LinuxQuestions.org
Linux - Software
02-03-2017, 06:36 AM   #1
jogyulas
Member
Registered: May 2014
Location: Hungary
Posts: 32
regex concatenate?


Hi Guys

I need some help, and I hope somebody can help me.
I would like to capture specific Windows security logs with syslog-ng.
Part of a Windows event log, for example:
Destination Port: 51365
Layer Run-Time ID: 44 (EventID 5156)
Dynamic columns:
.sdata.timequality.issynced=0 |
.sdata.timequality.tzknown=1 |
.sdata.meta.sequenceid=536797 |
.sdata.win@18372.4.event_category=Filtering Platform Connection |
.sdata.win@18372.4.event_facility=16 |
.sdata.win@18372.4.event_id=5156 |
.sdata.win@18372.4.event_level=0 |
.sdata.win@18372.4.event_name=Security |
.sdata.win@18372.4.event_rec_num=705976102 |
.sdata.win@18372.4.event_sid=N/A |
.sdata.win@18372.4.event_source=Microsoft Windows security auditing. |
.sdata.win@18372.4.event_task=Filtering Platform Connection |
.sdata.win@18372.4.event_type=Success Audit |


And here is my filter from syslog-ng:
filter event_id_ad { match("(?:event_id=)(1102|4612|4624|4625|4656|4663|4672|4676|4704|4705|4719|4720|4722|4723|4724|4725|4726|4728|4729|4731|4732|4733|4734|4737|4738|4739|4740|4754|4755|4756|4757|4758|4771|4776|4781|4911|4913|5136|6279)" value("MESSAGE")); };


I know it isn't so nice, but my biggest problem is that I don't know how to concatenate "event_id=" and the exact event IDs that I need, for example 4624. As you can see, unfortunately it collects this message because it matches "Destination Port: 51365".

Thanks in advance
 
02-04-2017, 12:24 AM   #2
syg00
LQ Veteran
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,783
When you don't understand what a regex is or isn't doing, the first step is to reduce the complexity. Any reason you can't reduce that expression to basic (POSIX) regex? There's always the possibility the engine in use isn't fully PCRE compliant.
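The two posts above raise the same question from different sides: how to tie "event_id=" to an exact ID list so that a number elsewhere in the message (the "Destination Port: 51365" case, which contains the wanted ID 5136 as a substring) cannot satisfy the filter, and whether that can be done without PCRE-only syntax. The following is an added example, written for this page and not taken from the thread or from syslog-ng; it uses Python's `re` module as a stand-in for syslog-ng's match() engine (PCRE by default on syslog-ng 3.x, which is an assumption about the poster's version) and runs four regex variants over constructed sample messages in the shape of the poster's dump. The `exact_regex()` / `syslog_ng_filter()` helpers and the sample messages are mine, not the poster's configuration.

```python
import re

# Event IDs the original post wants to keep, copied from its filter with the
# stray spaces and the line break removed.
WANTED_IDS = [
    "1102", "4612", "4624", "4625", "4656", "4663", "4672", "4676", "4704",
    "4705", "4719", "4720", "4722", "4723", "4724", "4725", "4726", "4728",
    "4729", "4731", "4732", "4733", "4734", "4737", "4738", "4739", "4740",
    "4754", "4755", "4756", "4757", "4758", "4771", "4776", "4781", "4911",
    "4913", "5136", "6279",
]


def exact_regex(ids):
    """Regex that matches 'event_id=<id>' only for an id in the list and only
    when the number ends there.  ([^0-9]|$) is used instead of a lookahead so
    the expression is valid POSIX ERE as well as PCRE (syg00's suggestion)."""
    return "event_id=(" + "|".join(ids) + ")([^0-9]|$)"


def syslog_ng_filter(name, ids):
    """Render the filter statement as it would appear in syslog-ng.conf
    (hypothetical helper; the rendered line is what you would paste)."""
    return 'filter %s { match("%s" value("MESSAGE")); };' % (name, exact_regex(ids))


ALT = "|".join(WANTED_IDS)
VARIANTS = {
    # bare alternation: any occurrence of a listed number anywhere in the message
    "bare": re.compile("(" + ALT + ")"),
    # prefix concatenated, but nothing stops the id from continuing (4624 matches 46240)
    "prefixed": re.compile("event_id=(" + ALT + ")"),
    # PCRE-only: negative lookahead forbids a following digit
    "exact_pcre": re.compile("event_id=(" + ALT + r")(?!\d)"),
    # POSIX-safe equivalent, the form syslog_ng_filter() emits
    "exact_posix": re.compile(exact_regex(WANTED_IDS)),
}

# Constructed sample messages (not taken from the post) in the shape the
# original dump shows: the SDATA fields flattened into the message text.
SAMPLES = {
    "port_51365": (
        "Destination Port: 51365 Layer Run-Time ID: 44 "
        ".sdata.win@18372.4.event_id=5156 "
        ".sdata.win@18372.4.event_task=Filtering Platform Connection"
    ),
    "logon_4624": (
        "Logon Type: 3 .sdata.win@18372.4.event_id=4624 "
        ".sdata.win@18372.4.event_task=Logon"
    ),
    "lookalike_46240": (
        "Some message .sdata.win@18372.4.event_id=46240 "
        ".sdata.win@18372.4.event_task=Constructed"
    ),
    "failed_4625": (
        "Logon Type: 10 .sdata.win@18372.4.event_id=4625 "
        ".sdata.win@18372.4.event_task=Logon"
    ),
}


def evaluate(variant):
    """Return {sample name: matched?} for one regex variant over SAMPLES."""
    pattern = VARIANTS[variant]
    return {name: bool(pattern.search(msg)) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for variant in VARIANTS:
        print("%-12s %s" % (variant, evaluate(variant)))
    print(syslog_ng_filter("event_id_ad", WANTED_IDS))
```

Running it shows the progression: the bare alternation accepts the 5156 event because "51365" contains "5136"; concatenating the "event_id=" prefix removes that false positive but still accepts a constructed "event_id=46240" through the listed 4624; only the terminated forms give exact matches, and the `([^0-9]|$)` form does so without lookaheads or `\d`, so it does not depend on PCRE support or on how backslash escapes are handled inside a syslog-ng double-quoted string. Since the dump shows the event ID is already carried as a structured field, a tighter option on syslog-ng (an assumption about macro naming, not something the thread confirms) is to match on that field alone, e.g. `match("^(4624|4625)$" value(".SDATA.win@18372.4.event_id"))`, so the message body is never consulted.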
 
  

