Parser fixes

conf/parser_custom.yaml

@@ -2,14 +2,14 @@ parsers:
   - name: rabbitmq
     # https://rubular.com/r/6ZCuwV4Xa7nfA3
     format: regex
-    regex: (?<date>[^ ]+)\s(?<time>[^ ]+)\s\[(?<log_level>[^ \]]*)\]\s(?<PID>[^ ]*)\s(?<msg>((([a-zA-Z]*\s+)+[^ ]*)+)+)
+    regex: '(?<date>[^ ]+)\s(?<time>[^ ]+)\s\[(?<log_level>[^ \]]*)\]\s(?<PID>[^ ]*)\s(?<msg>((([a-zA-Z]*\s+)+[^ ]*)+)+)'
 
   - name: neo4j
     # https://rubular.com/r/jWfJIOMKr2LgcO
     format: regex
-    regex: (?<date>[^ ]*) (?<time>[^ ]*) (?<log_level>[^ ]*)\s(?<msg>([^ ]*\s+[^ ]*)+)
+    regex: '(?<date>[^ ]*) (?<time>[^ ]*) (?<log_level>[^ ]*)\s(?<msg>([^ ]*\s+[^ ]*)+)'
 
   - name: external-dns
     # https://rubular.com/r/U8VbByp0oRPLU6
     format: regex
-    regex: ([^ ])\"(?<time>[^ ]+)\"\s([^ ]+)\=(?<log_level>[.+a-zA-Z]+)\s([^ ]+)\"(?<msg>([^ ]*\s+[^ ]*\s[a-zA-Z0-9]*)+)
+    regex: '([^ ])\"(?<time>[^ ]+)\"\s([^ ]+)\=(?<log_level>[.+a-zA-Z]+)\s([^ ]+)\"(?<msg>([^ ]*\s+[^ ]*\s[a-zA-Z0-9]*)+)'

conf/parsers.yaml

@@ -53,14 +53,15 @@ parsers:
 
   - name: docker-daemon
     format: regex
-    regex: time="(?<time>[^ ]*)" level=(?<level>[^ ]*) msg="(?<msg>[^ ].*)"
+    regex: 'time="(?<time>[^ ]*)" level=(?<level>[^ ]*) msg="(?<msg>[^ ].*)"'
     time_key: time
     time_format: '%Y-%m-%dT%H:%M:%S.%L'
     time_keep: On
 
   - name: syslog-rfc5424
+    # https://rubular.com/r/PMypubVdqyOTT0
     format: regex
-    regex: ^\<(?<pri>[0-9]{1,5})\>1 (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*?)\]|-)) (?<message>.+)$
+    regex: '^\<(?<pri>[0-9]{1,5})\>1 (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*?)\]|-))(?: (?<message>.+))?$'
     time_key: time
     time_format: '%Y-%m-%dT%H:%M:%S.%L%z'
     time_keep: On
@@ -74,7 +75,7 @@ parsers:
 
