Regex - match the username inside brackets and prepend a string

Posted 2025-01-16 23:55:35 · 736 characters · 5 views · 0 comments

I've a syslog message like this:

03-25-2022  18:02:51    Local1.Notice   192.168.1.1 Mar 25 18:02:51 2022 192.168.1.1 stm[6358]: <501199> <NOTI> AP:AP01 <192.168.1.1 aa:bb:cc:dd:ee>  User authenticated, mac-aa:bb:cc:dd:ee, username-my.username, IP-192.168.250.100, method-802.1x, role-blahblah

My first goal is: every time that the line contains "User authenticated", extract the string that comes after username- (in this case: my.username) and prepend a string.

Wanted Result:

MYPREPENDSTRING\my.username

Second goal: After that I would need another REGEX that can extract the ip address in this line that starts with IP- (IP-192.168.250.100). Final result:

Wanted result:

192.168.250.100

These two goals have to be done only with regex... don't know if it's possible.

NOTE: This is to be used on a Firewall that allows us, via Syslog, to map usernames and IPs. It uses 1 regex to match the username and another regex to match the ip

Much appreciated!!

Comments (3)

司马昭之心 2025-01-23 23:55:35
username-(?<username>[a-zA-Z0-9\.-_]*),.*IP-(?<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3}),

Test

Assuming that username can be alphanumeric and contain dots, dashes and underscores.

Also assuming that the ip is always after the username in the log lines.

  • IP-(?<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3}), will match the IPv4 address in a group named ip (note that this will accept 999.999.999.999 as a valid IPv4 address)
  • username-(?<username>[a-zA-Z0-9\.-_]*), will match the username in a group named username.
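Applying the combined pattern above to the sample line, as an added Python example (not code from this answer or from the original question): it gates on the event text, builds the MYPREPENDSTRING\username value the question asks for, and probes the username character class. Inside a class, `\.-_` is a range from `.` (0x2E) to `_` (0x5F), so `[a-zA-Z0-9\.-_]` also accepts `:`, `@`, `<` and similar, and does not accept a literal hyphen at all; `[A-Za-z0-9._-]` (hyphen last) is the class the answer describes. The prefix value, the probe characters and the helper names are assumptions.

```python
import re

# Constructed sample line, same shape as the line in the question.
SAMPLE_LINE = (
    "03-25-2022  18:02:51    Local1.Notice   192.168.1.1 Mar 25 18:02:51 2022 "
    "192.168.1.1 stm[6358]: <501199> <NOTI> AP:AP01 <192.168.1.1 aa:bb:cc:dd:ee>  "
    "User authenticated, mac-aa:bb:cc:dd:ee, username-my.username, "
    "IP-192.168.250.100, method-802.1x, role-blahblah"
)

# The answer's combined pattern. Python spells named groups (?P<name>...);
# apart from those two openers the pattern is copied verbatim.
COMBINED = re.compile(
    r"username-(?P<username>[a-zA-Z0-9\.-_]*),.*IP-(?P<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3}),"
)

PREFIX = "MYPREPENDSTRING"  # assumed prefix, the placeholder used in the question


def extract_user_ip(line, prefix=PREFIX):
    """Return (prefix\\username, ip) for a 'User authenticated' line, else None."""
    if "User authenticated" not in line:  # the event gate the question asks for
        return None
    m = COMBINED.search(line)
    if not m:
        return None
    return f"{prefix}\\{m.group('username')}", m.group("ip")


def accepted_by_class(chars):
    r"""For each character in `chars`, report (loose, strict):
    loose  - accepted by the answer's class [a-zA-Z0-9\.-_], where \.-_ is a range
             covering 0x2E..0x5F (':', ';', '<', '=', '>', '?', '@', '[', '\\', ']', '^'
             included, the literal hyphen 0x2D excluded);
    strict - accepted by [A-Za-z0-9._-], which allows only dot, underscore and hyphen."""
    loose = re.compile(r"^[a-zA-Z0-9\.-_]$")
    strict = re.compile(r"^[A-Za-z0-9._-]$")
    return {c: (bool(loose.match(c)), bool(strict.match(c))) for c in chars}


if __name__ == "__main__":
    print(extract_user_ip(SAMPLE_LINE))
    for c, (loose, strict) in accepted_by_class(".-:@").items():
        print(f"{c!r}: loose={loose} strict={strict}")
```

The probe shows why the class matters for a user-to-IP mapping: a username containing `-` (common in directory naming) would make the loose pattern stop early or fail, and the mapping would then bind the wrong name or none at all.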
初懵 2025-01-23 23:55:35

That should do the trick:

(?<=username-)(\w+\.\w+).*?IP-((\d{1,3}\.){3}(\d{1,3}))

The username is in your first capturing group and the IP in the second. Note that this will only work with IPv4 addresses.

Example

Explanation:

(?<=username-)(\w+\.\w+).*?IP-((\d{1,3}\.){3}(\d{1,3}))
(?<=         )                                          #positive lookbehind
    username-                                           #matches text "username-"
              (        )                                #capturing group 1
               \w+\.\w+                                 #matches any word character between 1 and infinity, followed by a dot "." followed by any word character
                        .*?                             #matches any character between 0 and infinity, non greedy
                           IP-                          #matches the string "IP-"
                              (                       ) #second capturing group
                               (\d{1,3}\.)              # matches any digit between 1 to 3 times, followed by a dot "."
                                          {3}           #quantifies previous match 3 times
                                             (\d{1,3})  #matches any digit between 1 to 3 times

Edit:
After clarification, it seems that it was asked for two separate regular expressions. This is possible with very minor modification of the existing regular expression:

username:

(?<=username-)(\w+\.\w+)

IP address:

(?<=IP-)((\d{1,3}\.){3}(\d{1,3}))
最初的梦 2025-01-23 23:55:35

As described, this was to be used with a Palo Alto Firewall.

Final Solution:

Event Regex: User authenticated

Username Regex: (?<=username-)\w*[-._]?\w+

IP Regex: (?<=IP-)\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}

Thanks everybody!
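For the two separate lookbehind patterns in the previous answer and the three-regex final solution above, an added Python example (not code from either answer, nor from Palo Alto): it runs an event, a username and an IP pattern in the same split-step way the firewall configuration does, over constructed lines, and validates the matched address with the `ipaddress` module. Two caveats become visible: the final solution's IP pattern leaves its dots unescaped, so `.` matches any character and `10x0y0z7` is accepted as an address; and the earlier answer's username pattern `(\w+\.\w+)` requires a dot, so `other_user` never matches. Both IP patterns accept `999.999.999.999`, which the validation step rejects. The sample lines, the prefix and the `strict` switch are assumptions.

```python
import ipaddress
import re

# Constructed test lines: the question's sample, a non-auth event, an out-of-range
# octet, and a malformed value that only an unescaped dot would accept.
LINES = [
    "03-25-2022  18:02:51    Local1.Notice   192.168.1.1 Mar 25 18:02:51 2022 "
    "192.168.1.1 stm[6358]: <501199> <NOTI> AP:AP01 <192.168.1.1 aa:bb:cc:dd:ee>  "
    "User authenticated, mac-aa:bb:cc:dd:ee, username-my.username, "
    "IP-192.168.250.100, method-802.1x, role-blahblah",
    "stm[6358]: User deauthenticated, username-my.username, IP-192.168.250.100, role-blahblah",
    "stm[6358]: User authenticated, username-other_user, IP-999.999.999.999, role-guest",
    "stm[6358]: User authenticated, username-j-doe, IP-10x0y0z7, role-guest",
]

# Patterns from the final solution, verbatim (note the unescaped dots in IP_RE_FINAL).
EVENT_RE = re.compile(r"User authenticated")
USER_RE_FINAL = re.compile(r"(?<=username-)\w*[-._]?\w+")
IP_RE_FINAL = re.compile(r"(?<=IP-)\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}")

# Patterns from the earlier answer, with escaped dots, for comparison.
USER_RE_ESC = re.compile(r"(?<=username-)(\w+\.\w+)")
IP_RE_ESC = re.compile(r"(?<=IP-)((\d{1,3}\.){3}(\d{1,3}))")


def map_user_ip(line, user_re, ip_re, prefix="MYPREPENDSTRING", strict=True):
    """Return (prefix\\username, ip) for an authentication line, else None.

    Mirrors the firewall's three-step flow: event regex decides whether the line
    counts, then the username and IP regexes each pull their value. With
    strict=True (assumed extra check, not part of either answer) the IP text must
    parse as a real IPv4 address, which rejects 999.999.999.999 and 10x0y0z7."""
    if not EVENT_RE.search(line):
        return None
    um = user_re.search(line)
    im = ip_re.search(line)
    if not (um and im):
        return None
    ip = im.group(0)
    if strict:
        try:
            if not isinstance(ipaddress.ip_address(ip), ipaddress.IPv4Address):
                return None
        except ValueError:
            return None
    return f"{prefix}\\{um.group(0)}", ip


if __name__ == "__main__":
    for line in LINES:
        print("final  :", map_user_ip(line, USER_RE_FINAL, IP_RE_FINAL, strict=False))
        print("escaped:", map_user_ip(line, USER_RE_ESC, IP_RE_ESC, strict=False))
        print("strict :", map_user_ip(line, USER_RE_FINAL, IP_RE_FINAL))
```

Where the firewall only offers a regex slot and no post-validation, the escaped form `\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}` is the minimum fix for the IP slot; the `strict` branch shows what an upstream collector or SIEM rule can add before a mapping is trusted.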
