0

我正在尝试解析以两种不同格式报告的 modsecurity 审计日志……一种如下

[modsecurity] [client 111.222.333.444 [domain somedomain.com] [403] [/apache/20150718/20150718-1412/20150718-141258-VapQ2kDQOQ1qTs5mQAsHDQAAAIs]  [file \"/etc/httpd/modsecurity.d/10_asl_rules.conf\"] [line \"93\"] [id \"392301\"] [rev \"7\"] [msg \"Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header\"] [severity \"NOTICE\"] [tag \"no_ar\"] Access denied with connection close (phase 1). Match of \"rx ^0$\" against \"REQUEST_HEADERS:Content-Length\" required.

第二个喜欢

[modsecurity] [client 111.222.333.444] [domain somedomain.com] [200] [/apache/20150718/20150718-1429/20150718-142952-VapUz0DQOQ1qTs5mQAsHfAAAAIg]  [file "/etc/httpd/modsecurity.d/localrules.conf"] [line "3"] [id "999999"] [msg "My WAF Rules - Blocking Wordpress Login Attempt by Country Code"] Warning. Matched phrase "CN" at GEO:COUNTRY_CODE.

我使用正则表达式匹配了第二条规则:

 /^\[(?<app>\w+)\](\s+)\[client (?<src_ip>\d+.\d+.\d+.\d+)\](\s+)\[domain (?<domain>.*)\](\s+)\[(?<rcode>\d+)\](\s+)\[(?<audit_data>.*)\](\s+)\[(?<modsec_file>.*)\](\s+)\[line "(?<modsec_line>\d+)"\](\s+)\[id "(?<modsec_ruleid>\d+)"\](\s+)\[msg "(?<modsec_msg>.*)"\].*$/

但我想要的是能够匹配这两种格式,所以基本上如果值

[rev "\d+"]

不存在那么只要其他一切都匹配就没有关系了。请问这可能吗?

谢谢。

4

1 回答 1

0

这个正则表达式应该适合你:

/^\[(?<app>\w+)\]\s+\[client (?<src_ip>\d+.\d+.\d+.\d+)\]\s+\[domain (?<domain>.*?)\]\s+\[(?<rcode>\d+)\]\s+\[(?<audit_data>.*?)\]\s+\[(?<modsec_file>.*?)\]\s+\[line "(?<modsec_line>\d+)"\]\s+\[id "(?<modsec_ruleid>\d+)"\]\s+(?:\[rev "\d+"\]\s+)?\[msg "(?<modsec_msg>.*)"\].*$/

正则表达式演示

于 2015-07-18T13:50:15.507 回答