   - name: syslog-rfc3164
     format: regex
-    regex: '/^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/'
+    regex: '^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$'
     time_key: time
     time_format: '%b %d %H:%M:%S'
     time_keep: On
@@ -105,7 +106,7 @@ parsers:
   - name: cri
     # https://rubular.com/r/tjUt3Awgg4
     format: regex
-    regex: ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
+    regex: '^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$'
     time_key: time
     time_format: '%Y-%m-%dT%H:%M:%S.%L%z'
     time_keep: On
@@ -117,6 +118,34 @@ parsers:
   - name: kmsg-netfilter-log
     # Examples: TCP: https://rubular.com/r/Q8YY6fHqlqwGI0  UDP: https://rubular.com/r/B0ID69H9FvN0tp
     format: regex
-    regex: '^\<(?<pri>[0-9]{1,5})\>1 (?<time>[^ ]+) (?<host>[^ ]+) kernel - - - \[[0-9\.]*\] (?<logprefix>[^ ]*)\s?IN=(?<in>[^ ]*) OUT=(?<out>[^ ]*) MAC=(?<macsrc>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}):(?<macdst>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}):(?<ethtype>[0-9a-f]{2}:[0-9a-f]{2}) SRC=(?<saddr>[^ ]*) DST=(?<daddr>[^ ]*) LEN=(?<len>[^ ]*) TOS=(?<tos>[^ ]*) PREC=(?<prec>[^ ]*) TTL=(?<ttl>[^ ]*) ID=(?<id>[^ ]*) (D*F*)\s*PROTO=(?<proto>[^ ]*)\s?((SPT=)?(?<sport>[0-9]*))\s?((DPT=)?(?<dport>[0-9]*))\s?((LEN=)?(?<protolen>[0-9]*))\s?((WINDOW=)?(?<window>[0-9]*))\s?((RES=)?(?<res>0?x?[0-9]*))\s?(?<flag>[^ ]*)\s?((URGP=)?(?<urgp>[0-9]*))'
+    regex: |
+      (?x)
+      ^
+        \<(?<pri>[0-9]{1,5})\>1\s
+        (?<time>[^\s]+)\s
+        (?<host>[^\s]+)\s
+        kernel\s -\s -\s -\s \[\s*[0-9\.]*\]\s
+        (?<logprefix>[^\s]*)\s?
+        IN=(?<in>[^\s]*)\s
+        OUT=(?<out>[^\s]*)\s
+        MAC= (?<macdst>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2})
+        :    (?<macsrc>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2})
+        :    (?<ethtype>[0-9a-f]{2}:[0-9a-f]{2})\s
+        SRC=(?<saddr>[^\s]*)\s
+        DST=(?<daddr>[^\s]*)\s
+        LEN=(?<len>[^\s]*)\s
+        TOS=(?<tos>[^\s]*)\s
+        PREC=(?<prec>[^\s]*)\s
+        TTL=(?<ttl>[^\s]*)\s
+        ID=(?<id>[^\s]*)\s
+        (D*F*)\s*
+        PROTO=(?<proto>[^\s]*)\s?
+        ( (SPT=)? (?<sport>[0-9]*) )\s?
+        ( (DPT=)? (?<dport>[0-9]*) )\s?
+        ( (LEN=)? (?<protolen>[0-9]*) )\s?
+        ( (WINDOW=)? (?<window>[0-9]*) )\s?
+        ( (RES=)? (?<res>0?x?[0-9]*) )\s?
+        (?<flag>[^\s]*)\s?
+        ( (URGP=)? (?<urgp>[0-9]*) )
     time_key: time
     time_format: '%Y-%m-%dT%H:%M:%S.%L%z'

conf/parsers_extra.yaml

@@ -53,11 +53,11 @@ parsers:
 
   - name: universal
     format: regex
-    regex: ^(?<message>.*)$
+    regex: '^(?<message>.*)$'
 
   - name: uuid
     format: regex
-    regex: (?<uuid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})
+    regex: '(?<uuid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})'
     #UUID v1 :
     #/^[0-9A-F]{8}-[0-9A-F]{4}-[1][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
     #UUID v2 :
@@ -68,13 +68,170 @@ parsers:
     #/^[0-9A-F]{8}-[0-9A-F]{4}-[4][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
     #UUID v5 :
     #/^[0-9A-F]{8}-[0-9A-F]{4}-[5][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
-    #
-    # Parse IP Tables rules - this one regex should capture pretty much any IP Tables rule and split it into the various fields
 
