Highlight pack — syslog / journald
Practical starter for generic syslog, journald, and systemd output. Rules cover:
- RFC 5424 severity keywords (emerg/crit/err red, notice yellow, debug dim)
- [ OK ] / [FAILED] / [WARN] markers from sysv-style boot scripts and many init systems
- sshd events — "Accepted publickey" green, "Failed password" / "Invalid user" red
- systemd unit lifecycle ("Started …" / "Reached target" green, "Stopped" / "Failed to start" red)
- Daemon tags (sshd:, kernel:, systemd:, cron:, …) blue
- PIDs [1234] dim
- RFC 3164 priority prefix <NN> dim
Import via Settings → Syntax Highlighting → Import pack…, or drop
the file directly into
$SUPPORT_DIR/highlight/syslog-example.json. Stack with the
Baudrun default pack to also pick up IPs, MACs, and the generic
status keywords.
The rule playground is the easiest way to
tweak — drop a real journalctl or /var/log/syslog capture into
the right pane and watch the colors apply live as you edit the JSON.
Download
Or copy from the block below.
Pack contents
{
  "id": "syslog-example",
  "name": "Syslog (example)",
  "description": "Example importable pack for generic syslog/journald/dmesg output — RFC 3164/5424 severity keywords, systemd unit states, sshd events, kernel messages, common [OK]/[FAILED] markers. Rename and edit freely; the id must be alphanum, hyphen, or underscore.",
  "rules": [
    {
      "pattern": "\\[\\s*OK\\s*\\]",
      "color": "green",
      "ignoreCase": false,
      "group": "marker-ok"
    },
    {
      "pattern": "\\[\\s*FAILED?\\s*\\]",
      "color": "red",
      "ignoreCase": false,
      "group": "marker-fail"
    },
    {
      "pattern": "\\[\\s*WARN(?:ING)?\\s*\\]",
      "color": "yellow",
      "ignoreCase": false,
      "group": "marker-warn"
    },
    {
      "pattern": "\\[\\s*INFO\\s*\\]",
      "color": "dim",
      "ignoreCase": false,
      "group": "marker-info"
    },
    {
      "pattern": "\\b(?:emerg(?:ency)?|panic|fatal|alert|crit(?:ical)?)\\b",
      "color": "red",
      "ignoreCase": true,
      "group": "severity-critical"
    },
    {
      "pattern": "\\b(?:err(?:or)?)\\b",
      "color": "red",
      "ignoreCase": true,
      "group": "severity-error"
    },
    {
      "pattern": "\\bnotice\\b",
      "color": "yellow",
      "ignoreCase": true,
      "group": "severity-notice"
    },
    {
      "pattern": "\\b(?:debug|trace)\\b",
      "color": "dim",
      "ignoreCase": true,
      "group": "severity-debug"
    },
    {
      "pattern": "^<\\d{1,3}>",
      "color": "dim",
      "ignoreCase": false,
      "group": "priority-prefix"
    },
    {
      "pattern": "\\bAccepted\\s+(?:publickey|password|keyboard-interactive)\\b",
      "color": "green",
      "ignoreCase": false,
      "group": "sshd-accepted"
    },
    {
      "pattern": "\\b(?:Failed\\s+password|Invalid\\s+user|authentication\\s+failure|PAM\\s+\\d+\\s+more\\s+authentication\\s+failures?|Disconnected\\s+from\\s+authenticating\\s+user)\\b",
      "color": "red",
      "ignoreCase": false,
      "group": "sshd-denied"
    },
    {
      "pattern": "\\bsession\\s+(?:opened|started|closed|terminated)\\b",
      "color": "yellow",
      "ignoreCase": false,
      "group": "session-event"
    },
    {
      "pattern": "\\b(?:Started|Reached\\s+target|Listening\\s+on|Mounted)\\b",
      "color": "green",
      "ignoreCase": false,
      "group": "systemd-good"
    },
    {
      "pattern": "\\b(?:Stopped|Unmounted|Failed\\s+to\\s+start|Deactivated|Job\\s+.+\\s+failed)\\b",
      "color": "red",
      "ignoreCase": false,
      "group": "systemd-bad"
    },
    {
      "pattern": "\\b(?:kernel|systemd|sshd|sudo|cron|crond|dhclient|dhcpcd|NetworkManager|wpa_supplicant|rsyslogd|journal|auditd|dbus-daemon|polkitd|avahi-daemon|systemd-resolved|systemd-networkd|systemd-logind|systemd-timesyncd)(?:\\[\\d+\\])?(?=:)",
      "color": "blue",
      "ignoreCase": false,
      "group": "daemon-tag"
    },
    {
      "pattern": "\\[\\d+\\]",
      "color": "dim",
      "ignoreCase": false,
      "group": "pid"
    }
  ]
}
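
An offline pre-import check for a pack like the one above, added here as an example and not part of Baudrun or its documentation: it validates the id, compiles every pattern, and reports which groups fire on constructed sshd lines. It assumes Python's re module behaves like the app's regex engine for these patterns and reads the id rule as ASCII-only; check_pack, groups_for and the sample lines are hypothetical names and data.

```python
import json
import re

# Four rules copied unchanged from the pack above (constructed subset, pack order kept).
PACK = json.loads(r'''
{"id": "syslog-example", "rules": [
 {"pattern": "\\b(?:err(?:or)?)\\b", "ignoreCase": true, "group": "severity-error"},
 {"pattern": "\\bAccepted\\s+(?:publickey|password|keyboard-interactive)\\b",
  "ignoreCase": false, "group": "sshd-accepted"},
 {"pattern": "\\b(?:Failed\\s+password|Invalid\\s+user|authentication\\s+failure|PAM\\s+\\d+\\s+more\\s+authentication\\s+failures?|Disconnected\\s+from\\s+authenticating\\s+user)\\b",
  "ignoreCase": false, "group": "sshd-denied"},
 {"pattern": "\\[\\d+\\]", "ignoreCase": false, "group": "pid"}
]}''')

# Constructed sample lines in OpenSSH's auth-log style (documentation IP ranges).
SAMPLE = [
    "May  4 10:01:02 host sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "May  4 10:01:09 host sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40114 ssh2",
    "May  4 10:01:15 host sshd[2215]: error: maximum authentication attempts exceeded for invalid user admin from 198.51.100.7 port 40114 ssh2 [preauth]",
    "May  4 10:02:00 host sshd[2300]: Connection closed by invalid user test 198.51.100.7 port 40200 [preauth]",
]

# Assumption: the description's "alphanum, hyphen, or underscore" means ASCII only.
ID_RE = re.compile(r"[A-Za-z0-9_-]+")


def check_pack(pack):
    """Return problems found before import: bad id, or a pattern that does not compile."""
    problems = []
    if not ID_RE.fullmatch(str(pack.get("id", ""))):
        problems.append("id: only alphanumerics, hyphen and underscore are allowed")
    for i, rule in enumerate(pack.get("rules", [])):
        try:
            re.compile(rule["pattern"])
        except (KeyError, re.error) as exc:
            problems.append(f"rules[{i}]: {exc!r}")
    return problems


def groups_for(pack, line):
    """Groups whose pattern matches somewhere in the line, in pack order."""
    hits = []
    for rule in pack["rules"]:
        flags = re.IGNORECASE if rule.get("ignoreCase") else 0
        if re.search(rule["pattern"], line, flags):
            hits.append(rule["group"])
    return hits


if __name__ == "__main__":
    print(check_pack(PACK) or "pack OK")
    for line in SAMPLE:
        print(groups_for(PACK, line), "<-", line[16:])
```

The last sample line matches only pid: the sshd-denied rule is case-sensitive on "Invalid user", so a message carrying a lowercase "invalid user" is colored red only when another alternative such as "Failed password" also appears in it.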