From d2a953756802bd7cf63f5f5f792371f52f5cba8c Mon Sep 17 00:00:00 2001
From: jamesstout
Date: Tue, 30 Apr 2013 04:14:36 +0800
Subject: [PATCH] ENH: extra daemon info regex for matching log lines like: Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.30 port 54520 ssh2 this matches [ID 800047 auth.info]
---
 config/filter.d/common.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf
index 18bf41c5..d13b6adb 100644
--- a/config/filter.d/common.conf
+++ b/config/filter.d/common.conf
@@ -28,6 +28,10 @@ __pid_re = (?:\[\d+\])
 # EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
 __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
 
+# extra daemon info
+# EXAMPLE: [ID 800047 auth.info]
+__daemon_extra_re = (?:\[ID \d+ \S+\])
+
 # Combinations of daemon name and PID
 # EXAMPLES: sshd[31607], pop(pam_unix)[4920]
 __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
@@ -43,5 +47,5 @@ __hostname = \S+
 #
 # [hostname] [vserver tag] daemon_id spaces
 # this can be optional (for instance if we match named native log files)
-__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
+__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
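Review bot: The `\S+` in the added `__daemon_extra_re` also matches `]`, so the end of the tag is found by backtracking instead of at the first closing bracket. Excluding the bracket keeps the group to exactly one tag: `__daemon_extra_re = (?:\[ID \d+ [^\]\s]+\])`. The two comment lines give an example but not which syslog flavour emits this tag. Since the commit message does not name it either, a short comment such as `# message-ID tag some syslog daemons insert after "daemon[pid]:"` would help the next maintainer, with the exact source to be confirmed by the author.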
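Review bot: The new `__prefix_line` requires a mandatory `\s` between the optional daemon group and the optional `__daemon_extra_re`, where the old pattern ended in a plain `\s*`. The prefix can therefore no longer match an empty string, nor a hostname-only prefix whose trailing space was already consumed by `(?:%(__hostname)s )?`. The comment just above the line says the prefix can be optional for native log files, and a filter that stops matching there stops banning without any error. Keeping every part optional preserves the old behaviour while still accepting the tag: end the pattern with `%(__daemon_combs_re)s?\s*%(__daemon_extra_re)s?\s*`. Whether any shipped filter depends on the empty-prefix case is not visible in this hunk, so running the existing filter sample logs against the change would confirm it.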