   - name: iptables
+    # Parse IP Tables rules
+    # N.B. ipv4 only
+    # https://regex101.com/r/DujdAl/1
     format: regex
-    regex: '\[(?<rule_chain>\w*)-(?<rule_name>\w*)-(?<accept_or_drop>\w*)\]IN=(?<in_interface>[\w.]+)? OUT=(?<out_interface>[\w.]+)? MAC=(?<mac_address>[\w:]+)? SRC=(?<source>(?:[0-9]{1,3}\.){3}[0-9]{1,3}) DST=(?<dest>(?:[0-9]{1,3}\.){3}[0-9]{1,3}) LEN=(?<pkt_len>\d+) TOS=(?<pkt_tos>[\w\d]+) PREC=(?<pkt_prec>[\w\d]+) TTL=(?<pkt_ttl>\d+) ID=(?<pkt_id>\d+)\s?(?<pkg_frg>[A-Z\s].?)\s?PROTO=(?<protocol>[\w\d]+) (SPT=(?<source_port>.*) DPT=(?<dest_port>.*) (LEN=(?<proto_pkt_len>\w+)?)?(WINDOW=(?<proto_window_size>\d+) RES=(?<pkt_res>\w+)? (?<pkt_type>\w+)\s((?<pkt_flag>\w+)?)\s?URGP=(?<pkg_urgency>\d))? )?(TYPE=(?<pkt_icmp_type>\d+) CODE=(?<pkt_icmp_code>\d+) ID=(?<pkt_icmp_id>\d+) SEQ=(?<pkt_icmp_seq>\d+) )?$'
-    types: 'source_port:integer,dest_port:integer,pkt_ttl:integer,pkt_tos:integer,pkt_len:integer'
+    regex: |
+      (?x)
+
+       # kernel timestamp - optional, and may have already been consumed
+       (?: \[\s* (?<kernel_uptime>[0-9]+\.[0-9]+) \]\s )?
+
+       # Log prefix - depends on the rule-building tools
+       (?:
+
+        # Original Fluent-Bit PR #3108
+        \[
+        (?<rule_chain>\w*) -
+        (?<rule_name>\w*) -
+        (?<accept_or_drop>\w*)
+        \]
+       |
+
+        # UFW
+        \[ UFW\s (?<accept_or_drop> (?: ALLOW | AUDIT | BLOCK ) ) \] \s
+       |
+
+        # firewalld
+        (?<rule_chain>[^_]+)_
+        (?<fw_direction> (?: FWD | IN | OUT ) )_
+        (?: (?<fw_zone>[a-z0-9]+) _ )?
+        (?<accept_or_drop>[A-Z]+) : \s
+       |
+
+        # Calico
+        calico-
+        (?<accept_or_drop>\w*)
+        : \s
+       |
+
+        # other
+        FW:\s (?<fw_direction>[a-z]+) \s
+        (?<accept_or_drop>[A-Z]+) \s
+       |
+
+        # Conntrack error
+        nf_ct_proto_6:\s
+        (?:
+         (?<nf_ct_err>bad\s checksum)
+        |
+         (?<nf_ct_err>challenge-ack\s ignored)
+        |
+         (?<nf_ct_err>invalid \s
+           (?: new | rst | tcp\s flag\s combination | truncated\s packet )
+         )
+        |
+         packet\s \( index\s [0-3] \) \s
+         in\s dir\s [01]\s
+         (?<nf_ct_err>ignored) ,\s
+         state\s (?<tcp_state>[A-Z0-9_]+)
+        ) \s
+       |
+
+        # support arbitrary unknown prefixes rather than fail to match
+        (?<fw_unknown_prefix>.{1,64}?)
+       )
+
+       IN=(?<in_interface>[\w.]+)?\s
+       OUT=(?<out_interface>[\w.]+)?\s
+
+       # MAC can be missing or empty
+       (?:
+        MAC=
+        (?:
+         (?<macdst>[0-9a-f]{2} (?: :[0-9a-f]{2}){5} )
+         :
+         (?<macsrc>[0-9a-f]{2} (?: :[0-9a-f]{2}){5} )
