Thanks Philip,
Thanks for your reply, it will be great if you can
sort out my problem... I have tried with many patterns and found that PCRE
takes less time than any other regex lib; that's why I want to use PCRE, but
there are some patterns like the one above for which it's unable to match.
Thanks again
On Wed, Apr 23, 2014 at 11:24 PM, <ph10@???> wrote:
> On Mon, 21 Apr 2014, swati upadhyaya wrote:
>
> > Hi All,
> > I have a pattern =
> >
> MSWinEventLog\\s*(?:(?:(?:\\s+)))\\s*(?:\\s*(?:(?:(?:\\d\\s+)))\\s*)?\\s*(?:(?P<event_log__string>(?:\\S+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:\\s+)))\\s*\\s*(?:(?P<event_id__0>(?:4610|4614|4622)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?P<event_source__all>(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?P<event_category__all>(?:.*?)))\\s*\\s*(?:(?:(?:[\t]+)))\\s*\\s*(?:(?:(?:(A|An).*?)))\\s*\\s*(?:(?P<object__words>(?:(?:\\w+\\s?)+)))\\s*\\s*(?:(?:(?:has
> > been)))\\s*\\s*(?:(?P<action__0>(?:loaded)))\\s*\\s*(?:(?:(?: by the
> > )))\\s*\\s*(?:(?:(?:.*?)))\\s*\\ Package\\
> > Name\\:\\s*(?:(?P<package__0>(?:\\S+)))\\s*
> >
> > message = <14>Mar 2 11:34:38 89.237.143.23 MSWinEventLog 1
> > Security 6500 Fri Mar 02 11:34:37 2012 4610
> > Microsoft-Windows-Security-Auditing N/A N/A Success Audit
> > prabhat.ImmuneAps.com User Logoff A authentication package has been
> > loaded by the Local Security Authority. This authentication package will be
> > used to authenticate logon attempts. Authentication Package Name:
> > C:\Windows\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >
> > It's not getting any match with PCRE, but with re2 I am getting the
> > match. Is there any issue with PCRE?
>
> I've had a quick look, but this is too complicated a pattern for me to
> spend a lot of time on. However, I suspect the pattern has got mangled
> by your email client because I see it as more than one line, and trying
> to join the lines produces items like \N which is not right. I also see
> some redundant \s*\s* sequences, and (?:(?:(?:.*?))) several times,
> which looks odd.
>
> The pcretest program can be very helpful in trying to debug issues like
> this.
>
> I might find time to look at this again later in the week.
>
> Philip
>
> --
> Philip Hazel
>
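
An added example, not part of the thread and not code from PCRE or pcretest: one way to narrow down a non-matching pattern like the one quoted above is to split it into segments and find the first prefix that stops matching. It runs on Python's `re` engine rather than PCRE, uses a simplified form of the posted pattern, and the sample line (including its tab separators, host name and address) is constructed.

```python
import re

# Constructed sample in the layout of the quoted message. The tab separators
# are an assumption: the e-mail shows only spaces between the fields.
SAMPLE = (
    "<14>Mar  2 11:34:38 192.0.2.23 MSWinEventLog\t1\tSecurity\t6500\t"
    "Fri Mar 02 11:34:37 2012\t4610\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\thost.example.com\tUser Logoff\t\t"
    "An authentication package has been loaded by the Local Security "
    "Authority. Authentication Package Name: C:\\Windows\\system32\\msv1_0.dll"
)
# The same line after a mail client or copy/paste has turned tabs into spaces.
FLATTENED = SAMPLE.replace("\t", " ")

# Simplified pieces of the posted pattern: redundant (?:(?:(?:...))) wrappers
# and doubled \s*\s* removed, several middle fields folded into one .*? run.
SEGMENTS = [
    r"MSWinEventLog\s+",
    r"(?:\d\s+)?",
    r"(?P<event_log__string>\S+)\s+",
    r".*?\s+",
    r"(?P<event_id__0>4610|4614|4622)",
    r"[\t]+",
    r"(?P<event_source__all>.*?)[\t]+",
    r".*?(?P<action__0>loaded) by the ",
    r".*?Package Name:\s*(?P<package__0>\S+)",
]

def first_failing_segment(segments, text):
    """Return None if the full pattern matches, otherwise a tuple of
    (segment index, segment, the 20 characters of input that segment faced)."""
    end = 0
    for i in range(len(segments)):
        m = re.search("".join(segments[: i + 1]), text)
        if m is None:
            return i, segments[i], text[end:end + 20]
        end = m.end()  # where the last matching prefix stopped
    return None

def parse(text):
    """Run the joined pattern and return the named groups, or None."""
    m = re.search("".join(SEGMENTS), text)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for label, line in (("tabs", SAMPLE), ("flattened", FLATTENED)):
        print(label, "->", first_failing_segment(SEGMENTS, line) or parse(line))
```

The same prefix-by-prefix approach works in pcretest by entering progressively longer versions of the pattern against one fixed subject line.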