analysis.cfg regular expression 🔗 link

wrote:

Hi folks,


I?m having trouble with a regular expression in a LOG entry in
analysis.cfg which is monitoring a Windows log.


I?ve included some sample lines below (IP addresses changed for obvious
reasons) and I need to alert when the 12th string (space separated) is
403 (actually 500 but for testing, 403)


I?ve tried this,


LOG "%D:\Weblogs\*\u_ex*.log" "%2.{1,75} .{1,75} .{1,75} .{1,75} .{1,75}
.{1,75} .{1,75} .{1,75} .{1,75} .{1,75}- 403 .{1,75} .{1,75} .{1,75}"
COLOR=yellow


And


LOG "%D:\Weblogs\*\u_ex*.log" "%(?:\S+\s+){11}403\b? COLOR=yellow


2024-01-16 14:41:01 127.0.0.1 GET / - 80 - 127.0.0.1
Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 93

2024-01-16 14:42:03 127.0.0.1 GET / - 80 - 127.0.0.1
Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 83

2024-01-16 14:43:04 127.0.0.1 GET / - 80 - 127.0.0.1
Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 78

2024-01-16 14:44:08 127.0.0.1 GET / - 80 - 127.0.0.1
Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 110

2024-01-16 14:45:13 127.0.0.1 GET / - 80 - 127.0.0.1
Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 89

2024-01-16 14:46:16 127.0.0.1 GET / - 80 - 127.0.0.1
Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 62

2024-01-16 14:47:20 127.0.0.1 GET / - 80 - 127.0.0.1
Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 78


Neither of these work. Can anyone help?


Kind Regards,


Neil*.*

).


Studio is a trading name of Studio Retail Trading Limited (Company no.
03994833), which is an introducer of credit not a lender. Studio Pay is
provided by Frasers Group Financial Services Limited (Registered Company
no. 00718151), which is authorised and regulated by the Financial Conduct
Authority (FRN 311908) for consumer credit and general insurance and a
member of the Finance and Leasing Association. Both companies are
registered in England and their registered office is: Church Bridge House
Henry Street Accrington BB5 4EE.

NOTE: This email and any information contained within or attached in a
separate file is confidential and intended solely for the Individual to
whom it is addressed. The information or data included is solely for the
purpose indicated or previously agreed. Any information or data included
with this e-mail remains the property of Studio Retail Trading Ltd or
Frasers Group Financial Services Ltd. The recipient will refrain from
utilising the information for any purpose other than that indicated and
upon request will destroy the information and remove it from their records.
Any views or opinions presented are solely those of the author and do not
necessarily represent those of Studio Retail Trading Ltd or Frasers Group
Financial Services Ltd. If you are not the intended recipient, be advised
that you have received this email in error and that any use, dissemination,
forwarding, printing, or copying of this email is strictly prohibited. No
warranties or assurances are made in relation to the safety and content of
this e-mail and any attachments. No liability is accepted for any
consequences arising from it. Studio Retail Trading Ltd and Frasers Group
Financial Services Ltd reserve the right to monitor all e-mail
communications through their internal and external networks. If you have
received this email in error please let us know. You can find our available
contact details by going to help.studio.co.uk and clicking ?Contact Us?.

Hi Neil

This is probably not the cause, but the closing double quotes on your second LOG line is an unprintable character representing a fancy (non-ASCII) quote symbol.

Apart from that, I can't see anything wrong with your match strings. Testing them with pcre2grep shows that they match the log lines just fine.

However, I wonder if your filename matching regular expressions is the problem. Each backslash in the match string are likely to be interpreted by the PCRE engine as the start of a special sequence, such as "\W" meaning "non-word character", and "\*" meaning a literal asterisk rather than a wildcard. For a test, try changing the filename string to be a non-regular expression (without the %) and name a single file rather than trying to use a wildcard.

Cheers
Jeremy

On Wed, 17 Jan 2024 at 02:28, Neil Simmonds <user-884b0aec6dbf@xymon.invalid<mailto:user-884b0aec6dbf@xymon.invalid>> wrote:
Hi folks,

I'm having trouble with a regular expression in a LOG entry in analysis.cfg which is monitoring a Windows log.

I've included some sample lines below (IP addresses changed for obvious reasons) and I need to alert when the 12th string (space separated) is 403 (actually 500 but for testing, 403)

I've tried this,

LOG "%D:\Weblogs\*\u_ex*.log" "%2.{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75} .{1,75}- 403 .{1,75} .{1,75} .{1,75}" COLOR=yellow

And

LOG "%D:\Weblogs\*\u_ex*.log" "%(?:\S+\s+){11}403\b" COLOR=yellow

2024-01-16 14:41:01 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 93
2024-01-16 14:42:03 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 83
2024-01-16 14:43:04 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 78
2024-01-16 14:44:08 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 110
2024-01-16 14:45:13 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 89
2024-01-16 14:46:16 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 62
2024-01-16 14:47:20 127.0.0.1 GET / - 80 - 127.0.0.1 Xymon+xymonnet/4.3.30-1.el8.terabithia - 403 14 0 78

Neither of these work. Can anyone help?

Kind Regards,

Neil.
).


Studio is a trading name of Studio Retail Trading Limited (Company no. 03994833), which is an introducer of credit not a lender. Studio Pay is provided by Frasers Group Financial Services Limited (Registered Company no. 00718151), which is authorised and regulated by the Financial Conduct Authority (FRN 311908) for consumer credit and general insurance and a member of the Finance and Leasing Association. Both companies are registered in England and their registered office is: Church Bridge House Henry Street Accrington BB5 4EE.

Studio is a trading name of Studio Retail Trading Limited (Company no. 03994833), which is an introducer of credit not a lender. Studio Pay is provided by Frasers Group Financial Services Limited (Registered Company no. 00718151), which is authorised and regulated by the Financial Conduct Authority (FRN 311908) for consumer credit and general insurance and a member of the Finance and Leasing Association. Both companies are registered in England and their registered office is: Church Bridge House Henry Street Accrington BB5 4EE.

NOTE: This email and any information contained within or attached in a separate file is confidential and intended solely for the Individual to whom it is addressed. The information or data included is solely for the purpose indicated or previously agreed. Any information or data included with this e-mail remains the property of Studio Retail Trading Ltd or Frasers Group Financial Services Ltd. The recipient will refrain from utilising the information for any purpose other than that indicated and upon request will destroy the information and remove it from their records. Any views or opinions presented are solely those of the author and do not necessarily represent those of Studio Retail Trading Ltd or Frasers Group Financial Services Ltd. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. No warranties or assurances are made in relation to the safety and content of this e-mail and any attachments. No liability is accepted for any consequences arising from it. Studio Retail Trading Ltd and Frasers Group Financial Services Ltd reserve the right to monitor all e-mail communications through their internal and external networks. If you have received this email in error please let us know. You can find our available contact details by going to help.studio.co.uk and clicking 'Contact Us'.