#1

    RegEx Help Needed for Log


    Thanks in advance for looking at this. I am new to RegEx and have attempted to work my way through some tutorials. However, if anyone would be so kind as to help me out, I'd appreciate it. I have a log server that pulls information from all of our other servers and have the option to set up rules to extract information from each entry. There is one line "RegEx:" that allows for standard regex code to be put in here to extract certain data from the log information. I'm having difficulty pulling the information I need. Below is an example entry:

    <52>Oct 4 03:01:43 SymantecServer symantecserver2: OFFICE-COMP21,Continue,,File Write,Begin: 2011-10-04 02:56:03,End: 2011-10-04 02:56:03,Rule: Log writing to USB drives_Write File,2108, C:/WINDOWS/system32/wbim/wmiprvse.exe,0,No Module Name, E:/WD SmartWare/WelcomeAnimation.swf, User: jenkinsr, Domain: RTOFFICE, Action Type:

    Here is the information I need with its correct data in parentheses:

    -Computer Name: (OFFICE-COMP21)
    -User Name: (jenkinsr)
    -Source File Path: (C:/WINDOWS/system32/wbim/wmiprvse.exe)
    -Source File Extension: (.exe)
    -Destination File Path: (E:/WD SmartWare/WelcomeAnimation.swf)
    -Destination File Extension: (.swf)

    The only one I have somewhat been able to get is the computer name by using ([A-Za-z0-9]+-[A-Za-z0-9]+). Any help would be greatly appreciated!!
#2
    Transforming Moderator
    When I write expressions I like to be as specific as possible.
    Code:
    /^
    	\s*<\d+> # syslog priority
    	\s*(\w+\s+\d+\s+\d+:\d+:\d+) # date and time
    	\s*SymantecServer\ \w+: # application? (under /x a literal space must be written "\ ")
    	\s*([^,]+), # machine
    	\s*(\w+), # something
    	\s*[^,]*, # something (empty in the sample)
    	\s*([^,]+), # something
    	\s*Begin:\ (\d\d\d\d-\d\d-\d\d\ \d\d:\d\d:\d\d), # begin date/time
    	\s*End:\ (\d\d\d\d-\d\d-\d\d\ \d\d:\d\d:\d\d), # end date/time
    	\s*Rule:\ ([^,]+), # some kind of rule
    	\s*(\d+), # something
    	\s*([^,]+), # some file or application
    	\s*(\d+), # something
    	\s*([^,]+), # something
    	\s*([^,]+), # some file
    	\s*User:\ (\w+), # user
    	\s*Domain:\ (\w+), # user domain
    	\s*Action\ Type:.* # something, and then the rest of the line
    $/mx
    Unfortunately there is no one "standard regex". There are three. But the stuff above should be good for all of them.
    However, you may need to remove the /.../mx (maybe even the leading ^ and trailing $ too), and if so then you have to remove all the comments and all the whitespace.
