Regex works for search but not stream

mahesh.khetani · 2019-01-17 10:51:51 UTC

Hi All,

I’ve just setup a new graylog server and am trying to create a new stream for our domain controller event logs. Our domain controllers have a specific format: eg: ENF-DC01.COMPANY. COM or AST-DC1.COMPANY. COM (we have 15 in total)

so i’ve created a new rule under a stream where source should match the regex:

.{4}(dc01 |DC01|dc1|DC1)(.company.com|.COMPANY. COM)

I’ve verified that this regex works using online generators and it also works if i search all messages using:

source: /.{4}(dc01 |DC01|dc1|DC1)(.company.com|.COMPANY. COM)/

But the stream just doesn’t seem to match any logs. When i load a message to test the rule it says:

“This message would not be routed to this stream”

I dont understand why the regex works in a search but not a stream.

Any help would be appreciated. Thanks

Ponet · 2019-01-17 16:52:41 UTC

Hi @mahesh.khetani

Try escaping the ‘.’ characters in your regular expression.

So, your regex should become something like:

.{4}(dc01 |DC01|dc1|DC1)(\.company\.com|\.COMPANY\.COM)

Thanks.

mahesh.khetani · 2019-01-17 12:23:03 UTC

Bingo!

Sending you a virtual hi-5 Jesse, ive been racking my brains out for the past couple of days.

Many Thanks

Ponet · 2019-01-17 12:38:56 UTC

Success.

It did appear that the original regex you posted (minus the space infront of the last .com) did parse correctly and match as expected but, after testing in another parser - It failed.

It’s always best to be as exact as you can with your regex otherwise you can encounter strange things such as this

Remember to mark a response as a solution so people can see that the thread has resolution.

Thanks

system · 2019-01-31 12:39:04 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.