Hello listmembers,

I'm setting up a prelude/snort system and so far everything works quite
well, but I have absolutely no clue about regular expressions.
I tried to get it for a few hours now, but damn, this is really hard
stuff... :(
All I need is an expression for setting up the prelude-lml variable
"log_prefix_regex" with my syslog-ng entries, but I don't get it, so I
thought I might ask if someone with the needed knowledge could help me out.

My log entries look like this:
2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]: session opened for user root by (uid=1000)

using this syslog-ng entry:
template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")

and prelude-lml wants to use this expression to extract the data:
time-format = "%Y-%m-%dT%H:%M:%S"
prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"

All I get using this regex is the following error:
could not match log_prefix_regex against log entry: 2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]: session opened for user root by (uid=1000)

The time-format was the only thing I could change accordingly, and using
date "+%Y-%m-%dT%H:%M:%S" produces the used log-date.

So, if someone could create a working regular expression for me (or
gimme some other help), as slowly my brain begins to smoke while I'm
totally stuck, I would appreciate it very much.

Greetings, chris

--
gentoo-security@g.o mailing list
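The following is an added worked example, not part of chris's mail or of the prelude-lml project. It reproduces the mismatch with the default prefix-regex quoted above (its timestamp group takes exactly 15 characters, the width of a traditional syslog stamp such as "Oct 15 10:01:20", so the ISODATE value and the "<facility.priority>" field never fit) and shows an alternative prefix regex written for the syslog-ng template in the mail. prelude-lml evaluates its regex with PCRE; Python's re module accepts the same "(?P<name>...)" named-group syntax, so the pattern is shown here in Python. The "tz", "facility" and "priority" groups are assumptions added for illustration; the timestamp group deliberately stops before the numeric zone so that it still matches the mail's time-format "%Y-%m-%dT%H:%M:%S". The second sample line is constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in the syslog-ng template format from the mail
# ("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG"); the first copies the mail's
# own entry, the second (constructed) has a process name without a pid.
SAMPLE_LINES = [
    "2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]: "
    "session opened for user root by (uid=1000)",
    "2005-10-15T10:02:03+0100 <kern.warning> balmoral kernel: eth0: link down",
]

# Default prefix-regex quoted in the mail. ".{15}" consumes "2005-10-15T10:0"
# and then requires a space, but the next character is "1", so re.match
# fails on every ISODATE line.
DEFAULT_PREFIX_REGEX = (
    r"^(?P<timestamp>.{15}) (?P<hostname>\S+) "
    r"(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
)

# Assumed replacement for the ISODATE template (not prelude-lml's own default).
# The timestamp group stops before the "+0100" zone so it agrees with the
# time-format "%Y-%m-%dT%H:%M:%S"; tz, facility and priority are extra groups
# added here for illustration.
ISO_PREFIX_REGEX = (
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?P<tz>[+-]\d{4}) "
    r"<(?P<facility>[a-z0-9]+)\.(?P<priority>[a-z]+)> (?P<hostname>\S+) "
    r"(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
)

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_prefix(line, regex=ISO_PREFIX_REGEX):
    """Split a log line into its prefix fields and the remaining message.

    Returns (fields, message), or None when the prefix does not match, which
    is the condition behind the "could not match log_prefix_regex" error.
    """
    match = re.match(regex, line)
    if match is None:
        return None
    return match.groupdict(), line[match.end():]


def parse_timestamp(fields):
    """Parse the captured timestamp with the time-format from the mail."""
    return datetime.strptime(fields["timestamp"], TIME_FORMAT)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("default regex:", parse_prefix(line, DEFAULT_PREFIX_REGEX))
        fields, message = parse_prefix(line)
        print("iso regex:    ", fields)
        print("  time:", parse_timestamp(fields), " message:", message)
```

Running the script prints None for the default regex on both lines and the captured fields for the ISO regex; the process group stays lazy ("\S+?") so that "su(pam_unix)" is captured without swallowing the "[741]" pid.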