- <decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
- <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
- <order>action,id</order>
- </decoder>
-
- <decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
- <order>user,extra_data,srcip</order>
- </decoder>
-
- <decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
- <order>user,extra_data,srcip,status</order>
- </decoder>
-
- <decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
- <order>user,extra_data,srcip,status</order>
- </decoder>
-
- <decoder name="auditd-user">
- <parent>auditd</parent>
- <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
- <order>extra_data,srcip,status</order>
- </decoder>
+<decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
+ <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
+ <order>action,id</order>
+</decoder>
+
+<decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
+ <order>user,extra_data,srcip</order>
+</decoder>
+
+<decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
+ <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+ <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+ <parent>auditd</parent>
+ <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+ <order>extra_data,srcip,status</order>
+</decoder>
+
+<!--
+mptscsih \ mptbase decoder
+
+Description: module for SCSI controllers.
+
+Examples:
+[ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=ffff88007a8a9f00)
+
+[ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
+[ 6498.769252] mptbase: ioc0: PhysDisk is now failed, out of sync
+
+[ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
+[ 6498.775788] mptbase: ioc0: volume is now degraded, enabled
+-->
+<decoder name="mptscsih-1">
+ <parent>iptables</parent>
+ <prematch>^[\s\d+.\d+] mptscsih: </prematch>
+ <regex>^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)</regex>
+ <order>id,data,status</order>
+</decoder>
+
+<decoder name="mptbase-1">
+ <parent>iptables</parent>
+ <prematch>^[\s\d+.\d+] mptbase: </prematch>
+ <regex>^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$</regex>
+ <order>id,data,action,status</order>
+</decoder>
+
+<!-- Grandstream HT502 VoIP gateway decoder
+Author and (c): Michael Starks, 2014 -->
+
+<!-- HT502: [00:0B:82:14:5B:94] Transport error (-1) for transaction 2677 -- >
+
+<decoder name="grandstream-ata">
+ <prematch>^HT286: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT502: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT503: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* </prematch>
+</decoder>
+
+<decoder name="grandstream-registration">
+ <parent>grandstream-ata</parent>
+ <prematch>Received </prematch>
+ <regex offset="after_prematch">^(\d+) response for transaction (\d+)\((\w+)\)$</regex>
+ <order>status, id, action</order>
+</decoder>
+
+<decoder name="grandstream-fts-registered">
+ <parent>grandstream-ata</parent>
+ <prematch>Account </prematch>
+ <regex offset="after_prematch">^(\d+) (registered), tried \d+; Next registration in \d+ seconds \(\d+/\d+\) on (\.+)$</regex>
+ <order>id, status, extra_data</order>
+ <fts>name, location, extra_data</fts>
+</decoder>
+
+<decoder name="grandstream-incoming-cid">
+ <parent>grandstream-ata</parent>
+ <prematch>Vinetic::</prematch>
+ <regex offset="after_prematch">^(startRing) with CID, Attempting to deliver CID (\d+) on port \d+$</regex>
+ <order>action, id</order>
+</decoder>
+
+<decoder name="grandstream-outgoing-call">
+ <parent>grandstream-ata</parent>
+ <regex offset="after_parent">^(Dialing) (\d+)$</regex>
+ <order>action, id</order>
+</decoder>