Regex flavor is PCRE
I have a multi-line log that I'm trying to pull IPs from. Sometimes there's one IP listed and sometimes there are multiple IPs listed with a comma as the delimiter. I had a regex that was working pulling one or more IPs, but the problem was that I needed to add additional conditions to pull the multiple IPs from one type of event only.
I've been trying a ton of different regexes on regex101.com to no avail:
Token\sType:(?:\n|.)*Client\sIP:\s+(?<adfs_src>:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\K,)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
ADFS log example:
Microsoft ADFS logs and here is an example: 05/07/2019 03:06:54 PM LogName=Security SourceName=AD FS Auditing EventCode=411 EventType=0 Type=Information ComputerName=x.y.z User=abc Sid=A-9-3-98-1231231313-1231231313-1231231313-406293 SidType=1 TaskCategory=Printers OpCode=Info RecordNumber=###### Keywords=Audit Failure, Classic Message=Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 10.1.1.1,10.1.1.2 Error message: user@foo.com -The user name or password is incorrect Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user@foo.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect at 
Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
Looking for a regex that works when either one or more IPs are listed for Client IP.
Thx
You could make use of repetitive matches using \G to match Token Type and multiple occurrences of the ip numbers:
(?:(^Token\sType):\s*(?:\n(?!Client IP:).*)+\nClient IP:\s*\n|\G)(?<adfs_src>(?:\d{1,3}\.){3}\d{1,3})(?:[,\s]|$)
(?:                                   Non capturing group
(Token\sType)                         Capture in group 1
(?:\n(?!Client IP:).*)+               Match whole line if it does not start with Client IP:
\nClient IP:\s*\n                     Match newline, Client IP: then whitespace chars and newline
|                                     Or
\G                                    Assert position at the end of the previous match
(?<adfs_src>(?:\d{1,3}\.){3}\d{1,3})  Capture in group adfs_src an 'ip like' format (note that this does not validate an ip itself)
)                                     Close non capturing group
(?:[,\s]|$)                           Match either a comma, a whitespace character or assert the end of the string.

If you want the ip numbers including the commas you could use:
(Token\sType):\s+\S+ Client IP: (?<adfs_src>(?:\d{1,3}\.){3}\d{1,3}(?:,(?:\d{1,3}\.){3}\d{1,3})*)
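The pattern above, in the shape of that last regex, run over the question's record from Python (added example, not code from either answer; Python's re spells the named group (?P<...>, and the sample records are constructed, abbreviated from the question's log). It also adds the two checks the thread asks for: only EventCode=411 records are considered, and each captured value is validated with ipaddress because \d{1,3} alone accepts octets such as 999.

```python
import ipaddress
import re

# Same structure as the answer's second pattern: the "Token Type:" marker, one
# non-space token (the token type URI), then "Client IP:" and one or more
# comma-separated IPv4-looking values captured as adfs_src.
CLIENT_IP_RE = re.compile(
    r"Token\sType:\s+\S+\s+Client\sIP:\s+"
    r"(?P<adfs_src>(?:\d{1,3}\.){3}\d{1,3}(?:,(?:\d{1,3}\.){3}\d{1,3})*)",
    re.DOTALL,
)
EVENT_CODE_RE = re.compile(r"\bEventCode=(\d+)\b")


def extract_client_ips(record, event_code="411"):
    """Return the valid client IPs from one ADFS audit record, or [] if the
    record is not of the wanted EventCode or carries no Client IP field."""
    code = EVENT_CODE_RE.search(record)
    if code is None or code.group(1) != event_code:
        return []  # "one type of event only": skip every other EventCode
    m = CLIENT_IP_RE.search(record)
    if m is None:
        return []
    ips = []
    for piece in m.group("adfs_src").split(","):
        try:
            ips.append(str(ipaddress.IPv4Address(piece)))
        except ValueError:
            continue  # 'ip like' per the regex, but not a real IPv4 address
    return ips


# Constructed records, abbreviated from the question's sample (not real logs).
MULTI_IP = (
    "05/07/2019 03:06:54 PM LogName=Security SourceName=AD FS Auditing "
    "EventCode=411 EventType=0 Type=Information Message=Token validation failed. "
    "Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 "
    "Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName "
    "Client IP: 10.1.1.1,10.1.1.2 Error message: user@foo.com -The user name or password is incorrect"
)
SINGLE_IP = MULTI_IP.replace("10.1.1.1,10.1.1.2", "192.0.2.7")
BAD_OCTET = MULTI_IP.replace("10.1.1.1,10.1.1.2", "999.1.1.1,10.1.1.2")
OTHER_EVENT = MULTI_IP.replace("EventCode=411", "EventCode=410")

if __name__ == "__main__":
    for name, rec in [("multi", MULTI_IP), ("single", SINGLE_IP),
                      ("bad octet", BAD_OCTET), ("other event", OTHER_EVENT)]:
        print(f"{name}: {extract_client_ips(rec)}")
```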
Replace x with \d{1,3}
(?s)Token\sType:.*?Client\sIP:\s+(?|(?<adfs_src>:x(?:\.x){3})|x(?:\.x){3},\K(?<adfs_src>x(?:\.x){3}))
https://regex101.com/r/iw4Hm7/1
Readable regex
(?s)
Token \s Type:
.*?
Client \s IP: \s+
(?|
(?<adfs_src> # (1 start)
:x (?: \.x ){3}
) # (1 end)
|
x (?: \.x ){3}
, \K
(?<adfs_src> # (1 start)
x (?: \.x ){3}
) # (1 end)
)
PS. I had to verify 7 screens of check crosswalks. SO also logs me off when I go to regex101.com then close that window.
Note - I did add a "MVPS HOSTS file" (440 k) the other day to stave off ads.
I haven't reverted to the old hosts file to test that this behavior doesn't happen; maybe in the future I will.