;; iphone ;; plugin_id: 4006 ;; type: detector ;; [DEFAULT] plugin_id=4006 [config] type=detector enable=yes source=log location=/var/log/system.log # create log file if it does not exists, # otherwise stop processing this plugin create_file=false process= start=no stop=no startup= shutdown= ## rules [iphone - Youtube video started] #Dec 1 17:33:03 localhost /usr/sbin/mediaserverd: In H264 decode frame thread the first time event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+([^:]+): In H264 decode frame thread the first time sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=1 sensor={resolv($sensor)} userdata1={$3} [iphone - Youtube video finished] #Dec 1 17:36:19 localhost YouTube[189]: clearing out queue event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+(YouTube\[\d+\]): clearing out queue sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=2 sensor={resolv($sensor)} userdata1=YouTube [iphone - Process Crashed] #Dec 1 17:37:26 localhost crashdump[199]: Creating crash report for process vi[192] event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+([^:]+): Creating crash report for process\s+(.*)\[(\d+)\] sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=3 sensor={resolv($sensor)} userdata1={$4} userdata2={$5} [iphone - Program accesed] #Dec 1 17:40:25 localhost MobileSMS[219]: SummerBoardLoader: SummerBoardService available. #Dec 1 17:47:32 localhost MobileCal[235]: SummerBoardLoader: SummerBoardService available. event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+(.*)\[(\d+)\]: SummerBoardLoader: SummerBoardService available sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=4 sensor={resolv($sensor)} userdata1={$3} userdata2={$4} [iphone - Out of memory] #Dec 1 17:51:29 localhost SpringBoard[15]: Memory level is urgent (10), but there are no apps to warn! event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+SpringBoard\[\d+\]: (Memory level is urgent.*$) sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=5 sensor={resolv($sensor)} userdata1={$3} [iphone - IPod started] #Dec 1 17:54:14 localhost MobileMusicPlayer[50]: initializeMainUI, Role = 2 (MediaPlayer) event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+MobileMusicPlayer\[\d+\]: (initializeMainUI,.*$) sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=6 sensor={resolv($sensor)} userdata1={$3} [iphone - Installer started] #Dec 1 17:55:23 localhost Installer[51]: ATInstaller: Initializing... event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+Installer\[\d+\]: (ATInstaller: Initializing.*$) sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=7 sensor={resolv($sensor)} userdata1={$3} [iphone - Source fetched] #Dec 1 17:55:29 localhost Installer[51]: ATPackageManager: Refreshing source: http://conceitedsoftware.com/iphone/ event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+Installer\[\d+\]:.*Refreshing source: (.*$) sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=8 sensor={resolv($sensor)} userdata1={$3} [iphone - Installing software] #Dec 1 17:56:30 localhost Installer[51]: ATPackageManager: Perfoming operation "Install" on package "Tapp"... event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+Installer\[\d+\]:.*operation "Install" on package\s+"([^"])*" sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=9 sensor={resolv($sensor)} userdata1={$3} [iphone - Uninstalling software] #Dec 1 18:25:02 localhost Installer[58]: ATPackageManager: Queued package "Tapp" for operation "Uninstall". event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+Installer\[\d+\]:.*Queued package\s+"([^"])*" for operation "Uninstall" sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=10 sensor={resolv($sensor)} userdata1={$3} [iphone - Folder created] #Dec 1 17:56:30 localhost Installer[51]: ATUnpacker: Extracting folder: Tapp.app/ >> /Applications/Tapp.app event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+Installer\[\d+\]:.*Extracting folder:\s+(.*)\s+>>\s+(.*$) sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=11 sensor={resolv($sensor)} userdata1={$4} userdata2={$3} filename={$4} [iphone - File created] #Dec 1 17:56:31 localhost Installer[51]: ATUnpacker: Extracting file: Tapp.app/TableApp >> /Applications/Tapp.app/TableApp event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+Installer\[\d+\]:.*Extracting file:\s+(.*)\s+>>\s+(.*$) sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=12 sensor={resolv($sensor)} userdata1={$4} userdata2={$3} filename={$4} [iphone - Path removed] #Dec 1 18:25:02 localhost Installer[58]: Executing script instruction: RemovePath with arguments ("/Applications/Tapp.app") event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+Installer\[\d+\]:\s+Executing script instruction: RemovePath with arguments \("([^"]+)"\) sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=13 sensor={resolv($sensor)} userdata1={$3} filename={$3} [iphone - Call Performed] #Dec 1 17:58:47 localhost MobileBluetooth[12]: Session::attach "com.apple.mobilephone1014721381" event_type=event regexp=(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P\S+)\s+MobileBluetooth\[\d+\]:\s+(Session:attach.*$) sensor={resolv($sensor)} date={normalize_date($1)} plugin_sid=14 sensor={resolv($sensor)} userdata1={$3}