Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2581
Views
5
Helpful
1
Replies

eem syslog pattern regex

Joseph.F
Level 1
Level 1

‎05-14-2020 01:39 PM

Hello, 

 

I need a little assistance with a regex pattern search.  I would like to match a login syslog messages for all users except 1. The 1 user is an automated account for system monitoring.  I've been reading a number of forums and trying different regex combinations but I'm running out of ideas.

 

event syslog pattern “%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?!butnotthisuser).*”

 

The applet isn't showing any matches from;

show event manager history events

 

It works if i shorten the search to;

event syslog pattern “%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success.*"

but it generates too many alerts.

 

What am I missing?

Labels:
0 Helpful
1 Reply 1

Joseph.F
Level 1
Level 1

‎05-15-2020 05:48 AM

I'll answer my own question.  Eem doesn't support the full range of regex.  It doesn't seem like it it capable of using a negative lookahead.

 

I was able to solve the issue by using a more simplistic approach.

 

event syslog pattern “%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: [^butnotthisuser].*”

 

not what i wanted but it works.

Customers Also Viewed These Support Documents