How do I pull multiple IPs from a multi-line log?

-4

Regex flavor is PCRE

I have a multi-line log that I'm trying to pull IPs from. Sometimes there's one IP listed and sometimes there are multiple IPs listed with a comma as the delimiter. I had a regex that was working, pulling one or more IPs, but the problem was that I needed to add additional conditions to pull the multiple IPs from one type of event only.

I've been trying a ton of different regexes on regex101.com to no avail.

Token\sType:(?:\n|.)*Client\sIP:\s+(?<adfs_src>:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\K,)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

ADFS log example:

These are Microsoft ADFS logs; here is an example:

05/07/2019 03:06:54 PM LogName=Security SourceName=AD FS Auditing EventCode=411 EventType=0 Type=Information ComputerName=x.y.z User=abc Sid=A-9-3-98-1231231313-1231231313-1231231313-406293 SidType=1 TaskCategory=Printers OpCode=Info RecordNumber=###### Keywords=Audit Failure, Classic Message=Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 10.1.1.1,10.1.1.2  Error message: user@foo.com -The user name or password is incorrect Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user@foo.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

Looking for a regex that works when either one or more IPs are listed for Client IP.

Thx

regex
asked on Stack Overflow May 7, 2019 by user3723206 • edited May 7, 2019 by user3723206

2 Answers

2

You could make use of repetitive matches using \G to match Token Type and multiple occurrences of the ip numbers:

(?:(^Token\sType):\s*(?:\n(?!Client IP:).*)+\nClient IP:\s*\n|\G)(?<adfs_src>(?:\d{1,3}\.){3}\d{1,3})(?:[,\s]|$)
  • (?: Non-capturing group
    • (Token\sType) Capture in group 1
    • (?:\n(?!Client IP:).*)+ Match the whole line if it does not start with Client IP:
    • \nClient IP:\s*\n Match a newline, Client IP:, then whitespace chars and a newline
    • | Or
    • \G Assert position at the end of the previous match
    • (?<adfs_src>(?:\d{1,3}\.){3}\d{1,3}) Capture in group adfs_src an 'ip like' format (note that this does not validate an IP itself)
  • ) Close the non-capturing group
  • (?:[,\s]|$) Match either a comma, a whitespace character, or assert the end of the string.

Regex demo

If you want the IP numbers including the commas you could use:

(Token\sType):\s+\S+ Client IP: (?<adfs_src>(?:\d{1,3}\.){3}\d{1,3}(?:,(?:\d{1,3}\.){3}\d{1,3})*)

Regex demo

answered on Stack Overflow May 7, 2019 by The fourth bird • edited May 7, 2019 by The fourth bird
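The second regex above takes the approach that is easiest to carry into a real parser: capture the whole comma-separated list after Client IP:, then split it. The following is an added example by the editor, not code from either answer, showing that approach in Python's re module (which has no \G, \K or branch reset, so the \G trick from the first regex is replaced by a capture-then-split). It also adds the two things the answer itself flags as missing: the filter on Token Type that the question asked for (here assumed to be the UserName token type URI from the question's sample event) and per-address validation with ipaddress, since \d{1,3} happily accepts 10.1.1.300. The sample events are constructed in the shape of the question's EventCode=411 record and are not real logs; the "Other" token type URI in the third event is invented purely to exercise the filter.

```python
import re
import ipaddress

# Dotted-quad shape only; octet range is checked later with ipaddress.
IPV4_SHAPE = r"\d{1,3}(?:\.\d{1,3}){3}"

# Token Type URI, then (lazily, across newlines) the Client IP field holding one
# or more dotted quads separated by commas, with optional spaces around the comma.
CLIENT_IP_RE = re.compile(
    r"Token\s+Type:\s*(?P<token_type>\S+)"
    r".*?"
    r"Client\s+IP:\s*(?P<ips>" + IPV4_SHAPE + r"(?:\s*,\s*" + IPV4_SHAPE + r")*)",
    re.DOTALL,
)

# Token type the question wants to restrict extraction to (assumption: the
# UserName token URI that appears in the question's sample event).
USERNAME_TOKEN = "http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName"

# Constructed sample events (not real ADFS output), trimmed to the relevant fields.
SAMPLE_EVENTS = [
    # two addresses, no spaces after the comma, single line (as in the question)
    "05/07/2019 03:06:54 PM LogName=Security SourceName=AD FS Auditing EventCode=411 "
    "Message=Token validation failed. Additional Data Activity ID: "
    "00000000-0000-0000-0000-000000000000 Token Type: " + USERNAME_TOKEN +
    " Client IP: 10.1.1.1,10.1.1.2  Error message: user@foo.com -The user name or password is incorrect",
    # one address
    "EventCode=411 Token Type: " + USERNAME_TOKEN + " Client IP: 192.0.2.7 Error message: ...",
    # a different (invented) token type: must be ignored by the filter
    "EventCode=411 Token Type: http://example.invalid/tokens/Other "
    "Client IP: 198.51.100.9,198.51.100.10 Error message: ...",
    # multi-line event with a space after the comma and an out-of-range octet
    "EventCode=411\nToken Type: " + USERNAME_TOKEN + "\nClient IP: 10.1.1.300, 10.1.1.4\nError message: ...",
]


def extract_client_ips(event: str, token_type: str = USERNAME_TOKEN) -> list[str]:
    """Return the validated Client IP addresses of one event, or [] when the
    event is not of the requested token type or has no Client IP field."""
    m = CLIENT_IP_RE.search(event)
    if m is None or m.group("token_type") != token_type:
        return []
    addresses = []
    for raw in re.split(r"\s*,\s*", m.group("ips")):
        try:
            addresses.append(str(ipaddress.IPv4Address(raw)))
        except ipaddress.AddressValueError:
            # shape matched \d{1,3} but an octet is > 255: drop it rather than
            # feed a non-address into a blocklist or SIEM lookup
            continue
    return addresses


def extract_all(events: list[str]) -> list[list[str]]:
    """Apply the extractor event by event; one event per string, so the lazy
    .*? between Token Type and Client IP cannot run across event boundaries."""
    return [extract_client_ips(e) for e in events]


if __name__ == "__main__":
    for event, ips in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(repr(event[:40]), "->", ips)
```

Feed the extractor one event at a time: on a file containing many events, the lazy `.*?` with DOTALL would otherwise happily bridge the Token Type of one event to the Client IP of the next. When more than one address is present, keep the whole list in the alert rather than only the first element; the question's own sample shows the field can carry several, and which one is the end client depends on what sits in front of the ADFS server.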
1

Replace x with \d{1,3}

(?s)Token\sType:.*?Client\sIP:\s+(?|(?<adfs_src>:x(?:\.x){3})|x(?:\.x){3},\K(?<adfs_src>x(?:\.x){3}))

https://regex101.com/r/iw4Hm7/1

Readable regex

 (?s)
 Token \s Type:
 .*? 
 Client \s IP: \s+ 

 (?|
      (?<adfs_src>                  # (1 start)
           :x (?: \.x ){3}
      )                             # (1 end)
   |  
      x (?: \.x ){3}
      , \K 
      (?<adfs_src>                  # (1 start)
           x (?: \.x ){3}
      )                             # (1 end)
 )

PS. I had to verify 7 screens of check crosswalks. SO also logs me off when I go to regex101.com then close that window.

Note - I did add a "MVPS HOSTS file" (440 k) the other day to stave off ads.
I haven't reverted to old hosts file to test that this behavior doesn't
happen, maybe in the future I will.

answered on Stack Overflow May 7, 2019 by sln • edited May 7, 2019 by sln

User contributions licensed under CC BY-SA 3.0