Dan,

All my regex experience comes from Perl. It's clear this regex does things a bit differently than how I expected. In Perl \.+ means only match 1 or more periods.

Another difference I've discovered is that Perl's regex is greedy -- it'll match all it can. It looks like this regex will only match the least number of characters it can. If I understand the difference correctly, \.+ in this regex would be .+? in Perl.

In Perl, [0-9A-Fx]+ means match one or more from the following set: 0 through 9, A through F and x. I guess that's done differently here. :)

Thanks for helping me understand this better.

On 7/5/2017 6:45 PM, dan (ddp) wrote:
On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown <zestys...@gmail.com> wrote:
I believe I've figured it out -- I think the decoder isn't matching the full
log string and is thus stripping the IP address information. Also, after
looking at the regex in the decoder, I've discovered that it doesn't even
match against the first three example strings provided:

Here's an example from the comments (After prematch):
Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The
logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from
workstation: la failed. The error code was: 3221225572

yet, the regex is:
^\.+: (\w+)\((\d+)\): (\.+):

The second (\d+) will only match against numbers, so (0x000002A9) will never
match. It should be ([0-9A-Fx]+)
I don't think this does what you want it to. But dealing with the hex
might be an issue we'll have to look into.

Also, why is it escaping the period at the beginning and at the end?
Shouldn't the regex be:
^.+: (\w+)\((\d+)\): (.+):

Not if you want to match any character, that should only match '.'.

--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
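To make the dialect differences discussed in this thread concrete, here is an added Python emulation; it is not code from the thread or from OSSEC. It expands the OSSEC escape classes as the project documents them (\w, \d, \s, \.), emits every repetition lazy on the assumption that the minimal matching Ian describes is how the dialect behaves, treats everything else (including bracket classes like [0-9A-Fx], which the dialect does not have) as literal text, and uses Python's own greedy engine as a stand-in for Perl. The log line is the one quoted in the thread.

```python
import re

# Escape classes of the OSSEC decoder regex dialect as the project documents
# them: \w is letters, digits, '-', '@', '_'; \d is digits; \s is a space;
# \. is any character. A bare '.' in that dialect is a literal period.
OSSEC_CLASSES = {"w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": r" ", ".": r"."}

# Translate an OSSEC-style regex into a Python regex. Repetitions are emitted
# lazy (+?, *?) to mirror the minimal matching described in the thread; that
# the dialect behaves this way is an assumption taken from the thread.
def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            # \w \d \s \. expand to classes; \( \) and other escapes stay literal
            out.append(OSSEC_CLASSES.get(pattern[i], re.escape(pattern[i])))
        elif c in "+*?":
            out.append(c + "?")          # lazy repetition
        elif c in "()^$|":
            out.append(c)                # groups, anchors, alternation
        else:
            out.append(re.escape(c))     # anything else, '.' included, is literal
        i += 1
    return "".join(out)

def ossec_match(pattern, text):
    """Capture groups under the emulated OSSEC dialect, or None if no match."""
    m = re.search(ossec_to_python(pattern), text)
    return m.groups() if m else None

def perl_style_match(pattern, text):
    """Python's greedy engine stands in for Perl's; semantics agree here."""
    m = re.search(pattern, text)
    return m.groups() if m else None

# Constructed sample: the post-prematch log line quoted in the thread.
LOG = ("Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The "
       "logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from "
       "workstation: la failed. The error code was: 3221225572")

ORIGINAL = r"^\.+: (\w+)\((\d+)\): (\.+):"   # decoder regex from the thread
FIXED = r"^\.+: (\w+)\((\w+)\): (\.+):"      # \w also covers the hex id 0x000002A9
PERL = r"^.+: (\w+)\((\w+)\): (.+):"         # the same pattern in Perl syntax

if __name__ == "__main__":
    print(ossec_match(ORIGINAL, LOG))     # None: \d+ cannot match 0x000002A9
    print(ossec_match(FIXED, LOG))        # minimal match: third group is 'Security'
    print(perl_style_match(PERL, LOG))    # greedy: third group runs to the last ':'
```

Under the emulated dialect the thread's regex fails on the hex id while the \w variant captures it, and the third group shows the minimal-versus-greedy difference side by side.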

