in reply to Re: Re: Cisco Log Files: broken REGEX
in thread Cisco Log Files: broken REGEX
I still don't have it working, but I do have a few suggestions.
Don't escape everything in sight; you'll go nuts. : and , don't need \, really.
m@@x is your friend.
Could you detect what you need to extract without matching the whole line? Note that ICMP and TCP have different "port" parts, so making a general regex is gonna bite.
Anyhow, here's my test bench, with my latest non-working version of the regex:
#!/usr/bin/perl -w
use strict;

while (<DATA>) {
    if (m@
        ^
        ([A-Z][a-z]+\s+\d+\s+\d+:\d+:\d+)      # group 1: syslog timestamp
        \s+ \[ ([\.\d]+) \]                    # group 2: bracketed source id
        \s+ (\d+):                             # group 3: sequence number
        \s+ ([A-Z][a-z]+\s+\d+\s+\d+:\d+:\d+)  # group 4: device timestamp
        \s+ ([A-Z]{3}): \s+ \%SEC\-6\-[A-Z]+:  # group 5: timezone, then message id
        \s+ list \s+ \d+
        \s+ ([a-z]+) \s+ ([a-z]+)              # action, protocol (the \s+ before the action was missing; under /x a bare space matches nothing)
        \s+ (\d+\.\d+\.\d+\.\d+) (?:\(\d+\))?  # source IP, optional (port) for tcp/udp; was \(\d+\)? which only made the ")" optional
        \s* -> \s+
        (\d+\.\d+\.\d+\.\d+) (?:\(\d+\))?      # destination IP, optional (port)
        \s*
        (?: \s+ \(\d+\/\d+\) )?                # icmp type/code
        ,
        \s+ (\d) \s+packet$@x) {
        print "Matched, $1-$2-$3-$4\n";
    } else {
        print "No match\n";
    }
}

__DATA__
Aug 21 19:00:36 [1.1.1.3.200.125] 410381: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3988) -> 10.158.24.10(135), 1 packet
Aug 21 19:00:36 [1.1.1.3.200.125] 410382: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.165.4.150 -> 211.95.79.233 (8/0), 1 packet
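The suggestion above (extract what you need instead of matching the whole line, with separate patterns for the TCP and ICMP "port" parts) worked through as an added example. This is not the poster's code: it first locates the %SEC-6-IPACCESSLOG message and the ACL number, then parses the address part according to the protocol word, then picks the packet count off the end. The field names (action, proto, src, sport, dst, dport, type, code, packets) are this example's own; the two data lines are the ones from the post, joined back onto one line each.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse one Cisco ACL log line. Returns a hashref of fields, or undef for a
# line that is not an IPACCESSLOG message. Nothing before "%SEC-6-" is
# required to be in any particular shape, so the syslog relay prefix can vary.
sub parse_acl_line {
    my ($line) = @_;

    # Step 1: anchor on the message id and the ACL number, keep the tail.
    my ($msg, $acl, $rest) =
        $line =~ /%SEC-6-(IPACCESSLOG\w*):\s+list\s+(\S+)\s+(.*)/
        or return;
    my %r = (msg => $msg, acl => $acl);

    # Step 2: the next two words are always the action and the protocol.
    ($r{action}, $r{proto}, $rest) = $rest =~ /^(\w+)\s+(\w+)\s+(.*)/
        or return;

    # Step 3: the address part depends on the protocol.
    my $ip = qr/\d+(?:\.\d+){3}/;
    if ($r{proto} eq 'tcp' or $r{proto} eq 'udp') {
        # e.g. 10.161.24.153(3988) -> 10.158.24.10(135)
        ($r{src}, $r{sport}, $r{dst}, $r{dport}) =
            $rest =~ /^($ip)\((\d+)\)\s*->\s*($ip)\((\d+)\)/
            or return;
    }
    elsif ($r{proto} eq 'icmp') {
        # e.g. 10.165.4.150 -> 211.95.79.233 (8/0)   type 8 / code 0
        ($r{src}, $r{dst}, $r{type}, $r{code}) =
            $rest =~ /^($ip)\s*->\s*($ip)\s*\((\d+)\/(\d+)\)/
            or return;
    }
    else {
        # any other protocol: just the two addresses
        ($r{src}, $r{dst}) = $rest =~ /^($ip)\s*->\s*($ip)/
            or return;
    }

    # Step 4: packet count from the end of the line. The router aggregates
    # repeats ("5 packets"), so allow more than one digit and a plural.
    ($r{packets}) = $rest =~ /,\s+(\d+)\s+packets?\s*$/
        or return;

    # Optional: sequence number and device timestamp from the head, if present.
    ($r{seq}, $r{stamp}) = $line =~ /\]\s+(\d+):\s+(\w+\s+\d+\s+[\d:]+\s+\w+):/;

    return \%r;
}

# Constructed input: the two lines from the post, one per line.
while (my $line = <DATA>) {
    chomp $line;
    my $r = parse_acl_line($line);
    if (!$r) {
        print "No match: $line\n";
        next;
    }
    my $detail = defined $r->{sport}
        ? "ports $r->{sport} -> $r->{dport}"
        : (defined $r->{type} ? "type/code $r->{type}/$r->{code}" : '-');
    print join("\t", $r->{msg}, $r->{acl}, $r->{action}, $r->{proto},
               $r->{src}, $r->{dst}, $detail, "$r->{packets} packet(s)"), "\n";
}

__DATA__
Aug 21 19:00:36 [1.1.1.3.200.125] 410381: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3988) -> 10.158.24.10(135), 1 packet
Aug 21 19:00:36 [1.1.1.3.200.125] 410382: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.165.4.150 -> 211.95.79.233 (8/0), 1 packet
```

Splitting the match this way means a line for a protocol you have not seen yet fails only at step 3, with the message id and action already in hand, which is easier to debug than a single whole-line regex reporting "No match". The packet count pattern also avoids the single-digit (\d) assumption, which silently drops lines once the router starts aggregating repeated hits.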