Hi All,
I have a pattern =
MSWinEventLog\\s*(?:(?:(?:\\s+)))\\s*(?:\\s*(?:(?:(?:\\d\\s+)))\\s*)?\\s*(?:(?P<event_log__string>(?:\\S+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:\\s+)))\\s*\\s*(?:(?P<event_id__0>(?:4610|4614|4622)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?P<event_source__all>(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?P<event_category__all>(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:(A|An).*?)))\\s*\\s*(?:(?P<object__words>(?:(?:\\w+\\s?)+)))\\s*\\s*(?:(?:(?:has
been)))\\s*\\s*(?:(?P<action__0>(?:loaded)))\\s*\\s*(?:(?:(?: by the
)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\ Package\\
Name\\:\\s*(?:(?P<package__0>(?:\\S+)))\\s*
message = <14>Mar 2 11:34:38 89.237.143.23 MSWinEventLog 1
Security 6500 Fri Mar 02 11:34:37 2012 4610
Microsoft-Windows-Security-Auditing N/A N/A Success Audit
prabhat.ImmuneAps.com User Logoff A authentication package has been
loaded by the Local Security Authority. This authentication package will be
used to authenticate logon attempts. Authentication Package Name:
C:\Windows\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
It's not getting any match with PCRE, but with re2 I am getting the
match. Is there any issue with PCRE?
With re2 we have:
event_source_all: Microsoft-Windows-Security-Auditing
package: C:\\Windows\\system32\\msv1_0.dll
event_id: 4610
object: authentication package
event_log_string: Security
event_category: User Logoff
action_word: loaded
a match like this.
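Editor's note, added to the thread and not part of the poster's message: one thing in the pattern worth checking before blaming PCRE is the `object__words` group, `(?:\\w+\\s?)+`. Because the separator `\s?` is optional, a backtracking engine can split every word it has swallowed at every character boundary before it gives the text back, and it only retreats to the right split ("authentication package ") after trying all partitions of everything up to the end of the sentence. RE2 never backtracks, so it finds the same match in linear time; PCRE stops with a match-limit error (default limit 10,000,000 steps), which many callers report as "no match". Whether that is the cause here cannot be confirmed from the thread alone, so treat it as an assumption. The Python `re` engine backtracks like PCRE does, so the script below uses it to show the effect on the sentence quoted above (shortened so the run finishes) and an estimate of the retries on the full sentence, next to a rewrite with a mandatory separator that avoids the blow-up. The sub-patterns, the `LINEAR` rewrite, and the helper names are my own and are not in the original post.

```python
import re
import time

# Constructed from the event text quoted in the post; only the trailing
# clause is shortened so the backtracking pattern below finishes quickly.
FULL_SENTENCE = ("A authentication package has been loaded by the Local "
                 "Security Authority.")
SHORT_SENTENCE = "A authentication package has been loaded by the LSA."

# The object/action part of the posted pattern, reduced to its essentials:
# (?:\w+\s?)+ is a nested quantifier with an optional separator, so a
# backtracking engine can carve every word many ways before it reaches the
# "has been" anchor.
BACKTRACKING = re.compile(
    r"(?:A|An)\s+(?P<object>(?:\w+\s?)+)\s*has been (?P<action>loaded)")

# Assumed rewrite (not from the post): with a mandatory separator each word
# can only be matched one way, so a failed continuation is detected at once.
LINEAR = re.compile(
    r"(?:A|An)\s+(?P<object>\w+(?:\s\w+)*)\s+has been (?P<action>loaded)")


def extract(pattern, text):
    """Return (object, action) or None, with surrounding whitespace trimmed."""
    m = pattern.search(text)
    if not m:
        return None
    return m.group("object").strip(), m.group("action")


def partition_estimate(suffix):
    """Estimate of the ways (?:\\w+\\s?)+ can split the words of `suffix`
    before giving them back: a word of length n has 2**(n-1) splits, and the
    engine tries every combination before it retreats past the suffix."""
    exponent = sum(len(w) - 1 for w in re.findall(r"\w+", suffix))
    return 2 ** exponent


def timed(pattern, text):
    """Run extract() and return (result, elapsed seconds)."""
    start = time.perf_counter()
    result = extract(pattern, text)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    for name, pat in (("backtracking", BACKTRACKING), ("linear", LINEAR)):
        result, secs = timed(pat, SHORT_SENTENCE)
        print(f"{name:12s} {result} in {secs * 1000:.1f} ms")
    # Text the greedy loop swallows before backtracking to the right split.
    for s in (SHORT_SENTENCE, FULL_SENTENCE):
        suffix = s.split("package ", 1)[1].rstrip(".")
        print(f"{partition_estimate(suffix):>14,d} splits to retry "
              f"for {suffix!r}")
    # The rewrite handles the full sentence without the retry explosion.
    print(extract(LINEAR, FULL_SENTENCE))
```

On the full sentence the estimate comes out at 2**32 retries, far above PCRE's default match limit, while the same text with the shortened clause needs about 32,768 and finishes in milliseconds. Running `BACKTRACKING` against `FULL_SENTENCE` is deliberately left out of the script because it would take minutes in Python's `re`; the `partition_estimate` figure is what to look at instead.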