tags:

views:

362

answers:

2
+1  Q: 

Analyse Windows event log entries using PowerShell and regular expressions

I'm currently working on a PowerShell script to analyse VPN traffic by reading the event log of our VPN server.

I'm using WMI to retrieve the relevant event entries and a regular expression to extract information like user name, traffic etc. The event message obviously does contain line breaks which I don't seem to be able to match via my expression.

Example:

The user MYDOMAIN\CHARLY connected on port VPN3-18 on 04.07.2009 at 23:19 and disconnected on
05.07.2009 at 00:03.  The user was active for 43 minutes 55 seconds.  886949 bytes
were sent and 195113 bytes were received. The
reason for disconnecting was user request.

This is my expression:

The user (?<user>\w*\\\w*) connected on port (?<port>\w*-\w*) on (?<connectdate>\w*.\w*.\w*) at (?<connecttime>\w*:\w*) and disconnected on'n(?<disconnectdate>\w*.\w*.\w*) at (?<disconnecttime>\w*:\w*).  The user was active for (?<activeminutes>\w*) minutes (?<activeseconds>\w*) seconds.  (?<bytessent>\w*) bytes'nwere sent and (?<bytesreceived>\w*) bytes were received. The'nreason for disconnecting was user request.

Right now I don't know what else to try so any help is highly appreciated.

+3  A: 

Line-breaks match against \s (white-space). Try testing bits of your regex and building it up.

For help with regular expressions, try

get-help about_regular_expression
Benjamin Titmus  2009-07-06 09:01:23
+1  A: 

Note, to get maximum control of regular expressions instantiate a [regex] (PSH shortcut for System.Text.RegularExpressions.Regex). This allows you access to RegexOptions enumeration to provide more control that -match does.

E.g.

$r1 = [regex]"Foo\s*bar"
$r2 = New-Object "System.Text.RegularExpressions.Regex" "Foo\s*bar",[System.Text.RegularExpressions.RegexOptions]::IgnorePatternWhitespace

(In the last case, that option allows literal whitespace to be ignored (including newlines), useful when building complex expressions.)

This page gives details of the supported character classes: \s matches:

Matches any white-space character. Equivalent to the escape sequences and Unicode general categories [\f\n\r\t\v\x85\p{Z}].

Richard  2009-07-06 09:49:39
SOLVED!! :-)\s* did the trick.Thanks so much to Benjamin and Richard
jarod1701  2009-07-17 16:45:36

related questions

Passing a commented, multi-line (freespace) regex to preg_match
My regex is matching too much. How do I make it stop?
Using Regex to generate Strings rather than match them
Complexity of Regex substitution
What is the most brilliant regex you've ever used?
RFC calculation in Java need help with algorithm
What did I do wrong here? [Javascript Regex]
How do you use back-references to PCREs in PHP?
Need help writing a regex statement. [PHP]
Regex and unicode
Python Regular Expressions
Question about specific regular expression
Pre-built regular expression patterns or Regex Libraries?
Parsing attributes with regex in Perl
Regex Rejecting matches because of Instr
How do I bind a regular expression to a key combination in emacs?
How do you retrieve selected text using Regex in C#?
Remove Quotes and Commas from a String in MySQL
Regular expression for parsing links from a webpage?
What are good regular expressions?
Why is this regular expression faster?
Learning Regular Expressions
How far should one take e-mail address validation?
How can I get at the matches when using preg_replace in PHP?
Regex: To pull out a sub-string between two tags in a string