in reply to Re: Perl Regex
in thread Perl Regex

Thanks for the help. I already tried the given regex and it's not working. Here is my Perl script.

#!/usr/bin/perl
use strict;
use warnings;

chdir("/tmp") or die "$!";
opendir(DIR, ".") or die "$!";
my @files = grep { /2010*/ } readdir DIR;   # pick the log files named with 2010
closedir DIR;

foreach my $file (@files) {
    open(FILE, "/tmp/$file") or die "No file!";
    ###############################
    while (my $fields = <FILE>) {
        my @logs = split(/ /, $fields);    # split log fields by space.
        foreach my $msg (@logs) {
            #if ( $msg=~(/^msg="(.*?)"/))
            #if ( $msg=~(/msg=/))
            if ( $msg =~ /\bmsg="[^"]*"/ )
            #if ($message =~ /msg=\"+((?:([^:,]+):\s|)([^,]+?)\s*(?:\s*,.*?|))\"+/)
            {
                print "$msg\n";
            }
        }
    }
    close(FILE);
}
exit(0);

And here is the log file format:
20 Nov 17:43:1 10 28 2010 02:18:33: date=2010-10-28 time=00:27:54 log_id=2 type=ips subtype=signature pri=alert fwver=040002 severity=medium carrier_ep="N/A" profile="IPS" src=X.X.X.X dst=X.X.X.X src_int="wan1" dst_int="internal" policyid=2 status=detected proto=17 service=1434/udp vd="root" count=1 src_port=111 dst_port=80 attack_id=10328 sensor="IPS_sensor" ref="http://www.fortinet.com/ids/VID10328" user="N/A" group="N/A" incident_serialno=2004954881 msg="database: MS.SQL.Server.Resolution.Service.Stack.Overflow"

Am I missing anything in my code? I tried debugging but could not do anything inside the debugger.

Re^3: Perl Regex
by afoken (Chancellor) on Nov 23, 2010 at 11:03 UTC

    Please define "not working". What do you expect to happen? What happens instead? Any warning or error messages?

    And here is the log file format:

    No, that's just some crap copied and pasted from elsewhere. Inside <code></code>, it may have been a little bit helpful, as an example, but not in this form. All of the possible whitespace characters have collapsed to a single space, due to the way HTML works. And it looks like you have edited the example, making things even worse. A proper specification of the log format would really be useful. If you don't have that, post several unmodified(!) log lines inside <code></code>. If the log comes from a well-known piece of software, tell us the name and version of that software.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      "It's not working" means I do not get any output when I print $msg; I expect it to print the actual string from the log. I have mentioned this in my first post. Here is the log file inside code:
      20 Nov 17:43:1 10 28 2010 02:18:33: date=2010-10-28 time=00:27:54 log_id=2 type=ips subtype=signature pri=alert fwver=040002 severity=medium carrier_ep="N/A" profile="IPS" src=X.X.X.X dst=X.X.X.X src_int="wan1" dst_int="internal" policyid=2 status=detected proto=17 service=1434/udp vd="root" count=1 src_port=111 dst_port=80 attack_id=10328 sensor="IPS_sensor" ref="http://www.fortinet.com/ids/VID10328" user="N/A" group="N/A" incident_serialno=2004954881 msg="database: MS.SQL.Server.Resolution.Service.Stack.Overflow"

      All other fields are matching and working fine except this one.
      I tried debugging and the regex matches the string, but not when I run my Perl script.
      DB<10> $msg = q(some_fields msg="http_decoder: HTTP.Unknown.Tunnelling" some_fields)
      DB<11> x $msg
      0 'some_fields msg="http_decoder: HTTP.Unknown.Tunnelling" some_fields'
      DB<12> x $msg =~ /msg=\"(.*?)\"/
      0 'http_decoder: HTTP.Unknown.Tunnelling'
      DB<13> x $msg =~ /msg=\"+((?:([^:,]+):\s|)([^,]+?)\s*(?:\s*,.*?|))\"+/
      0 'http_decoder: HTTP.Unknown.Tunnelling'
      1 'http_decoder'
      2 'HTTP.Unknown.Tunnelling'
        I think this may be because I am splitting the fields by space, and there is a space after msg="database:, so I am trying to match my regex on two fields.
        20 Nov 17:43:1 10 28 2010 02:18:33: date=2010-10-28 time=00:27:54 log_id=2 type=ips subtype=signature pri=alert fwver=040002 severity=medium carrier_ep="N/A" profile="IPS" src=X.X.X.X dst=X.X.X.X src_int="wan1" dst_int="internal" policyid=2 status=detected proto=17 service=1434/udp vd="root" count=1 src_port=111 dst_port=80 attack_id=10328 sensor="IPS_sensor" ref="http://www.fortinet.com/ids/VID10328" user="N/A" group="N/A" incident_serialno=2004954881 msg="database: MS.SQL.Server.Resolution.Service.Stack.Overflow"
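The diagnosis above is right: split(/ /, ...) cuts the quoted msg value at its internal space. The following is an added example, not the poster's script, showing the usual fix for this kind of key=value log: match each field against the whole line, treating a "quoted value" as one unit. The sample line is constructed from the format shown in the thread; parse_kv is a name chosen here.

```perl
#!/usr/bin/perl
# Added example (not from the original post): parse a key=value log line
# as a whole instead of splitting on spaces, so quoted values that
# contain spaces (e.g. msg="database: MS.SQL...") stay intact.
use strict;
use warnings;

# Constructed sample line in the format shown in the thread.
my $line = '20 Nov 17:43:1 10 28 2010 02:18:33: date=2010-10-28 time=00:27:54 '
         . 'log_id=2 type=ips subtype=signature pri=alert severity=medium '
         . 'src=X.X.X.X dst=X.X.X.X src_int="wan1" dst_int="internal" '
         . 'proto=17 service=1434/udp attack_id=10328 sensor="IPS_sensor" '
         . 'user="N/A" msg="database: MS.SQL.Server.Resolution.Service.Stack.Overflow"';

# Returns a hash of field => value. A value is either a "quoted string"
# (which may contain spaces) or a run of non-space characters; the free
# text before the first key=value pair (the timestamp prefix) is skipped.
sub parse_kv {
    my ($text) = @_;
    my %fields;
    while ($text =~ /\b(\w+)=(?:"([^"]*)"|(\S+))/g) {
        $fields{$1} = defined $2 ? $2 : $3;
    }
    return %fields;
}

my %f = parse_kv($line);
print "msg=$f{msg}\n";              # whole message, including the space
print "attack_id=$f{attack_id}\n";
print "src_int=$f{src_int}\n";      # quotes are stripped from the value
```

If a value may itself contain an escaped quote, the [^"]* part needs extending; for the lines shown in the thread it is sufficient.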