; YYYY/MM/DD HH:MM:SS [LEVEL] PID:TID yadda yadda
[Nginx messages grouped.]
log 1 pass = 2014/12/30 06:07:37 [yadda] 80:2 yadda yadda

rule = 31300
alert = 0
decoder = nginx-errorlog

[Nginx error message.]
log 1 pass = 2014/12/30 06:07:37 [error] 80:2 yadda yadda

rule = 31301
alert = 3
decoder = nginx-errorlog

[Nginx warning message.]
log 1 pass = 2014/12/30 06:07:37 [warn] 80:2 yadda yadda

rule = 31302
alert = 3
decoder = nginx-errorlog

[Nginx critical message.]
log 1 pass = 2014/12/30 06:07:37 [crit] 80:2 

rule = 31303
alert = 5
decoder = nginx-errorlog

[Server returned 404 (reported in the access.log).]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah failed (2: No such file or directory)
log 2 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah is not found (2: No such file or directory)

rule = 31310
alert = 0
decoder = nginx-errorlog

[Incomplete client request.]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah accept() failed (53: Software caused connection abort)

rule = 31311
alert = 0
decoder = nginx-errorlog

[Initial 401 authentication request.]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 no user/password was provided for basic authentication

rule = 31312
alert = 0
decoder = nginx-errorlog

[Web authentication failed.]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda password mismatch, client yadda
log 2 pass = 2015/01/08 11:31:23 [error] 80:2 yadda was not found in yadda

rule = 31315
alert = 5
decoder = nginx-errorlog

# Can't yet test frequency   <rule id="31316" level="10" frequency="6" timeframe="240">
;[Multiple web authentication failures.]
;
;rule = 31316
;alert = 10
;decoder = nginx-errorlog

[Common cache error when files were removed.]
log 1 pass = 2015/01/08 11:31:23 [crit] 80:2 yadda yadda failed (2: No such file or directory

rule = 31317
alert = 0
decoder = nginx-errorlog

[Invalid URI, file name too long.]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda yadda failed (36: File name too long)

rule = 31320
alert = 10
decoder = nginx-errorlog