3.4 preprocessing - multiline regexp ?

EGDaniel
Junior Member
• Dec 2016
• 6

#1

Greetings,

I've been playing with the new v3.4 item preprocessing function.
I'm trying to extract some specific details from collected Windows event logs, like: https://docs.microsoft.com/en-us/win...ing/event-4625
Example of a section I would like to extract into the "Dependent item":
Account For Which Logon Failed:
Security ID: S-1-0-0

Account Name: WORKSTATION$

Account Domain: DOMAIN
Please note that there are several occurrences in the log of these details: "Security ID", "Account Name", "Account Domain".

Normally a PCRE regexp like "(?m)Account For Which Logon Failed(.*\n\n.*\n\n.*\n\n.*)" would be enough.
But I'm still a little bit confused about how to convert this PCRE into a ZBX item preprocessing regexp.

Thank you in advance.
Last edited by EGDaniel; 17-10-2017, 09:13.
jan.garaj
Senior Member
Zabbix Certified Specialist
• Jan 2010
• 506

#2
Try to play with the grep -P command: http://zabbix.org/wiki/Testing_Of_Preprocessing
Devops Monitoring Expert advice: Dockerize/automate/monitor all the things.
My DevOps stack: Docker / Kubernetes / Mesos / ECS / Terraform / Elasticsearch / Zabbix / Grafana / Puppet / Ansible / Vagrant

EGDaniel
Junior Member
• Dec 2016
• 6

#3
Well, that's the joke of it.
In the online utilities the regex "(?m)Account For Which Logon Failed(.*\n\n.*\n\n.*\n\n.*)" works as expected.
With grep -P or in the ZBX preprocessing field, it doesn't.

Because even grep matches against individual lines, and can only show other lines with additional parameters like -A(num), -B(num), ...
Hence the question: will the ZBX regex preprocessing work with multiline?
Because the solution is eluding me.

jan.garaj
Senior Member
Zabbix Certified Specialist
• Jan 2010
• 506

#4
That's a community doc. If you think it's a joke, then please improve it instead of laughing at it!

BTW: I wrote that doc just to have some guidance for the community instead of nothing.

EGDaniel
Junior Member
• Dec 2016
• 6

#5
No no, I was not laughing at that community doc of yours, but rather at my situation.
Sorry for the misunderstanding.

jan.garaj
Senior Member
Zabbix Certified Specialist
• Jan 2010
• 506

#6
OK, I guess you don't need multiline matching anymore. Just create 3 dependent items with different regexps; for example, the item for parsing the account domain would use the preprocessing regexp:
Code:
Account Domain: (.*)$

EGDaniel
Junior Member
• Dec 2016
• 6

#7
Sorry for my delay, I have been busy elsewhere.
Thanks for that hint. Although I would love to have a multiline regex extraction in one item instead of multiple items, I guess this will suit as well.

The event in the log is a bit more complex (with at least two lines with "Account Name" and "Account Domain"), like:
An account failed to log on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: WORKSTATION$
Account Domain: DOMAIN

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
...
Therefore a more complex regex could be required (in order to avoid the first occurrence with dash characters only), like:
First line: (.*)
Account Name: Account Name.*[a-zA-Z][$])
Account Domain: Account Domain.*[a-zA-Z])
Workstation Name: Workstation Name.*)
Source Network Address: Source Network Address.*)

Thanks for pointing me in the right direction.

djet
Junior Member
• Sep 2016
• 3

#8
I had success with the "(?s)" modifier.

An example:
Code:
(?s)EKINOPS-MIB::ekinops.3000.1.2.0 type=6  value=OID: ENTITY-MIB::(.*?)\n.*EKINOPS-MIB::ekinops.3000.1.8.0 type=4  value=STRING: "(.*?)"\n.*EKINOPS-MIB::ekinops.3000.1.13.0 type=4  value=STRING: "(.*?)"

EGDaniel
Junior Member
• Dec 2016
• 6

#9
FYI, in the meantime I've found a workaround at https://support.zabbix.com/browse/ZB...comment-187283 , by using [[:cntrl:]], which works perfectly.
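An added example (not from the thread, and not Zabbix code) showing the point behind posts #6, #7 and #8 on the event text quoted in #7: the single-line "Account Domain: (.*)$" picks up the placeholder "-" from the Subject block first, while the (?s) modifier lets one expression reach past it into the "Account For Which Logon Failed" section. Python's re module is assumed here; in the PCRE that Zabbix uses, (?s) has the same meaning (dot also matches newline).

```python
import re

# Constructed sample laid out like the event 4625 message in post #7
# (not captured from a real host).
EVENT_4625 = """An account failed to log on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: WORKSTATION$
Account Domain: DOMAIN

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
"""

# Without (?s), "." stops at a newline, so ".*" can never bridge the section
# header and the fields on the following lines. With (?s) the dot also matches
# newlines; the lazy ".*?" keeps the match inside the target section instead
# of running on to the last "Account Domain:" in the whole event.
TARGET_ACCOUNT_RE = re.compile(
    r"(?s)Account For Which Logon Failed:.*?"
    r"Security ID:\s*(?P<sid>\S+).*?"
    r"Account Name:\s*(?P<name>\S+).*?"
    r"Account Domain:\s*(?P<domain>\S+)"
)


def extract_failed_account(event_text):
    """Return {sid, name, domain} from the 'Account For Which Logon Failed'
    block, or None when the event has no such block."""
    m = TARGET_ACCOUNT_RE.search(event_text)
    return m.groupdict() if m else None


def naive_first_account_domain(event_text):
    """The plain 'Account Domain: (.*)$' from post #6: its first hit is the
    Subject block's '-' placeholder, not the account that actually failed."""
    m = re.search(r"(?m)^Account Domain: (.*)$", event_text)
    return m.group(1) if m else None
```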
