correct, I think that it is.
On Wed, Jan 27, 2016 at 11:06 PM, Fredrik wrote:
Hi Santiago!
Thanks for your input. As you pointed out the \D+ is out of place and I
couldn't figure out why that would match whereas the latter regex, that I
believed to be more complete, wouldn't. With input from Dan and yourself, I
realize that OSSEC is offering a helping hand in stripping
Thanks Dan! I obviously didn't realize that this was the case :( This means
that I should create a regex that takes the missing entry part into account
and hence matches: Jan 27 9:32:28 st4600fw01n1 not the full string I
was aiming for? This would then explain the, from my point of view,
som
Agree with Dan, also double check the regexes, as it looks like there are
some inconsistencies at the end. I don't think that \D+ is in the right
place.
Best
On Wed, Jan 27, 2016 at 7:08 AM, dan (ddp) wrote:
On Jan 27, 2016 10:06 AM, "Fredrik" wrote:
Hi All,
Been working on a regex to match highlighted part of the (event) string
below:
*Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 *allow http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: Application
Control; service: http; s_port: 58579; product_family: Network;
...
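An added example, written for this page and not code from anyone in the thread or from OSSEC itself: it emulates the header stripping Fredrik describes (an assumption about what is removed before a decoder regex runs) and contrasts a regex aimed at the full string with one aimed at what the decoder actually sees, including the unpadded hour in the inner timestamp. The function names and the field parser are hypothetical; the event line is a constructed copy of the one posted above.

```python
import re
from typing import Optional

# Constructed sample: the Check Point event from the original post as syslog
# delivered it (the missing semicolon after 192.168.1.15 is reproduced as posted).
RAW_EVENT = (
    "Jan 27 09:41:01 127.0.0.1 Jan 27 9:32:28 st4600fw01n1 allow "
    "http://www.aliveproxy.com/; proxy_src_ip: 192.168.1.15 product: "
    "Application Control; service: http; s_port: 58579; product_family: Network;"
)

# Emulation (assumption, not OSSEC's code) of the helping hand Fredrik mentions:
# the leading "Mon DD HH:MM:SS host " syslog header is removed once, so a custom
# decoder regex only ever sees the inner event.
SYSLOG_HEADER = re.compile(r"^\w{3} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2} \S+ ")

def strip_syslog_header(line: str) -> str:
    """Return the event as the decoder would see it (outer header removed)."""
    return SYSLOG_HEADER.sub("", line, count=1)

# Regex aimed at the full string: two timestamps, two hosts. Matches the raw
# line but fails on the stripped one, which is the confusion in the thread.
FULL_RE = re.compile(
    r"^\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ "      # outer syslog header
    r"(?P<ts>\w{3} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# Regex aimed at the stripped string. \d{1,2} for the hour matters: the inner
# timestamp "9:32:28" is not zero-padded, so \d\d:\d\d:\d\d would miss it.
INNER_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<action>\w+) (?P<url>\S+?);\s*(?P<rest>.*)$"
)

# "key: value" pairs; a value ends at ";", at the next " key: ", or at end of
# line, which also copes with the semicolon missing after the proxy_src_ip value.
FIELD_RE = re.compile(r"(\w+): (.*?)(?=\s*;|\s+\w+: |\s*$)")

def decode(line: str) -> Optional[dict]:
    """Decode an event the way a decoder regex would after header stripping."""
    m = INNER_RE.match(strip_syslog_header(line))
    if m is None:
        return None
    out = {k: m.group(k) for k in ("ts", "host", "action", "url")}
    out["fields"] = dict(FIELD_RE.findall(m.group("rest")))
    return out

if __name__ == "__main__":
    stripped = strip_syslog_header(RAW_EVENT)
    print("full-string regex on stripped event:", FULL_RE.match(stripped))
    print(decode(RAW_EVENT))
```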