+         :
+         # Ether type can be longer when processing incoming VLAN-tagged packets
+         (?<ethtype>[0-9a-f]{2} (?::[0-9a-f]{2})+ )
+        )?
+        \s
+       )?
+
+       SRC=(?<source>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\s
+       DST=(?<dest>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\s
+       LEN=(?<pkt_len>\d+)\s
+       # kernel nf_log_syslog.c mixes 0x%x and 0x%X for various hex outputs,
+       # be defensive in case someone decides to standardize some day
+       TOS=(?<pkt_tos>0x[A-Fa-f0-9]+)\s
+       PREC=(?<pkt_prec>0x[A-Fa-f0-9]+)\s
+       TTL=(?<pkt_ttl>\d+)\s
+       ID=(?<pkt_id>\d+)\s
+       (?: (?<ip_df>DF) \s )?
+
+       # Get what we can out of each protocol
+       PROTO=
+       (?:
+        (?<proto>TCP) \s
+        SPT=(?<src_port>\d+) \s
+        DPT=(?<dst_port>\d+) \s
+        # Some logs are missing SEQ= and ACK=
+        (?:
+         SEQ=\d+ \s
+         ACK=\d+ \s
+        )?
+        WINDOW=(?<tcp_win>[0-9]+) \s
+        RES=0x[A-Fa-f0-9]{2} \s
+        (?: (?<tcp_flag_cwr>CWR) \s )?
+        (?: (?<tcp_ewe>EWE) \s )?
+        (?: (?<tcp_urg>URG) \s )?
+        (?: (?<tcp_ack>ACK) \s )?
+        (?: (?<tcp_psh>PSH) \s )?
+        (?: (?<tcp_rst>RST) \s )?
+        (?: (?<tcp_syn>SYN) \s )?
+        (?: (?<tcp_fin>FIN) \s )?
+        URGP=\d+ \s
+        (?: OPT \s \( [^)\s]+ \) \s )?
+       |
+        (?<proto>UDP) \s
+        SPT=(?<src_port>\d+) \s
+        DPT=(?<dst_port>\d+) \s
+        LEN=(?<udp_len>\d+) \s
+       |
+        (?<proto>ICMP) \s
+        TYPE=(?<icmp_type>\d+) \s
+        CODE=(?<icmp_code>\d+) \s
+        # Some ICMP errors have an embedded packet header inside
+        (?:
+         ID=(?<icmp_id>\d+) \s
+         SEQ=(?<icmp_seq>\d+) \s
+        |
+         \[
+         SRC= (?<icmp_err_src_ip>[0-9.]{7,15}) \s
+         DST= (?<icmp_err_dst_ip>[0-9.]{7,15}) \s
+         .*
+         PROTO=(?<icmp_err_proto>[^ ]+) \s
+         (?:
+          SPT=(?<icmp_err_src_port>\d+) \s
+          DPT=(?<icmp_err_dst_port>\d+) \s
+         )?
+         [^\]]*
+         \] .*
+        )?
+       |
+        (?<proto>ESP) \s
+        SPI=(?<esp_spi>0x[A-Fa-f0-9]+) \s
+       |
+        (?<proto>[^ ]+) \s
+        (?: (?<proto_extra>[^\s].*) \s )?
+       )
+
+       # Output rules might have --log-uid applied
+       (?:
+        UID=(?<uid>[0-9]+) \s
+        GID=(?<gid>[0-9]+) \s
+       )?
+       # Packet markings
+       (?: MARK=(?<pkt_mark>0x[A-Fa-f0-9]+) \s )?
+
+       # support arbitrary unknown suffixes rather than fail to match
+       (?<fw_unknown_suffix>.*)
+       $
+    types: 'src_port:integer,dst_port:integer,pkt_ttl:integer,pkt_tos:integer,pkt_len:integer'
 
