LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Reload this Page regex + syslog-ng group patterns
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Closed Thread
  Search this Thread
Old 02-03-2017, 07:24 AM   #1
jogyulas
Member
 
Registered: May 2014
Location: Hungary
Posts: 32

Rep: Reputation: Disabled
regex + syslog-ng group patterns

Hi Guys

I need some help and I hope somebody can help me
I would like to capture specific windows security logs with syslog-ng.
Part of a windows event log for example:
Destination Port: 51365
Layer Run-Time ID: 44 (EventID 5156)
Dynamic columns:
.sdata.timequality.issynced=0 |
.sdata.timequality.tzknown=1 |
.sdata.meta.sequenceid=536797 |
.sdata.win@18372.4.event_category=Filtering Platform Connection |
.sdata.win@18372.4.event_facility=16 |
.sdata.win@18372.4.event_id=5156 |
.sdata.win@18372.4.event_level=0 |
.sdata.win@18372.4.event_name=Security |
.sdata.win@18372.4.event_rec_num=705976102 |
.sdata.win@18372.4.event_sid=N/A |
.sdata.win@18372.4.event_source=Microsoft Windows security auditing. |
.sdata.win@18372.4.event_task=Filtering Platform Connection |
.sdata.win@18372.4.event_type=Success Audit |

And here it is my filter from syslog-ng:
filter event_id_ad { match("(?:event_id=)(1102|4612|4624|4625|4656|4663|4672|4676|4704|4705|4719|4720|4722|4723|4724|4725 |4726|4728|4729|4731|4732|4733|4734|4737|4738|4739|4740|4754|4755|4756|4757|4758|4771|4776|4781|4911 |4913|5136|6279
)" value("MESSAGE")); };

I know it isn't so nice but my biggest problem is I don't know how to concatenate "event_id=" and the exact event ids which are needed for me for example 4624. As you can see unfortunately it collects this message because it matches with estination Port: 51365

Ty in advance
 
Old 02-03-2017, 09:58 AM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,596

Rep: Reputation: 4080Reputation: 4080Reputation: 4080Reputation: 4080Reputation: 4080Reputation: 4080Reputation: 4080Reputation: 4080Reputation: 4080Reputation: 4080Reputation: 4080
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate.

--jeremy
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Would like to share some common regex patterns... Madhu Desai Linux - Newbie 4 12-11-2013 12:19 AM
[SOLVED] AWK: Insert a blank line after each group of patterns matched cristalp Programming 6 10-22-2013 08:07 AM
[SOLVED] regex question - weed repeating chars/patterns samji9999 Programming 5 08-20-2010 08:42 AM
Perl only matching single-character regex patterns? Lordandmaker Programming 3 01-20-2009 08:59 AM
sed: howto group regex's into AND/OR clauses? jhwilliams Linux - Software 5 08-01-2007 02:19 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 05:07 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration