Gentoo Archives: gentoo-security

From: Chris <chris@×××××××××××.net>
To: gentoo-security@l.g.o
Subject: [gentoo-security] prelude-lml and log_prefix_regex
Date: Sat, 15 Oct 2005 08:14:58
Message-Id: 4350B96A.5000506@services-4u.net
In Reply to: RE: [gentoo-security] hosts.{allow,deny} vs. iptables. by "Łukasz C. Jokiel"
1 Hello listmembers,
2
3 i'm setting up a prelude/snort system and so far everything works quite
4 well, but i have absolutely no clue about regular expressions.
5 i tried to get it for a few hours now, but damn, this is really hard
6 stuff... :(
7 all i need is an expression for setting up the prelude-lml variable:
8 "log_prefix_regex" with my syslog-ng entries, but i don't get it, so i
9 thought i might ask if someone with the needed knowledge could help me out.
10
11 my logentries look like this:
12 2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]:
13 session opened for user root by (uid=1000)
14
15 using this syslog-ng entry:
16 template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
17
18 and prelude-lml want's to use this expression to extract the data:
19 time-format = "%Y-%m-%dT%H:%M:%S"
20 prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+)
21 (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
22
23
24 all i get using this regex is the following error:
25 could not match log_prefix_regex against log entry:
26 2005-10-15T10:01:20+0100 <auth.info> balmoral su(pam_unix)[741]: session
27 opened for user root by (uid=1000)
28 the time-format was the only thing i could change accordingly and using
29 date "+%Y-%m-%dT%H:%M:%S" produces the used log-date.
30
31 so, if someone could create a working regular expression for me (or
32 gimme some other help), as slowly my brain begins to smoke while i'm
33 totally stuck, i would appreciate it very much.
34
35 greetings, chris
36
37
38 >
39 >
40 --
41 gentoo-security@g.o mailing list