我有一个应用程序,需要提取三个不同的事件:连接、命令、断开连接。 我正在尝试让解码器工作,但即使我做了
<regex>*</regex>示例日志:
[Sat 19:24:16 INFO Event/User] usernameishere[/123.456.789:5432] logged in with user id 1046770 at ([h18n5]randomstringhere)
[Sat 19:24:33 INFO Event/User] usernameishere ran command: /command is here with spaces
[Sat 19:24:43 INFO Event/User] usernameishere lost connection: reasonhere
因为我对 wazuh 还很陌生,所以我不知道我在这里做了什么:
<decoder name="login_decoder">
<parent>json</parent>
<regex>^\[\w+\s+\d+:\d+:\d+\s+(?<level>[A-Z]+)\s+Event\/User\]\s+(?<username>\S+)\[(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:(?<port>\d+)\] logged in with user id (?<user_id>\d+) at \(\[\S+\](?:\S+)\)$</regex>
</decoder>
<decoder name="command_decoder">
<parent>json</parent>
<regex>^\[\w+\s+\d+:\d+:\d+\s+(?<level>[A-Z]+)\s+Event\/User\]\s+(?<username>\S+)\s+ran command:\s+(?<command>.*?)(?=\s+\[|\s*$)</regex>
</decoder>
<decoder name="disconnect_decoder">
<parent>json</parent>
<regex>^\[\w+\s+\d+:\d+:\d+\s+(?<level>[A-Z]+)\s+Event\/User\]\s+(?<username>\S+)\s+lost connection.*$</regex>
</decoder>
任何帮助或链接表示赞赏