On Mon, 21 Apr 2014, swati upadhyaya wrote:
> Hi All,
> I have a pattern =
> MSWinEventLog\\s*(?:(?:(?:\\s+)))\\s*(?:\\s*(?:(?:(?:\\d\\s+)))\\s*)?\\s*(?:(?P<event_log__string>(?:\\S+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:\\s+)))\\s*\\s*(?:(?P<event_id__0>(?:4610|4614|4622)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?P<event_source__all>(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?P<event_category__all>(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:(A|An).*?)))\\s*\\s*(?:(?P<object__words>(?:(?:\\w+\\s?)+)))\\s*\\s*(?:(?:(?:has
> been)))\\s*\\s*(?:(?P<action__0>(?:loaded)))\\s*\\s*(?:(?:(?: by the
> )))\\s*\\s*(?:(?:(?:.*?)))\\s*\\ Package\\
> Name\\:\\s*(?:(?P<package__0>(?:\\S+)))\\s*
>
> message = <14>Mar 2 11:34:38 89.237.143.23 MSWinEventLog 1
> Security 6500 Fri Mar 02 11:34:37 2012 4610
> Microsoft-Windows-Security-Auditing N/A N/A Success Audit
> prabhat.ImmuneAps.com User Logoff A authentication package has been
> loaded by the Local Security Authority. This authentication package will be
> used to authenticate logon attempts. Authentication Package Name:
> C:\Windows\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> It's not getting any match with PCRE but with re2 I am getting the
> match. Is there any issue with PCRE?

I've had a quick look, but this is too complicated a pattern for me to
spend a lot of time on. However, I suspect the pattern has got mangled
by your email client because I see it as more than one line, and trying
to join the lines produces items like \N which is not right. I also see
some redundant \s*\s* sequences, and (?:(?:(?:.*?))) several times,
which looks odd.

The pcretest program can be very helpful in trying to debug issues like
this.

I might find time to look at this again later in the week.

Philip
--
Philip Hazel
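
The redundancies named in the reply above (adjacent \s*\s* runs, triple-wrapped (?:(?:(?:...))) groups, stray line breaks) can be stripped mechanically before a pattern goes to a debugger. This is an added example, not part of the original thread and not PCRE project code. Assumptions: Python's re module stands in for the regex engine, FRAGMENT and LINE are constructed samples, and the names simplify and captures are hypothetical.

```python
import re

# Two or more adjacent "\s*" items, not followed by another quantifier character.
_DUP_WS = re.compile(r'(?<!\\)(?:\\s\*){2,}(?![?+*{])')
# A non-capturing group whose whole body is one paren-free non-capturing group.
_NESTED = re.compile(r'(?<!\\)\(\?:(\(\?:(?:\\.|[^()\\])*\))\)')

def simplify(pattern):
    """Collapse both redundancies; return (new_pattern, counts)."""
    # A line break inside a one-line pattern is a sign of mail-client wrapping.
    counts = {"line_breaks": pattern.count("\n"), "dup_ws": 0, "nested": 0}
    while True:  # repeat until stable: each pass peels one nesting level
        pattern, n_ws = _DUP_WS.subn(lambda m: r"\s*", pattern)
        pattern, n_grp = _NESTED.subn(lambda m: m.group(1), pattern)
        counts["dup_ws"] += n_ws
        counts["nested"] += n_grp
        if not (n_ws or n_grp):
            return pattern, counts

def captures(pattern, line):
    """Named captures of the first match, or None when nothing matches."""
    m = re.search(pattern, line)
    return m.groupdict() if m else None

# Constructed fragment in the style of the posted pattern (single backslashes,
# one line) and a constructed tab-separated log line; neither is from the post.
FRAGMENT = (r"MSWinEventLog\s*\s*(?:(?:(?:\d+)))\s*\s*(?:(?P<event_log>(?:\S+)))"
            r"\s*\s*(?:(?:(?:.*?)))\s*\s*(?:(?P<event_id>(?:4610|4614|4622)))")
LINE = ("MSWinEventLog\t1\tSecurity\t6500\tFri Mar 02 11:34:37 2012\t4610\t"
        "Microsoft-Windows-Security-Auditing")

if __name__ == "__main__":
    cleaned, counts = simplify(FRAGMENT)
    print(counts)
    print(cleaned)
    # The simplified pattern must extract the same fields as the original.
    print(captures(FRAGMENT, LINE) == captures(cleaned, LINE))
```

Both rewrites are conservative: a group is unwrapped only when its body contains no further parentheses, so escaped parentheses and character classes containing them are left untouched.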