1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2011
    Rep Power

    RegEx Help Needed for Log

    Thanks in advance for looking at this. I am new to RegEx and have attempted to work my way through some tutorials. However, if anyone would be so kind as to help me out, I'd appreciate it. I have a log server that pulls information from all of our other servers and have the option to set up rules to extract information from each entry. There is one line "RegEx:" that allows for standard regex code to be put in here to extract certain data from the log information. I'm having difficulty pulling the information I need. Below is an example entry:

    <52>Oct 4 03:01:43 SymantecServer symantecserver2: OFFICE-COMP21,Continue,,File Write,Begin: 2011-10-04 02:56:03,End: 2011-10-04 02:56:03,Rule: Log writing to USB drives_Write File,2108, C:/WINDOWS/system32/wbim/wmiprvse.exe,0,No Module Name, E:/WD SmartWare/WelcomeAnimation.swf, User: jenkinsr, Domain: RTOFFICE, Action Type:

    Here is the information I need with it's correct data in parenthesis:

    -Computer Name: (OFFICE-COMP21)
    -User Name: (jenkinsr)
    -Source File Path: (C:/WINDOWS/system32/wbim/wmiprvse.exe)
    -Source File Extension: (.exe)
    -Destination File Path: (E:/WD SmartWare/WelcomeAnimation.swf)
    -Destination File Extension: (.swf)

    The only one I have somewhat been able to get is the computer name by using ([A-Za-z0-9]+-[A-Za-z0-9]+). Any help would be greatly appreciated!!
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Washington, USA
    Rep Power
    When I write expressions I like to be as specific as possible.
    	\s*<\d+> # something
    	\s*(\w+\s+\d+\s+\d+:\d+:\d+) # date and time
    	\s*SymantecServer \w+: # application?
    	\s*([^,]+), # machine
    	\s*(\w+), # something
    	\s*[^,]*, # something
    	\s*([^,]+), # something
    	\s*Begin: (\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d), # begin date/time
    	\s*End: (\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d), # end date/time
    	\s*Rule: ([^,]+), # some kind of rule
    	\s*(\d+), # something
    	\s*([^,]+), # some file or application
    	\s*(\d+), # something
    	\s*([^,]+), # something
    	\s*([^,]+), # some file
    	\s*User: (\w+), # user
    	\s*Domain: (\w+), # user domain
    	\s*Action Type: .* # something, and then the rest of the line
    Unfortunately there is no one "standard regex". There are three. But the stuff above should be good for all of them.
    However you may need to remove the /.../mx (maybe even the leading ^ and trailing $ too) and if so then you have to remove all the comments and all the whitespace.

IMN logo majestic logo threadwatch logo seochat tools logo