On Wed, Jul 5, 2017 at 10:41 PM, Ian Brown <zestys...@gmail.com> wrote:
> Dan,
>
> All my regex experience comes from Perl. It's clear this regex does things
> a bit differently than how I expected. In Perl \.+ means only match 1 or
> more periods.
>
> Another difference I've discovered is that Perl's regex is greedy -- it'll
> match all it can. It looks like this regex will only match the least number
> of characters it can. If I understand the difference correctly, \.+ in this
> regex would be .+? in Perl.
>
> In Perl, [0-9A-Fx]+ means match one or more from the following set: 0
> through 9, A through F and x. I guess that's done differently here. :)
>
> Thanks for helping me understand this better.
>

Our regex is weird.

>
> On 7/5/2017 6:45 PM, dan (ddp) wrote:
>>
>> On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown <zestys...@gmail.com> wrote:
>>>
>>> I believe I've figured it out -- I think the decoder isn't matching the
>>> full log string and is thus stripping the IP address information. Also
>>> after looking at the regex in the decoder, I've discovered that it doesn't
>>> even match against the first three example strings provided:
>>>
>>> Here's an example from the comments (after prematch):
>>> Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: The
>>> logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from
>>> workstation: la failed. The error code was: 3221225572
>>>
>>> yet, the regex is:
>>> ^\.+: (\w+)\((\d+)\): (\.+):
>>>
>>> The second (\d+) will only match against numbers, so (0x000002A9) will
>>> never match. It should be ([0-9A-Fx]+)
>>
>> I don't think this does what you want it to. But dealing with the hex
>> might be an issue we'll have to look into.
>>
>>> Also, why is it escaping the period at the beginning and at the end?
>>> Shouldn't the regex be:
>>> ^.+: (\w+)\((\d+)\): (.+):
>>>
>> Not if you want to match any character, that should only match '.'.
>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to ossec-list+unsubscr...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
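The dialect differences the thread turns on (`\.` meaning "any character", a bare `.` being literal, `\d` being digits only, no `[...]` classes) can be checked offline with a small translator from OSSEC decoder regex syntax to Python `re`. This is an added example, not code from the thread or from the OSSEC project: the helper names are hypothetical, the escape-class mapping follows the OSSEC regex syntax documentation, and the `greedy=False` option only emulates the "matches the least it can" behaviour Ian reports, which is an assumption rather than a verified property of the OSSEC matcher.

```python
import re

# OSSEC escape classes mapped to Python character classes (per the OSSEC
# regex syntax docs). "\." is "any character", the point raised in the thread.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]",           "D": r"[^0-9]",
    "s": r" ",               "S": r"[^ ]",
    "t": r"\t",              "p": r"[()*+,\-.:;<=>?\[\]]",
    ".": r".",
}

def ossec_to_python(pattern: str, greedy: bool = True) -> str:
    """Translate an OSSEC decoder regex into a Python re pattern (hypothetical helper).

    greedy=False emits lazy quantifiers to emulate the "least it can" matching
    Ian describes; that emulation is an assumption, not verified OSSEC behaviour.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash in OSSEC regex")
            nxt = pattern[i + 1]
            # \w \d \. ... become classes; \( \) \| \\ \$ ... stay literal
            out.append(OSSEC_CLASSES.get(nxt) or re.escape(nxt))
            i += 2
            continue
        if c in "+*":
            out.append(c if greedy else c + "?")
        elif c in "^$()|":
            out.append(c)              # same meaning in both dialects
        else:
            out.append(re.escape(c))   # bare '.', '[' and ']' are literals in OSSEC
        i += 1
    return "".join(out)

def ossec_match(pattern: str, text: str, greedy: bool = True):
    """Return the captured groups of the first match, or None when nothing matches."""
    m = re.search(ossec_to_python(pattern, greedy), text)
    return m.groups() if m else None

# The Windows audit-failure line quoted in the thread (text after the prematch).
LOG = ("Security: AUDIT_FAILURE(0x000002A9): Security: SYSTEM: NT AUTHORITY: "
       "The logon to account: xyz by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
       "from workstation: la failed. The error code was: 3221225572")

if __name__ == "__main__":
    print(ossec_match(r"^\.+: (\w+)\((\d+)\): (\.+): ", LOG))   # None: \d+ stops at 'x'
    print(ossec_match(r"^\.+: (\w+)\((\w+)\): (\.+): ", LOG, greedy=False))
```

Running the decoder's own pattern against the quoted line shows the `\d+` group rejecting `0x000002A9`, the Perl-style `[0-9A-Fx]+` and bare `.+` variants matching nothing at all, and a `\w+` group (letters, digits, `_`, `-`, `@` in this dialect) capturing the hex code.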