From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4350B96A.5000506@services-4u.net>
Date: Sat, 15 Oct 2005 10:10:18 +0200
From: Chris
List-Id: Gentoo Linux mail
Reply-to: gentoo-security@lists.gentoo.org
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] prelude-lml and log_prefix_regex

Hello list members,

I'm setting up a prelude/snort system and so far everything works quite well, but I have absolutely no clue about regular expressions. I tried to get it for a few hours now, but damn, this is really hard stuff... :(

All I need is an expression for setting up the prelude-lml variable "log_prefix_regex" with my syslog-ng entries, but I don't get it, so I thought I might ask if someone with the needed knowledge could help me out.

My log entries look like this:

    2005-10-15T10:01:20+0100 balmoral su(pam_unix)[741]: session opened for user root by (uid=1000)

using this syslog-ng entry:

    template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")

and prelude-lml wants to use this expression to extract the data:

    time-format = "%Y-%m-%dT%H:%M:%S"
    prefix-regex = "^(?P.{15}) (?P\S+) (?:(?P\S+?)(?:\[(?P[0-9]+)\])?: )?"

All I get using this regex is the following error:

    could not match log_prefix_regex against log entry: 2005-10-15T10:01:20+0100 balmoral su(pam_unix)[741]: session opened for user root by (uid=1000)

The time-format was the only thing I could change accordingly, and using date "+%Y-%m-%dT%H:%M:%S" produces the used log date.

So, if someone could create a working regular expression for me (or give me some other help), as slowly my brain begins to smoke while I'm totally stuck, I would appreciate it very much.

Greetings,
Chris

--
gentoo-security@gentoo.org mailing list
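The following is an added example, not part of Chris's mail or of prelude-lml itself. It shows, in Python's re module (whose named-group syntax matches the `(?P<name>...)` form prelude-lml uses), why the quoted default prefix regex cannot match an ISODATE line and what a prefix regex shaped for that timestamp looks like. The group names `timestamp`, `hostname`, `process` and `pid` are assumed (the mail as archived lost them inside the `(?P...)` groups); the assumption that prelude-lml runs the `time-format` over the whole `timestamp` group, so that the `+0100` zone offset must stay outside it, is also mine. The sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of the syslog-ng ISODATE template
# quoted in the mail: one with a process and pid, one bare message.
SAMPLE_SU = ("2005-10-15T10:01:20+0100 balmoral su(pam_unix)[741]: "
             "session opened for user root by (uid=1000)")
SAMPLE_BARE = "2005-10-15T10:01:20+0100 balmoral -- MARK --"

# The default prelude-lml prefix regex from the mail, with the group names
# re-inserted (assumption). `.{15}` is sized for the classic 15-character
# BSD syslog stamp "Oct 15 10:01:20"; an ISODATE stamp is 24 characters, so
# the mandatory space after the 15th character never lines up and the
# match fails, which is exactly the "could not match" error quoted.
DEFAULT_PREFIX = re.compile(
    r"^(?P<timestamp>.{15}) (?P<hostname>\S+) "
    r"(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
)

# Prefix regex for the ISODATE template. Only the 19-character date/time
# goes into `timestamp`, so that time-format "%Y-%m-%dT%H:%M:%S" consumes
# the whole group; the zone offset is matched but kept outside the group.
# The host/process/pid tail is unchanged from the default.
ISO_PREFIX = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})[+-]\d{4} "
    r"(?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
)

# Same value as the time-format line in the mail.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_prefix(line, prefix=ISO_PREFIX):
    """Apply a prefix regex to one log line the way an lml-style parser would.

    Returns None when the prefix does not match; otherwise a dict with the
    named groups, `timestamp` converted with TIME_FORMAT, and `message` set
    to whatever follows the matched prefix.
    """
    m = prefix.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # strptime is strict: a trailing "+0100" inside the group would raise
    # ValueError here, which is why the offset is excluded from the group.
    fields["timestamp"] = datetime.strptime(fields["timestamp"], TIME_FORMAT)
    fields["message"] = line[m.end():]
    return fields


if __name__ == "__main__":
    print("default regex on ISODATE line:", parse_prefix(SAMPLE_SU, DEFAULT_PREFIX))
    for line in (SAMPLE_SU, SAMPLE_BARE):
        print(parse_prefix(line))
```

The same regex string, minus Python's raw-string quoting, is what would go into `prefix-regex`; the one thing worth checking before relying on it is whether your prelude-lml build wants the zone offset inside or outside the `timestamp` group, which depends on how strictly it applies `time-format`.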