   - name: couchbase_json_log_nanoseconds
     # Various parsers for Couchbase Server logs

conf/parsers_java.yaml

@@ -1,6 +1,6 @@
 parsers:
   - name: java_multiline
     format: regex
-    regex: '/^(?<time>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}) \[(?<thread>.*)\] (?<level>[^\s]+)(?<message>.*)/'
+    regex: '^(?<time>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}) \[(?<thread>.*)\] (?<level>[^\s]+)(?<message>.*)'
     time_key: time
     time_format: '%Y-%m-%d %H:%M:%S'

conf/parsers_mult.yaml

@@ -1,21 +1,21 @@
 parsers:
   - name: mult_first
     format: regex
-    regex: Started (?<method>[^ ]+) "(?<path>[^"]+)" for (?<host>[^ ]+) at (?<time>[^ ]+ [^ ]+ [^ ]+)
+    regex: 'Started (?<method>[^ ]+) "(?<path>[^"]+)" for (?<host>[^ ]+) at (?<time>[^ ]+ [^ ]+ [^ ]+)'
     time_key: time
     time_format: '%Y-%m-%d %H:%M:%S %z'
 
   - name: mult_1
     format: regex
-    regex: /Processing by (?<controller>[^\u0023]+)\u0023(?<controller_method>[^ ]+) as (?<format>[^ ]+?)$/
+    regex: 'Processing by (?<controller>[^\u0023]+)\u0023(?<controller_method>[^ ]+) as (?<format>[^ ]+?)$'
 
   - name: mult_2
     format: regex
     regex: '(  Parameters: (?<parameters>[^ ]+))?'
 
   - name: mult_3
     format: regex
-    regex: /  Rendered (?<template>[^ ]+) within (?<layout>.+) \([\d\.]+ms\)/
+    regex: '  Rendered (?<template>[^ ]+) within (?<layout>.+) \([\d\.]+ms\)'
 
   - name: mult_4
     format: regex

conf/parsers_multiline.yaml

@@ -4,9 +4,9 @@ multiline_parsers:
     flush_timeout: 1000
     rules:
       - state: start_state
-        regex: '/(Dec \d+ \d+\:\d+\:\d+)(.*)/'
+        regex: '(Dec \d+ \d+\:\d+\:\d+)(.*)'
         next_state: cont
 
       - state: cont
-        regex: /^\s+at.*/
+        regex: '^\s+at.*'
         next_state: cont

tests/internal/data/config_format/convert/parsers.syslog-rfc5424.test

@@ -0,0 +1,3 @@
+<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
+<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource= "Application" eventID="1011"] BOMAn application event log entry...
+<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource= "Application" eventID="1011"][examplePriority@32473 class="high"]

