A first example for a rulebase you can download at http://blog.gerhards.net/2010/11/log-normalization-first-results.html I will use an excerpt of that rulebase to show you the most common expressions. rule=:%date:date-rfc3164% %host:word% %tag:char-to:\x3a%: no longer listening on %ip:ipv4%#%port:number%’ That excerpt is a common rule. A rule contains different “parts”/properties, like the message you want to normalize (e.g. Host, IP, […]