在使用regex (在wazuh解码器中)选择列时卡住

Question

我有这个日志，但我不知道如何选择几个列。

04.07.2021 12:11:31.801 [25760] info  MainForm  -  Database(s) loaded: CA_2021,beforetest,FL_2,FL_Jan_2021,jhon,DC_City_Jan_2021,Statetest,Benchmark_2021

我使用了(\d\d\d\d) (\d+:\d+:\d+)并能够选择

2021 12:11:31

有人能帮我选择吗？

2021 12:11:31 [25760] info FL_Jan_2021 DC_City_Jan_2021 Benchmark_2021

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

Answer 1

您可以使用下列自定义解码器提取所有字段：

<decoder name="log1">
  <prematch>^\d\d.\d\d.\d\d\d\d \d\d:\d\d:\d\d.\d\d\d [\d+]\s+\w+\s+\w+\s+- </prematch>
  <regex>^(\d\d.\d\d.\d\d\d\d \d\d:\d\d:\d\d.\d\d\d) [(\d+)]\s+(\w+)\s+(\w+)\s+-\s+(\.+):\s+(\S+),(\S+),(\S+),(\S+),(\S+),(\S+),(\S+),(\S+)</regex>
  <order>decoded.date,decoded.pid,decoded.type,decoded.source,decoded.action,field1,field2,field3,field4,field5,field6,field7,field8</order>
</decoder>

其中，您提到的字段分别被提取为decoded.date、decoded.pid、decoded.type、field4、field6和field8。如果不希望提取其他字段，则可以从<regex>标记中删除它们的括号，并从<order>标记中删除它们的名称。

在wazuh-logtest中配置此解码器之后，通过/var/ossec/etc/decoders/local_decoders.xml实用程序运行日志的结果是：

**Phase 1: Completed pre-decoding.
    full event: '14.07.2021 12:11:31.801 [25760] info  MainForm  -  Database(s) loaded: CA_2021,beforetest,FL_2,FL_Jan_2021,jhon,DC_City_Jan_2021,Statetest,Benchmark_2021'

**Phase 2: Completed decoding.
    name: 'log1'
    decoded.action: ' Database(s) loaded'
    decoded.date: '14.07.2021 12:11:31.801'
    decoded.pid: '25760'
    decoded.source: 'MainForm'
    decoded.type: 'info'
    field1: 'CA_2021'
    field2: 'beforetest'
    field3: 'FL_2'
    field4: 'FL_Jan_2021'
    field5: 'jhon'
    field6: 'DC_City_Jan_2021'
    field7: 'Statetest'
    field8: 'Benchmark_2021'