Hi list, I'm trying to use a negative lookahead in my pattern for a particular event in my audit log and it doesn't appear to be working. I was wondering if negative lookaheads work to begin with, and if they do, I was hoping someone could spot my mistake.
I am using a pair type. Basically I want to find patterns that match everything in that pattern except for that number in the negative lookahead, and then match that filterkey=backend-script line:

    type=pair
    ptype=regexp
    pattern=audit\(\d+\.\d+\:(\d+)\).*success\=yes\s[0-9a-zA-Z= ]+\suid\=(?!12653)
    desc="Successful command execution"
    action=none
    ptype2=regexp
    pattern2=^.*audit\(\d+\.\d+\:(\d+)\)\:.*filterkey\=backend\-script
    desc2=$0
    action2=shellcmd /sbin/ausearch -a $1
    window=2

And a sample of logs:

    type=SYSCALL msg=audit(1213918944.731:15585): arch=40000003 syscall=5 success=yes exit=3 a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29557 auid=4294967295 uid=12653 gid=12653 euid=12653 suid=12653 fsuid=12653 egid=12653 sgid=12653 fsgid=12653 comm="pwreset_backend" exe="/bin/bash"
    type=FS_WATCH msg=audit(1213918944.731:15585): watch_inode=3347157 watch="backend.sh" filterkey=backend-script perm=4 perm_mask=4
    type=FS_INODE msg=audit(1213918944.731:15585): inode=3347157 inode_uid=1733 inode_gid=100 inode_dev=03:02 inode_rdev=00:00

So for instance, I don't want to match that first line, because it has uid=12653. But I would want to match that line if it had any other number in place of that 12653, so this should match:

    type=SYSCALL msg=audit(1213918944.731:15585): arch=40000003 syscall=5 success=yes exit=3 a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29557 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pwreset_backend" exe="/bin/bash"

However my pair is matching the 12653 line. Any ideas?

Thanks in advance,
Tim

_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
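An added example, not part of Tim's post and not SEC code: the two regexps from the pair rule above run through Python's re module, which like the Perl engine SEC uses supports the (?!...) negative lookahead, against the sample records from the post rebuilt as constants. It goes one step beyond the post by also trying a uid that merely begins with 12653, which the original lookahead rejects as well; PATTERN1_FIXED, the helper names and the pair_fires model are my assumptions, and the 2-second window is not modelled.

```python
import re

# The two regexps from the SEC pair rule in the post, copied verbatim.
# Python's re module, like the Perl engine SEC uses, supports (?!...) negative lookahead.
PATTERN1 = re.compile(
    r"audit\(\d+\.\d+\:(\d+)\).*success\=yes\s[0-9a-zA-Z= ]+\suid\=(?!12653)"
)
PATTERN2 = re.compile(
    r"^.*audit\(\d+\.\d+\:(\d+)\)\:.*filterkey\=backend\-script"
)

# Assumed variant, not from the post: (?!12653) also rejects every uid that merely
# starts with 12653 (126530, 126531, ...), so require a field separator after it.
PATTERN1_FIXED = re.compile(
    r"audit\(\d+\.\d+\:(\d+)\).*success\=yes\s[0-9a-zA-Z= ]+\suid\=(?!12653\s)"
)


def syscall_line(uid):
    """Constructed SYSCALL record modelled on the post's sample, every *id field set to uid."""
    return (
        "type=SYSCALL msg=audit(1213918944.731:15585): arch=40000003 syscall=5 "
        "success=yes exit=3 a0=984abd8 a1=8000 a2=0 a3=8000 items=1 pid=29557 "
        f"auid=4294967295 uid={uid} gid={uid} euid={uid} suid={uid} fsuid={uid} "
        f'egid={uid} sgid={uid} fsgid={uid} comm="pwreset_backend" exe="/bin/bash"'
    )


# The FS_WATCH record from the post's sample, constructed here as a constant.
FS_WATCH_LINE = (
    "type=FS_WATCH msg=audit(1213918944.731:15585): watch_inode=3347157 "
    'watch="backend.sh" filterkey=backend-script perm=4 perm_mask=4'
)


def audit_serial(line, pattern=PATTERN1):
    """Return the audit serial the pattern captures as $1, or None when it does not match.

    SEC applies a regexp pattern unanchored, which is what re.search does here.
    """
    m = pattern.search(line)
    return m.group(1) if m else None


def pair_fires(first_line, second_line, pattern=PATTERN1):
    """Model the pair rule's regexp logic: the second event only counts if the first matched.

    Returns the serial pattern2 would hand to 'ausearch -a $1', or None.
    (The window=2 timing is deliberately not modelled.)
    """
    if audit_serial(first_line, pattern) is None:
        return None
    return audit_serial(second_line, PATTERN2)


if __name__ == "__main__":
    for uid in (12653, 0, 126531):
        line = syscall_line(uid)
        print(f"uid={uid}: original -> {audit_serial(line)}, "
              f"fixed -> {audit_serial(line, PATTERN1_FIXED)}")
    print("pair for uid=0:", pair_fires(syscall_line(0), FS_WATCH_LINE))
```

Run stand-alone, it shows the first regexp refusing the uid=12653 record and accepting the uid=0 one, so the lookahead itself behaves; it also shows that a uid such as 126531 is refused by the original pattern and only accepted once the lookahead is anchored with a trailing separator.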