tests/internal/data/config_format/convert/parsers_extra.iptables.test

@@ -0,0 +1,27 @@
+[LAN_IN-2001-A]IN=eth1.40 OUT=eth1 MAC=fc:ec:da:47:47:e6:64:5d:86:dd:43:66:08:00:45:00:00:4c SRC=10.231.40.102 DST=10.231.1.21 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=47001 DF PROTO=UDP SPT=52295 DPT=53 LEN=56 
+[LAN_LOCAL-default-A]IN=eth1 OUT= MAC= SRC=10.231.1.1 DST=224.0.0.251 LEN=257 TOS=0x00 PREC=0x00 TTL=255 ID=19888 PROTO=UDP SPT=5353 DPT=5353 LEN=237 
+[LAN_IN-2005-A]IN=eth1 OUT=eth1.20 MAC=fc:ec:da:47:47:e6:b4:2e:99:19:8e:79:08:00 SRC=10.231.1.21 DST=10.231.20.2 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=47505 DF PROTO=TCP SPT=54668 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 
+[LAN_IN-2001-A]IN=eth1.40 OUT=eth1 MAC=fc:ec:da:47:47:e6:3e:28:89:63:06:05:08:00:45:00:00:50 SRC=10.231.40.100 DST=10.231.1.21 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=39238 PROTO=UDP SPT=50915 DPT=53 LEN=60 
+[LAN_LOCAL-default-A]IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:68:54:5a:6f:b9:c7:08:00 SRC=10.231.1.135 DST=10.231.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=19104 DF PROTO=UDP SPT=57621 DPT=57621 LEN=52 
+[LAN_LOCAL-default-A]IN=eth1 OUT= MAC= SRC=10.231.1.1 DST=224.0.0.251 LEN=257 TOS=0x00 PREC=0x00 TTL=255 ID=32703 DF PROTO=UDP SPT=5353 DPT=5353 LEN=237 
+[LAN_LOCAL-default-A]IN=eth1 OUT= MAC= SRC=10.231.1.1 DST=224.0.0.251 LEN=810 TOS=0x00 PREC=0x00 TTL=255 ID=33948 DF PROTO=UDP SPT=5353 DPT=5353 LEN=790 
+[WAN_LOCAL-default-D]IN=pppoe0 OUT= MAC= SRC=111.50.82.233 DST=51.148.135.105 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=28588 DF PROTO=TCP SPT=61114 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0 
+[LAN_LOCAL-default-A]IN=eth1.20 OUT= MAC= SRC=10.231.20.1 DST=224.0.0.2 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 
+[LAN_LOCAL-default-A]IN=eth1 OUT= MAC=fc:ec:da:47:47:e6:74:83:c2:d3:96:c9:08:00 SRC=10.231.1.2 DST=10.231.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=13257 DF PROTO=TCP SPT=8080 DPT=55045 WINDOW=348 RES=0x00 ACK FIN URGP=0 
+[LAN_LOCAL-default-A]IN=eth1.20 OUT= MAC=fc:ec:da:47:47:e6:14:0a:c5:8c:ae:e6:08:00:45:00:00:54 SRC=10.231.20.52 DST=10.231.20.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44298 DF PROTO=ICMP TYPE=8 CODE=0 ID=56026 SEQ=47360 
+[LAN_LOCAL-default-A]IN=eth1 OUT= MAC=fc:ec:da:47:47:e6:74:83:c2:d3:96:c9:08:00 SRC=10.231.1.2 DST=10.231.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=13257 DF PROTO=TCP SPT=8080 DPT=55045 WINDOW=348 RES=0x00 ACK PSH FIN URGP=0 
+[17043827.627166] filter_IN_public_REJECT: IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:41:42:60:17:f7:08:00 SRC=172.33.9.172 DST=172.54.7.213 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=715 PROTO=UDP SPT=138 DPT=138 LEN=209 
+[17286083.004815] [UFW ALLOW] IN= OUT=ens18 SRC=172.27.6.134 DST=172.22.3.8 LEN=275 TOS=0x00 PREC=0x00 TTL=255 ID=1957 DF PROTO=UDP SPT=26622 DPT=514 LEN=255 
+[17286084.151998] [UFW AUDIT] IN=ens18 OUT= MAC=bc:24:11:43:51:f1:90:e2:ba:03:35:f9:08:00 SRC=172.22.3.8 DST=172.27.6.134 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=47061 DF PROTO=TCP SPT=43848 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 
