-   Linux - Software (
-   -   regex concatenate? (

jogyulas 02-03-2017 06:36 AM

regex concatenate?
Hi Guys

I need some help and I hope somebody can help me :)
I would like to capture specific windows security logs with syslog-ng.
Part of a windows event log for example:
Destination Port: 51365
Layer Run-Time ID: 44 (EventID 5156)
Dynamic columns:
.sdata.timequality.issynced=0 |
.sdata.timequality.tzknown=1 |
.sdata.meta.sequenceid=536797 | Platform Connection | | | | | | | Windows security auditing. | Platform Connection | Audit |

And here it is my filter from syslog-ng:
filter event_id_ad { match("(?:event_id=)(1102|4612|4624|4625|4656|4663|4672|4676|4704|4705|4719|4720|4722|4723|4724|4725 |4726|4728|4729|4731|4732|4733|4734|4737|4738|4739|4740|4754|4755|4756|4757|4758|4771|4776|4781|4911 |4913|5136|6279
)" value("MESSAGE")); };

I know it isn't so nice :) but my biggest problem is I don't know how to concatenate "event_id=" and the exact event ids which are needed for me for example 4624. As you can see unfortunately it collects this message because it matches with estination Port: 51365

Ty in advance

syg00 02-04-2017 12:24 AM

When you don't understand what regex is or isn't doing, first step is to reduce the complexity. Any reason you can't reduce that expression to basic (POSIX) regex ?. There's always the possibility the engine in use isn't fully PCRE compliant.

All times are GMT -5. The time now is 03:42 AM.