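How to extract multiple IPs from a multi-line log?

Time: 2019-05-07 19:06:11

Tags: regex

The regex flavor is PCRE.

I have a multi-line log that I am trying to extract IPs from. Sometimes one IP is listed, and sometimes multiple IPs are listed with a comma as the separator. I have a regex that works to extract one or more IPs, but the problem is that I need to add another condition so that multiple IPs are extracted from only one kind of event.

I have been trying a ton of different regexes on regex101.com, but to no avail.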

Token\sType:(?:\n|.)*Client\sIP:\s+(?<adfs_src>:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\K,)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

ADFS log example:

Microsoft ADFS logs and here is an example: 05/07/2019 03:06:54 PM LogName=Security SourceName=AD FS Auditing EventCode=411 EventType=0 Type=Information ComputerName=x.y.z User=abc Sid=A-9-3-98-1231231313-1231231313-1231231313-406293 SidType=1 TaskCategory=Printers OpCode=Info RecordNumber=###### Keywords=Audit Failure, Classic Message=Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 10.1.1.1,10.1.1.2  Error message: user@foo.com -The user name or password is incorrect Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user@foo.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect at 
Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName) at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

Looking for a regex that works when either one or multiple IPs are listed as the Client IP.

Thx

2 answers:

Answer 0 (score: 2)

You can use \G for repeated matching, to match the token type and multiple occurrences of the IP addresses:

(?:(^Token\sType):\s*(?:\n(?!Client IP:).*)+\nClient IP:\s*\n|\G)(?<adfs_src>(?:\d{1,3}\.){3}\d{1,3})(?:[,\s]|$)
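  • (?: Non-capturing group
    • (Token\sType) Capture in group 1
    • (?:\n(?!Client IP:).*)+ Match a newline and the rest of the line, if the line does not start with Client IP:
    • \nClient IP:\s*\n Match a newline, Client IP:, then whitespace characters and a newline
    • | Or
    • \G Assert the position at the end of the previous match
    • (?<adfs_src>(?:\d{1,3}\.){3}\d{1,3}) Capture an "IP-like" format in the adfs_src group (note that this does not validate the IP itself)
  • ) Close the non-capturing group
  • (?:[,\s]|$) Match a comma or a whitespace character, or assert the end of the string.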

Regex demo

If you want the IP addresses including the commas, you can use:

(Token\sType):\s+\S+ Client IP: (?<adfs_src>(?:\d{1,3}\.){3}\d{1,3}(?:,(?:\d{1,3}\.){3}\d{1,3})*)

Regex demo
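An added example, not part of the original answers: a Python version of the second approach above that captures the whole Client IP list, then splits and validates each entry, since the pattern alone only matches "IP-like" text. Python's re module has no \G or \K, so the split is done in code; the function name extract_client_ips and the sample events are constructed for illustration.

```python
import ipaddress
import re

# Anchor on "Token Type:" so events without that field are ignored, then
# capture the whole comma-separated Client IP list in one named group.
# DOTALL lets .*? cross line breaks, so pass ONE event at a time.
CLIENT_IP_RE = re.compile(
    r"Token\sType:.*?Client\sIP:\s*"
    r"(?P<adfs_src>\d{1,3}(?:\.\d{1,3}){3}(?:\s*,\s*\d{1,3}(?:\.\d{1,3}){3})*)",
    re.DOTALL,
)


def extract_client_ips(event: str) -> list:
    """Return the validated IPv4 addresses from one event's Client IP field."""
    match = CLIENT_IP_RE.search(event)
    if match is None:
        return []
    ips = []
    for candidate in match.group("adfs_src").split(","):
        try:
            ips.append(str(ipaddress.IPv4Address(candidate.strip())))
        except ipaddress.AddressValueError:
            continue  # "IP-like" text such as 999.1.1.2 is dropped
    return ips


# Constructed sample events, modelled on the log layout in the question.
MULTI = (
    "EventCode=411\nMessage=Token validation failed.\n"
    "Token Type:\nhttp://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName\n\n"
    "Client IP:\n10.1.1.1,10.1.1.2\n\nError message:\nuser@foo.com\n"
)
SINGLE = "Token Type:\nhttp://example.invalid/tokens/UserName\nClient IP: 10.1.1.1\n"
NO_TOKEN = "EventCode=4624\nClient IP: 10.9.9.9\n"  # no Token Type field
BAD_OCTET = "Token Type: t\nClient IP: 10.1.1.1,999.1.1.2\n"

if __name__ == "__main__":
    for name, event in [("multi", MULTI), ("single", SINGLE),
                        ("no_token", NO_TOKEN), ("bad_octet", BAD_OCTET)]:
        print(name, extract_client_ips(event))
```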

Answer 1 (score: 1)

x is replaced with \d{1,3}

(?s)Token\sType:.*?Client\sIP:\s+(?|(?<adfs_src>:x(?:\.x){3})|x(?:\.x){3},\K(?<adfs_src>x(?:\.x){3}))

https://regex101.com/r/iw4Hm7/1

Readable regex

 (?s)
 Token \s Type:
 .*? 
 Client \s IP: \s+ 

 (?|
      (?<adfs_src>                  # (1 start)
           :x (?: \.x ){3}
      )                             # (1 end)
   |  
      x (?: \.x ){3}
      , \K 
      (?<adfs_src>                  # (1 start)
           x (?: \.x ){3}
      )                             # (1 end)
 )

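PS. I had to get through 7 screens of crosswalk verification checks. And when I go to regex101.com and then close that window, it also logs me out.

Note - the other day I did add an "MVPS HOSTS file" (440 k) to block ads.
I have not yet reverted to the old hosts file to test whether this behavior
stops happening; maybe I will in the future.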