+[17377855.003423] [UFW BLOCK] IN=ens18 OUT= MAC=bc:24:11:43:51:f1:bc:24:11:90:09:82:08:00 SRC=172.15.5.77 DST=172.27.6.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43316 DF PROTO=TCP SPT=43902 DPT=999 WINDOW=64240 RES=0x00 SYN URGP=0 
+[UFW BLOCK] IN=ens18 OUT= MAC=01:00:5e:00:00:fb:4c:41:42:3c:cf:1c:08:00 SRC=172.79.1.173 DST=226.2.1.222 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=37808 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53 
+[4805310.266869] FW: forward DROP IN=ppp0 OUT=eth1 MAC= SRC=49.208.208.102 DST=31.11.105.81 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=63854 PROTO=TCP SPT=41651 DPT=17828 SEQ=1604673260 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
+FW: output ACCEPT IN= OUT=ppp0 SRC=80.45.189.60 DST=124.223.255.7 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=26952 PROTO=UDP SPT=34698 DPT=53 LEN=100 UID=40 GID=40 
+FW: input ACCEPT IN=eth0 OUT= MAC=b4:2e:99:a3:85:67:c4:ad:34:32:32:df:08:00 SRC=10.6.2.3 DST=10.24.22.19 LEN=576 TOS=0x00 PREC=0xC0 TTL=254 ID=64723 PROTO=ICMP TYPE=3 CODE=4 [SRC=10.24.22.19 DST=203.61.18.149 LEN=2083 TOS=0x00 PREC=0x00 TTL=254 ID=31331 DF PROTO=TCP SPT=18252 DPT=443 WINDOW=502 RES=0x00 ACK PSH URGP=0 ] MTU=1492 
+FW: forward DROP IN=ppp0 OUT=eth1 MAC= SRC=19.155.185.156 DST=51.56.241.88 LEN=119 TOS=0x00 PREC=0xC0 TTL=53 ID=31027 PROTO=ICMP TYPE=3 CODE=3 [SRC=51.56.241.88 DST=19.155.185.156 LEN=91 TOS=0x00 PREC=0x00 TTL=243 ID=63387 PROTO=UDP SPT=46210 DPT=25172 LEN=71 ] 
+[4805310.137667] nf_ct_proto_6: packet (index 1) in dir 1 ignored, state SYN_RECV IN=eth1 OUT= MAC=00:ec:ac:ce:b3:63:00:1b:21:54:1c:3d:08:00 SRC=39.76.232.40 DST=246.97.70.56 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=443 DPT=14129 SEQ=158435768 ACK=2043537019 WINDOW=65340 RES=0x00 ACK SYN URGP=0 OPT (020405AC01030307) 
+nf_ct_proto_6: invalid new IN=eth2 OUT= MAC=00:ec:ac:ce:b3:64:50:e0:85:84:a1:61:08:00 SRC=192.168.9.182 DST=109.250.21.12 LEN=71 TOS=0x00 PREC=0x00 TTL=128 ID=29429 DF PROTO=TCP SPT=61919 DPT=443 SEQ=438203318 ACK=2825421336 WINDOW=510 RES=0x00 ACK PSH FIN URGP=0 
+[4805337.689552] nf_ct_proto_6: bad checksum IN=ppp0 OUT= MAC= SRC=155.146.130.32 DST=39.76.232.40 LEN=447 TOS=0x00 PREC=0x00 TTL=55 ID=39575 DF PROTO=TCP SPT=36187 DPT=443 SEQ=3240783289 ACK=3631033297 WINDOW=1386 RES=0x00 ACK PSH URGP=0 
+nf_ct_proto_6: packet (index 1) in dir 1 ignored, state ESTABLISHED IN=eth1 OUT= MAC=00:ec:ac:ce:b3:63:90:b1:1c:3e:e7:a2:08:00 SRC=64.99.143.10 DST=42.162.203.2 LEN=48 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=443 DPT=16426 SEQ=739183654 ACK=166439761 WINDOW=65340 RES=0x00 ACK SYN URGP=0 OPT (020405AC01030307) 
+[ 1156.246182] calico-drop: IN=tunl0 OUT=cali76be879f658 MAC= SRC=192.168.128.30 DST=192.168.157.26 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=56743 DF PROTO=TCP SPT=56248 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xa000000 
+FW: input ACCEPT IN=ib0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:08:00:00:00 SRC=10.2.7.172 DST=10.2.6.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51724 DF PROTO=TCP SPT=934 DPT=60219 SEQ=1823043416 ACK=0 WINDOW=65480 RES=0x00 SYN URGP=0