Custom rule - Regex match if missing word

[Lucio Emanuel Soldo]

Hi everybody, how are you doing?

Well, shor question:

1) My syslog log

Mar 25 16:45:21 serverA Oracle Audit[9378]: LENGTH: "293" SESSIONID:[9] "331479633" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[7] "PRUEBA" USERHOST:[26] "serverA" TERMINAL:[5] "pts/1" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[26] "Authenticated by: DATABASE" OS$USERID:[6] "oracle" DBID:[10] "3463351456" PRIV$USED:[1] "5"

2) I need a regex expression that match if the string PRIV$USED is missing  from the previous log

I tried with the following but it does not work:

<regex>\.^!PRIV$USED$\.</regex>

Thank you very much!

[Javier Bejar]

Hi Lucio,

By Default regex uses PCRE2, so your regex as it is would match:

• \. matches the character . literally (case sensitive)
• ^ asserts position at start of a line
• !PRIV matches the characters !PRIV literally (case sensitive)
• $ asserts position at the end of a line
• USED matches the characters USED literally (case sensitive)
• $ asserts position at the end of a line
• \. matches the character . literally (case sensitive)

In order to match PRIV$USED we use 

• PRIV\$USED

In order to negate the expression we use the option negate, resulting in:

• <regex negate="yes">PRIV\$USED</regex>

I hope this solves your problem, don't hesitate to reply back if you need anything else.

Have a nice day, Javier.

[Javier Bejar]

Sorry, by default regex use osregex, so ignore my response, this would work:

•  <regex negate="yes" type="PCRE2">PRIV\$USED</regex>

I hope this solves your problem, don't hesitate to reply back if you need anything else.

Have a nice day, Javier.