PaloAltoNetworksADEM.sublime-syntax
%YAML 1.2
---
# Version: 0.02
# Author: Nolan Rumble
# Last modified: 2022/06/07
# Github: https://github.com/PaloAltoNetworks/LogFileHighlighting
# See http://www.sublimetext.com/docs/3/syntax.html
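name: PAN - ADEM Endpoint
# Associates this syntax with every *.log file, not only the ADEM agent logs.
file_extensions:
  - log
# NOTE(review): this value looks like two file names joined by '|' rather than
# a dotted scope name. It is left unchanged because other syntaxes or colour
# schemes may already reference it.
scope: palo_alto_networks_dem_agent.log|palo_alto_networks_dem_agent.1.log

variables:
  date: '\d{4}-\d{2}-\d{2}'
  # The millisecond separator is escaped so that only a literal '.' matches;
  # an unescaped '.' would accept any character in that position.
  time: '\d{2}\:\d{2}\:\d{2}\.\d{3}'
  # Not referenced by any context below. It lists 'warn', while LineWarning
  # matches the literal tag '[warning]'.
  log_level: '\bdebug\b|\berror\b|\binfo\b|\bwarn\b'
  # Shape check only: no octet range check and no word boundaries, so values
  # such as 999.999.999.999 or a four-part version string are also coloured as
  # addresses. Treat the highlight as a reading aid, not as validation.
  ipv4: '(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
  # Matches a run of lowercase hex digits and colons that ends in ':' followed
  # by hex digits. Written without a quantified group inside another
  # quantifier, which accepts the same text as '([a-f0-9:]+:+)+[a-f0-9]+' but
  # cannot backtrack exponentially on long hex/colon runs in a log line.
  # Uppercase hex is not matched.
  ipv6: '[a-f0-9:]+:[a-f0-9]+'

contexts:
  # Leading '[<date> <time>] [default]' part of a log line.
  LinePrefix:
    - match: '\[({{date}})\s({{time}})\]\s\[(default)\]'
      captures:
        1: keyword.control.example-c
        2: keyword.control.example-c
        3: punctuation.definition.string

  # Consumes the 'WireProtocolClient incoming message [...] with payload: '
  # text without assigning a scope. Presumably this keeps the bracketed part
  # away from the JSON rule so that only the payload is embedded; confirm.
  LineInfoSuffix:
    - match: 'WireProtocolClient\sincoming\smessage\s\[.*\]\swith\spayload:\s'

  # Colours only the '[info]' tag; the rest of the line stays available to the
  # other rules.
  LineInfo:
    - match: '\s\[info\]\s'
      scope: keyword.control.example-c
    - include: LineInfoSuffix

  # Colours the '[warning]' tag and the remainder of the line.
  LineWarning:
    - match: '\s\[warning\]\s.*'
      scope: entity.name.constant

  # Colours the '[error]' tag and the remainder of the line.
  LineError:
    - match: '\s\[error\]\s.*'
      scope: constant.language.null

  # Certificate messages: group 1 = subject, group 2 = issuer, group 3 =
  # signature. Each group is a greedy '(.*)', so when a subject or issuer
  # itself contains the separator text the split lands on the last occurrence.
  # The colours help reading; they are not a parse of the certificate fields.
  PKI:
    - match: 'Certificate\shas\ssubject\s(.*)\sby issuer\s(.*)\sand\shas\scryptographic\ssignature\sof\s(.*)'
      captures:
        1: constant.numeric.value
        2: string.quoted
        3: constant.numeric.value
    - match: 'Loaded\sroot\scertificate,\sit\shas\ssubject\s(.*),\sissuer\s(.*),\sand\ssignature\s(.*)'
      captures:
        1: constant.numeric.value
        2: string.quoted
        3: constant.numeric.value
    - match: 'A\sclient\scert\shas\sbeen\sprovided\sfor\sthis\sconnection\.\sIt\shas\ssubject\s(.*),\sissuer\s(.*)\sand\ssignature\s(.*)'
      captures:
        1: constant.numeric.value
        2: string.quoted
        3: constant.numeric.value

  # Hands text that starts with '{' or '[' to the JSON syntax until the next
  # line that begins with '[<date> '. The match consumes only leading
  # whitespace and has no capture group, so the former 'captures: 1:' entry
  # could never apply and is dropped.
  # NOTE(review): any '[' that no earlier rule consumed also triggers this
  # rule, e.g. a level tag without a context of its own; confirm against real
  # logs.
  JSON:
    - match: '\s*(?={|\[)'
      embed: scope:source.json
      # Lookahead for the date of the next log item.
      escape: '(?=^\[{{date}}\s)'

  IPAddresses:
    - match: '{{ipv4}}|{{ipv6}}'
      scope: constant.numeric.value

  # When two rules match at the same position the earlier include wins, so the
  # order of this list is significant.
  main:
    - include: LinePrefix
    - include: LineInfo
    - include: LineWarning
    - include: LineError
    - include: PKI
    - include: JSON
    - include: IPAddresses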