
Windows Connector Filter & regex


Hi there,

The docs for Windows Event (WMI) Connector 1011.1r1 talk about using
regex methods to filter out certain Windows Event Codes, like below:
If you want to filter events with EventIdentifier 515, 565, and 567:
Value = .*2:EI3:(515|565|567).*
If you want to filter events with EventIdentifier 515, 7036, and 567:
Value = .*2:EI(3|4):(515|7036|567).*
Similarly, for EventCode, replace EI with EC in the value.

I have this syntax working for filtering out all occurrences for a
certain event code for the s_raw_message2 field and Case Insensitive +
ignore line breaks.

Now I want to check for a 565 event & for any Source User Name ending
with $ so as to filter these out. Has anyone got a "less than basic"
regex working as a filter?

My regex constructs that do not work (yet were validated OK by
RegexBuddy) were:
..*2:ec3:565.*Primary User Name:<\\\\t>[^<$]+\$<.*

Explanation:
Match any single character that is not a line break character «.*»
Between zero and unlimited times, as many times as possible, giving
back as needed (greedy) «*»
Match the characters “2:ec3:565” literally «2:ec3:565»
Match any single character that is not a line break character «.*»
Between zero and unlimited times, as many times as possible, giving
back as needed (greedy) «*»
Match the characters “Primary User Name:<” literally «Primary User
Name:<»
Match the character “\” literally «\\»
Match the character “\” literally «\\»
Match the characters “t>” literally «t>»
Match a single character NOT present in the list “<$” «[^<$]+»
Between one and unlimited times, as many times as possible, giving
back as needed (greedy) «+»
Match the character “$” literally «\$»
Match the character “<” literally «<»
Match any single character that is not a line break character «.*»
Between zero and unlimited times, as many times as possible, giving
back as needed (greedy) «*»


and I tried a Positive Look Ahead method:
^(?=.*?2:ec3:565)(?=.*?Primary User Name:<\\\\t>[^$<]*\$<).*

Explanation of Regex:
Assert position at the beginning of a line (at beginning of the string
or after a line break character) «^»
Assert that the regex below can be matched, starting at this position
(positive lookahead) «(?=.*?2:ec3:565)»
Match any single character that is not a line break character «.*?»
Between zero and unlimited times, as few times as possible,
expanding as needed (lazy) «*?»
Match the characters “2:ec3:565” literally «2:ec3:565»
Assert that the regex below can be matched, starting at this position
(positive lookahead) «(?=.*?Primary User Name:<\\\\t>[^$<]*\$<)»
Match any single character that is not a line break character «.*?»
Between zero and unlimited times, as few times as possible,
expanding as needed (lazy) «*?»
Match the characters “Primary User Name:<” literally «Primary User
Name:<»
Match the character “\” literally «\\»
Match the character “\” literally «\\»
Match the characters “t>” literally «t>»
Match a single character NOT present in the list “$<” «[^$<]*»
Between zero and unlimited times, as many times as possible,
giving back as needed (greedy) «*»
Match the character “$” literally «\$»
Match the character “<” literally «<»
Match any single character that is not a line break character «.*»
Between zero and unlimited times, as many times as possible, giving
back as needed (greedy) «*»

** I really like RegexBuddy for testing this stuff out.

cheers,
Kirk


--
kmaule
------------------------------------------------------------------------
kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=46325


Re: Windows Connector Filter & regex


I haven't tried, but could you post a snippet from a Connector Dump (in
a 'Code' section or on a pasting site like SUSE Paste) to see how things
line up?

Good luck.

Re: Windows Connector Filter & regex


Hi there,

The "s_raw_message2" field contains a single slash in "Primary User
Name:<\t>DC01$<", HOWEVER the raw data file for the event has two
slashes "Primary User Name:<\\t>DC01$<". I had been using the raw data
file to model the regex filter. The lesson learned is to use the
actual s_raw_message2 data or remember that the raw data file already
has escape backslashes.

Both of the following regex will work on the Connector filter but the
positive look ahead method of the former is MUCH more efficient than the
latter in determining a match (1,521 vs 18,425 iterations) or non-match
(10,109 vs 19,745) on my sample data:

^(?=.*?2:ec3:565)(?=.*?Primary User Name:<\\t>[^$<]*\$<).*
and
..*2:ec3:565.*Primary User Name:<\\t>[^<$]+\$<.*

Cheers,
Kirk


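As an added example (not code from Kirk's posts or from the Connector docs), the following Python script exercises the two points made in this thread: the docs' "2:EC<len>:(code|code)" alternation form from the first post, and the backslash trap plus the two working patterns from the follow-up. The sample s_raw_message2 values are constructed for the example, the as_dump_file_text helper is an assumption about how the raw data file escapes backslashes based on Kirk's description, and build_filter's rule that the digit after EC/EI is the code's length is inferred from the docs' own examples (515 gets 3, 7036 gets 4), not stated by the Connector documentation.

```python
import re

# Constructed sample values of the s_raw_message2 field, laid out the way the
# thread describes it: a "2:EC<len>:<code>" token, then later
# "Primary User Name:<\t>NAME<" with ONE literal backslash before the t.
# These lines are made up for this example; they are not real Connector output.
SAMPLE_EVENTS = [
    r"...2:EC3:565...Primary User Name:<\t>DC01$<...",     # 565, machine account
    r"...2:EC3:565...Primary User Name:<\t>jsmith<...",    # 565, human user
    r"...2:EC4:4624...Primary User Name:<\t>WS07$<...",    # other code, machine account
    r"...2:EC3:565...Primary User Name:<\t>svc$acct<...",  # '$' not at end of name
    "...2:EC3:565...\nPrimary User Name:<\\t>FS02$<...",   # line break inside the event
]

# The thread's filter settings: case insensitive and ignore line breaks.
FLAGS = re.IGNORECASE | re.DOTALL

# The two patterns the thread reports as working (one backslash before the t).
LOOKAHEAD = re.compile(
    r"^(?=.*?2:ec3:565)(?=.*?Primary User Name:<\\t>[^$<]*\$<).*", FLAGS)
GREEDY = re.compile(
    r"..*2:ec3:565.*Primary User Name:<\\t>[^<$]+\$<.*", FLAGS)

# The first attempt, modelled on the Connector's raw data file, where each
# backslash is escaped once more (so the pattern expects two before the t).
DUMP_STYLE = re.compile(
    r"..*2:ec3:565.*Primary User Name:<\\\\t>[^<$]+\$<.*", FLAGS)


def as_dump_file_text(field_value):
    """Mimic how the raw data file shows a field: backslashes doubled.
    (Assumption for the example, based on the thread's description.)"""
    return field_value.replace("\\", "\\\\")


def is_machine_account_565(msg, pattern=LOOKAHEAD):
    """True when the event is EC 565 and Primary User Name ends in '$'."""
    return pattern.match(msg) is not None


def filter_events(events, pattern=LOOKAHEAD):
    """Return the events that survive the filter (matches are dropped,
    which is how the thread uses the Connector filter)."""
    return [e for e in events if pattern.match(e) is None]


def build_filter(codes, key="EC"):
    """Generalise the docs' ".*2:EC(3|4):(515|7036|567).*" form to any list
    of codes. The digit after EC/EI is taken to be the code's length, which
    is inferred from the docs' own examples (515 -> 3, 7036 -> 4); this
    helper is an assumption of the example, not part of the Connector."""
    lengths = sorted({len(str(c)) for c in codes})
    len_alt = (str(lengths[0]) if len(lengths) == 1
               else "(" + "|".join(str(n) for n in lengths) + ")")
    code_alt = "|".join(str(c) for c in codes)
    return ".*2:%s%s:(%s).*" % (key, len_alt, code_alt)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("DROP" if is_machine_account_565(e) else "KEEP", repr(e))
    # The dump-modelled pattern misses the live field but hits the dump text.
    live = SAMPLE_EVENTS[0]
    print("dump-style vs live field:", DUMP_STYLE.match(live) is not None)
    print("dump-style vs dump text: ", DUMP_STYLE.match(as_dump_file_text(live)) is not None)
    print(build_filter([515, 7036, 567], key="EI"))
```

Running the script shows the DC01$ and FS02$ events being dropped while the human user, the non-565 event, and the name with an embedded "$" are kept by both working patterns; the DUMP_STYLE pattern matches only after the field is re-escaped the way the raw data file shows it. Python's re module does not expose a step counter, so the iteration figures Kirk measured in RegexBuddy are not reproduced here.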

Re: Windows Connector Filter & regex


Thank you for the follow-up. Great information, especially on the regex
efficiency.

Good luck.