Regular-Expression
卡在使用正則表達式選擇列(在 wazuh 解碼器中)
我有這個日誌,但我不知道如何選擇幾列。
04.07.2021 12:11:31.801 [25760] info MainForm - Database(s) loaded: CA_2021,beforetest,FL_2,FL_Jan_2021,jhon,DC_City_Jan_2021,Statetest,Benchmark_2021我使用
(\d\d\d\d) (\d+:\d+:\d+)並且能夠選擇2021 12:11:31任何人都可以幫助選擇
2021 12:11:31 [25760] info FL_Jan_2021 DC_City_Jan_2021 Benchmark_2021https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
您可以使用以下自定義解碼器來提取所有欄位:
<decoder name="log1"> <prematch>^\d\d.\d\d.\d\d\d\d \d\d:\d\d:\d\d.\d\d\d [\d+]\s+\w+\s+\w+\s+- </prematch> <regex>^(\d\d.\d\d.\d\d\d\d \d\d:\d\d:\d\d.\d\d\d) [(\d+)]\s+(\w+)\s+(\w+)\s+-\s+(\.+):\s+(\S+),(\S+),(\S+),(\S+),(\S+),(\S+),(\S+),(\S+)</regex> <order>decoded.date,decoded.pid,decoded.type,decoded.source,decoded.action,field1,field2,field3,field4,field5,field6,field7,field8</order> </decoder>您提到的欄位分別提取為
decoded.date、decoded.pid、decoded.type、field4和。如果您不想提取其他欄位,您可以刪除標籤上的括號和標籤中的名稱。field6``field8``<regex>``<order>
wazuh-logtest配置此解碼器後,通過實用程序執行日誌的結果/var/ossec/etc/decoders/local_decoders.xml是:**Phase 1: Completed pre-decoding. full event: '14.07.2021 12:11:31.801 [25760] info MainForm - Database(s) loaded: CA_2021,beforetest,FL_2,FL_Jan_2021,jhon,DC_City_Jan_2021,Statetest,Benchmark_2021' **Phase 2: Completed decoding. name: 'log1' decoded.action: ' Database(s) loaded' decoded.date: '14.07.2021 12:11:31.801' decoded.pid: '25760' decoded.source: 'MainForm' decoded.type: 'info' field1: 'CA_2021' field2: 'beforetest' field3: 'FL_2' field4: 'FL_Jan_2021' field5: 'jhon' field6: 'DC_City_Jan_2021' field7: 'Statetest' field8: 'Benchmark_2021'