timeout 1000
# rules | state name | regex pattern | next state
# ------|---------------|--------------------------------------------
rule "start_state" "/^(\d+\:\d+\:\d+\.\d+\:\s)/" "cont"
rule "cont" "/^.*/" "cont"
[MULTILINE_PARSER]
name sip2-multiline-regex-test
type regex
flush_timeout 1000
#
# ------|---------------|--------------------------------------------
rule "start_state" "/^(@\d+\:\d+\:\d+\.\d+\:\s)/" "cont"
rule "cont" "/^.*/" "cont"
[MULTILINE_PARSER]
name sip3-multiline-regex-test
type regex
flush_timeout 1000
# rules | state name | regex pattern | next state
# ------|---------------|--------------------------------------------
rule "start_state" "/^SIP/" "cont"
rule "cont" "/^.*/" "cont"
sip.log
#Sample Log:
#Lets use a simple use cases log sample, there are 3 multiline start paterns that I parse for:
#1:12:00.865: #regex: ^(?P\d+:\d+:\d+.\d+:\s)(?P.)
#@01:12:00.865: #regex: ^(?P@\d+:\d+:\d+.\d+:\s)(?P.)
#SIP/2.0 #regex: ^(?P<SIP.app>SIP/2.0\s)(?P.*)
#Sample Log:
01:12:00.865: Unable to resolve number for DN:4006
fake
@01:12:00.865: trunk ip addr 10.10.3.129
fake
01:12:00.865: gateway 'Gateway' associated with address '10.10.3.129'
fAKE
01:12:00.865: Assocaited transport for the device [1058] changed from [:0:0] to [10.10.3.129:5080:1]
FAKA
@01:12:00.869: TRNMNGR: internal domain stc.green.com
FAKE
01:12:00.869: SIPTS: handle registration event 0
fake
01:12:00.869: Sending [0,UDP] 556 bytes to 10.10.3.129:5080 >>>>>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.10.3.129:5080;branch=z9hG4bKac1902982255;received=10.10.3.129
From: "softphone" <sip:4006@STC>;tag=1c1234304587
To: <sip:4006@STC>;tag=00FF43BC-9A69-4F6E-ACEC-665E741C7377-357596
Call-ID: 1065851586111202111159@10.10.3.129
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="SIPSwitch_STC",qop="auth",algorithm=MD5,nonce="3A3A7894-2420-47B3-A3F2-2DCF3B05DEB6",opaque="5349505377697463685f535443"
Expires: 1800
Contact: <sip:4006@10.10.3.129:5080;ac-feu=985-10-182-7>;expires=1800
Content-Length: 0
Output:
[2024/08/04 06:40:04] [ info] [input:tail:tail.0] inotify_fs_add(): inode=1179667 watch_fd=1 name=sip.log
[0] tail.0: [[1722753604.468859924, {}], {"log"=>"#Lets use a simple use cases log sample, there are 3 multiline start paterns that I parse for:
"}]
[1] tail.0: [[1722753604.468875634, {}], {"log"=>"#01:12:00.865: #regex: ^(?P<time>\d+\:\d+\:\d+\.\d+\:\s)(?P<message>.*)
"}]
[2] tail.0: [[1722753604.468878214, {}], {"log"=>"#@01:12:00.865: #regex: ^(?P<time>\@\d+\:\d+\:\d+\.\d+\:\s)(?P<message>.*)
"}]
[3] tail.0: [[1722753604.468880444, {}], {"log"=>"#SIP/2.0 #regex: ^(?P<SIP.app>SIP\/2\.0\s)(?P<message>.*)
"}]
[4] tail.0: [[1722753604.468881924, {}], {"log"=>"#Sample Log:
"}]
[0] tail.0: [[1722753604.468882974, {}], {"log"=>"01:12:00.865: Unable to resolve number for DN:4006
fake
@01:12:00.865: trunk ip addr 10.10.3.129
fake
01:12:00.865: gateway 'Gateway' associated with address '10.10.3.129'
fAKE
01:12:00.865: Assocaited transport for the device [1058] changed from [:0:0] to [10.10.3.129:5080:1]
FAKA
@01:12:00.869: TRNMNGR: internal domain stc.green.com
FAKE
01:12:00.869: SIPTS: handle registration event 0
fake
01:12:00.869: Sending [0,UDP] 556 bytes to 10.10.3.129:5080 >>>>>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.10.3.129:5080;branch=z9hG4bKac1902982255;received=10.10.3.129
From: "softphone" <sip:4006@STC>;tag=1c1234304587
To: <sip:4006@STC>;tag=00FF43BC-9A69-4F6E-ACEC-665E741C7377-357596
Call-ID: 1065851586111202111159@10.10.3.129
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="SIPSwitch_STC",qop="auth",algorithm=MD5,nonce="3A3A7894-2420-47B3-A3F2-2DCF3B05DEB6",opaque="5349505377697463685f535443"
Expires: 1800
Contact: <sip:4006@10.10.3.129:5080;ac-feu=985-10-182-7>;expires=1800
Content-Length: 0
"}]
[1] tail.0: [[1722753604.468889784, {}], {"log"=>"01:12:00.865: gateway 'Gateway' associated with address '10.10.3.129'
fAKE
01:12:00.865: Assocaited transport for the device [1058] changed from [:0:0] to [10.10.3.129:5080:1]
FAKA
@01:12:00.869: TRNMNGR: internal domain stc.green.com
FAKE
01:12:00.869: SIPTS: handle registration event 0
fake
01:12:00.869: Sending [0,UDP] 556 bytes to 10.10.3.129:5080 >>>>>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.10.3.129:5080;branch=z9hG4bKac1902982255;received=10.10.3.129
From: "softphone" <sip:4006@STC>;tag=1c1234304587
To: <sip:4006@STC>;tag=00FF43BC-9A69-4F6E-ACEC-665E741C7377-357596
Call-ID: 1065851586111202111159@10.10.3.129
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="SIPSwitch_STC",qop="auth",algorithm=MD5,nonce="3A3A7894-2420-47B3-A3F2-2DCF3B05DEB6",opaque="5349505377697463685f535443"
Expires: 1800
Contact: <sip:4006@10.10.3.129:5080;ac-feu=985-10-182-7>;expires=1800
Content-Length: 0