perl中长短语的正则表达式

时间:2013-12-01 05:41:50

标签: regex perl

我希望使用perl脚本中的正则表达式从以下文本中提取“帐户名称”和“源网络地址”。为这样一个长短语添加正则表达式似乎需要付出很多努力。

我需要你帮助找到最好的正则表达式,或者任何想法都会有所帮助。请记住,这只是50个中的3个例子吗?与此类似的短语(不同长度)。

示例短语1:

WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: admin:     DOMAIN: hostname.domain.com: An account was successfully logged on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3      New Logon:  Security ID:  S-1-5-21-1130994204-1932287720-1813960501-1239  Account Name:  admin  Account Domain:  DOMAIN  Logon ID:  0x1d12cfff5  Logon GUID:  {AF5E2CF5-1A54-2121-D281-13381F397F41}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name:   Source Network Address: 101.101.101.101  Source Port:  52616  Detailed Authentication Information:  Logon Process:  Kerberos  Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.

示例短语2:

WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: admin: DOMAIN: hostname.domain.com: An account was logged off. Subject:  Security ID:  S-1-5-21-1130554204-1932287720-1813960501-4444  Account Name:  admin  Account Domain:  DOMAIN  Logon ID:  0x1d12d000a  Logon Type:   3  This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."  4646,1

示例短语3:

WinEvtLog: Security: AUDIT_SUCCESS(540): Security: Administrator: HOST88: HOST88: Successful Network Logon:     User Name: Administrator        Domain:     HOST88      Logon ID:   (0x14,0x6E6FB948)       Logon Type: 3       Logon Process: NtLmSsp      Authentication Package: NTLM        Workstation Name: DESKHOST88        Logon GUID: -       Caller User Name: -     Caller Domain: -        Caller Logon ID: -      Caller Process ID: -        Transited Services: -       Source Network Address: 10.10.10.10     Source Port: 43221

2 个答案:

答案 0 :(得分:1)

以下正则表达式将处理您发布的案例:

if ( $string =~ /(?<=Account Name:)\s+([^-\s]+).+(?:Source Network Address:)\s+([\d.]+)\s+/ ) {
    $account_name = $1;
    $source_addr = $2;
}

答案 1 :(得分:0)

您希望解决方案有多严格?

如果您有日志行并希望提取“帐户名称:”后面的单词以及“源网络地址:”后面的地址,那么您可以使用这样一个非常天真的正则表达式来执行此操作:

my ($account_name) = /Account Name:\s+(\S+)/;
my ($source_network_addr) = /Source Network Address:\s+(\S+)/;

这不会尝试验证行中的任何其他内容是否符合您的预期,但如果应用程序仅解析由IIS或其他任何内容生成的行,则可能不需要非常精确。 / p>

相关问题
最新问题