From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.50)
	id 1EQigW-0007O4-SS
	for garchives@archives.gentoo.org; Sat, 15 Oct 2005 09:50:37 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.5/8.13.5) with SMTP id j9F9ljiw030568;
	Sat, 15 Oct 2005 09:47:46 GMT
Received: from services-4u.net (h3629.serverkompetenz.net [81.169.159.141])
	by robin.gentoo.org (8.13.5/8.13.5) with ESMTP id j9F9iMFP022433
	for <gentoo-security@lists.gentoo.org>; Sat, 15 Oct 2005 09:44:23 GMT
Received: (qmail 25548 invoked from network); 15 Oct 2005 11:45:55 +0200
Received: from pd9507f77.dip.t-dialin.net (HELO ?217.80.127.119?) (chris@services-4u.net@217.80.127.119)
  by h3629.serverkompetenz.net with AES256-SHA encrypted SMTP; 15 Oct 2005 11:45:55 +0200
Message-ID: <4350CFD2.3060600@services-4u.net>
Date: Sat, 15 Oct 2005 11:45:54 +0200
From: Chris <chris@services-4u.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051003
X-Accept-Language: en-us, en
Precedence: bulk
List-Post: <mailto:gentoo-security@lists.gentoo.org>
List-Help: <mailto:gentoo-security+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-security+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-security+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
X-BeenThere: gentoo-security@gentoo.org
Reply-to: gentoo-security@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] prelude-lml and log_prefix_regex
References: <E1EQiQ5-0006HN-5Y@cp02.buyhttp.com>
In-Reply-To: <E1EQiQ5-0006HN-5Y@cp02.buyhttp.com>
X-Enigmail-Version: 0.92.0.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 766310a2-e86f-4c48-be86-1b443b706f43
X-Archives-Hash: 87bd84046c64d5306cb2bd344b4d355c

Yeah, this did the trick :)
Thanks alot Sheran, now i'm able to get some sleep *smiling from one ear
to the other*

Greets, Chris






Sheran Gunasekera wrote:

>Hi Chris,
>Give this a go:
>(?P<timestamp>.{15}).*?\>\s(?P<hostname>.*?)\s(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?:)
>
>I'm not using either Snort or Prelude, but I tried this on Python and I
>think it
>yields the results you require.  I wonder about only capturing the first 15
>characters for the timestamp, though.  It comes up a bit short.  As I am
>unsure
>of the context it is being used, I cannot comment, but I would capture
>at least
>19 characters:
>
>(?P<timestamp>.{19}).*?\>\s(?P<hostname>.*?)\s(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?:)
>
>Take care,
>Sheran 
>  
>
-- 
gentoo-security@gentoo.org mailing list