On Mon, 21 Apr 2014, swati upadhyaya wrote:
> Hi All,
> I have a pattern =
> MSWinEventLog\\s*(?:(?:(?:\\s+)))\\s*(?:\\s*(?:(?:(?:\\d\\s+)))\\s*)?\\s*(?:(?P<event_log__string>(?:\\S+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:\\s+)))\\s*\\s*(?:(?P<event_id__0>(?:4610|4614|4622)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?P<event_source__all>(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?P<event_category__all>(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:(A|An).*?)))\\s*\\s*(?:(?P<object__words>(?:(?:\\w+\\s?)+)))\\s*\\s*(?:(?:(?:has
> been)))\\s*\\s*(?:(?P<action__0>(?:loaded)))\\s*\\s*(?:(?:(?: by the
> )))\\s*\\s*(?:(?:(?:.*?)))\\s*\\ Package\\
> Name\\:\\s*(?:(?P<package__0>(?:\\S+)))\\s*
>
> message = <14>Mar 2 11:34:38 89.237.143.23 MSWinEventLog 1
> Security 6500 Fri Mar 02 11:34:37 2012 4610
> Microsoft-Windows-Security-Auditing N/A N/A Success Audit
> prabhat.ImmuneAps.com User Logoff A authentication package has been
> loaded by the Local Security Authority. This authentication package will be
> used to authenticate logon attempts. Authentication Package Name:
> C:\Windows\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> It's not getting any match with PCRE but with re2 I am getting the
> match. Is there any issue with PCRE?

I've had a quick look, but this is too complicated a pattern for me to spend a lot of time on. However, I suspect the pattern has got mangled by your email client because I see it as more than one line, and trying to join the lines produces items like \N which is not right. I also see some redundant \s*\s* sequences, and (?:(?:(?:.*?))) several times, which looks odd.

The pcretest program can be very helpful in trying to debug issues like this. I might find time to look at this again later in the week.

Philip

-- 
Philip Hazel

-- 
## List details at https://lists.exim.org/mailman/listinfo/pcre-dev
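
One way to narrow down which part of a long log-parsing pattern stops matching, as an added example that is not part of the original thread. It uses Python's `re` module rather than PCRE or pcretest, and the pattern, field values and function names are constructed, shortened stand-ins in the style of the ones quoted above.

```python
import re

def split_top_level(pattern):
    """Split a regex before each top-level '(' so that every prefix compiles."""
    pieces, depth, start, i, in_class = [], 0, 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                 # skip the escaped character
            i += 2
            continue
        if in_class:                  # parentheses inside [...] are literals
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            if depth == 0 and i > start:
                pieces.append(pattern[start:i])
                start = i
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    pieces.append(pattern[start:])
    return pieces

def first_failing_piece(pattern, text):
    """Return (index, piece) for the first piece that breaks the match, else None."""
    pieces = split_top_level(pattern)
    for n in range(1, len(pieces) + 1):
        if re.search("".join(pieces[:n]), text) is None:
            return n - 1, pieces[n - 1]
    return None

# Constructed pattern: same field order as the quoted one, far fewer groups.
PATTERN = (r"MSWinEventLog\s+(?:\d+\s+)?(?P<event_log>\S+)\s+(?:.*?)\s+"
           r"(?P<event_id>4610|4614|4622)(?:[\t]+)(?P<event_source>.*?)(?:[\t]+)"
           r"(?:.*?)Package Name:\s*(?P<package>\S+)")
# Constructed sample record; the hostname is a placeholder.
FIELDS = ["MSWinEventLog", "1", "Security", "6500", "Fri Mar 02 11:34:37 2012",
          "4610", "Microsoft-Windows-Security-Auditing", "N/A", "N/A",
          "Success Audit", "host.example", "User Logoff",
          r"A authentication package has been loaded by the Local Security "
          r"Authority. Authentication Package Name: C:\Windows\system32\msv1_0.dll"]
TABBED = "\t".join(FIELDS)            # tab-separated, as the pattern expects
SPACED = TABBED.replace("\t", " ")    # same record after tabs became spaces

if __name__ == "__main__":
    print("tabbed:", first_failing_piece(PATTERN, TABBED))
    print("spaced:", first_failing_piece(PATTERN, SPACED))
```

Because a prefix of a matching concatenation must itself match, the first prefix that fails points at the piece to inspect, here the `[\t]+` separator once the sample's tabs have been flattened to spaces.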
