I’m trying to create four regex extractors for messages similar to the one below which comes from Windows eventvwr. My input is gelf_udp on graylog 2.4.6.
_An error occurred while processing the outgoing e-mail message with subject “I am a test email” for SMTP: https://mail.domain.com/contoso for delivery through smtp.office365.com. System.Net.Mail.SmtpException: Mailbox unavailable. The server response was: 5.7.60 SMTP; Client does not have permissions to send as this sender [blah.blah.prod.outlook.com]
Of the four extractors, only the first one below named Email_Subject is working. I can see it in graylog as a field.
For new field: Email_Subject
Matched text should be: I am a test email
Regex: (".*")
These three below do not work. I don’t see them as fields. I’ve tested these expressions with several sites and they match accordingly.
For new field: Email_Server
Matched text should be: smtp.office365.com.
Regex: (?<=for.delivery.through.)[^\s]*
For new field: Email_Organization
Matched text should be: contoso
Regex: (?<=mail.domain.com/)[^\s]*
For new field: Email_Reason
Matched text should be: Mailbox unavailable. The server response was: 5.7.60 SMTP; Client does not have permissions to send as this sender [blah.blah.prod.outlook.com]
Regex: (?<=Exception:\s)[^.].*
Do I have my expressions wrong?