Hello,
I am trying to get regex to work in ingest actions to match a list of event codes from Window Security Logs.
The following regex matches sample text on regex101.com
^(EventCode=(1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447))$
But it doesn't find in matches when using in ingest actions.
Given the eventcodes listed above, can someone assist me with finding the correct regex that will work inside of ingest actions?
Thanks!
Eliminate the ^ and $ from the regex. The position of the matching text within the line/event doesn't matter and it's unlikely there will be a random "EventCode=4689" in other events.
Eliminate the ^ and $ from the regex. The position of the matching text within the line/event doesn't matter and it's unlikely there will be a random "EventCode=4689" in other events.
@richgalloway How could I flip that so the regex matches anything that is not in that list?
Thanks,
Garry
Regex doesn't do negation well, but you can try this
EventCode=(?!1102|4616|4624|4625|4634|46484657|4697|4698|4699|4700|4701|4702|4719|4720|4722|4723|4725|4728|4732|4735|4737|4738|4740|4755|4756|4767|4772|4777|4782|4946|4947|4950|4954|4964|5025|5031|5152|5153|5155|5157|5447)
Beautiful! Too easy 🙂
Thanks so much.