Regex to get word before and after given word

Question

Can someone please help with regex pattern for below string in Python? I have .log file and I want to find below line from string I have to get user and ip.

I want regex that can get me one word before from and one after from.

Failed password for root from 123.183.209.132 port 39706 ssh2

I want root and 123.183.209.132 from above string

Failed password for invalid user packer from 13.82.211.217 port 45832 ssh2

I want packer and 13.82.211.217 from above string

reverse mapping checking getaddrinfo for undefined.datagroup.ua
[93.183.207.5] failed - POSSIBLE BREAK-IN ATTEMPT!

reverse mapping checking getaddrinfo for nsg-static-226.127.71.182.airtel.in [182.71.127.226] failed - POSSIBLE BREAK-IN ATTEMPT!

reverse mapping checking getaddrinfo for 179.185.44.168.static.gvt.net.br [179.185.44.168] failed - POSSIBLE BREAK-IN ATTEMPT!

I want undefined.datagroup.ua and 93.183.207.5 from(new regex).

My working code.

def parse(filename, date=None):
    try:
        # string = 'Failed password for ([a-z]*|[a-z]* [a-z]* [a-z]*) from '
        string = 'Failed password for ([a-z]*|[a-z]* [a-z]* [a-z]*) from [0-9]+(?:\.[0-9]+){3}'
        # string_sub = 'for (?<user>[a-zA-Z\.]+).*?(?<ip>(?:\d{1,3}\.){3}\d{1,3})'
        # string_re = re.compile(r"^[^ ]+ - (C[^ ]*) \[([^ ]+)").match
        match_list =[]
        with open(filename, 'r') as file:
            for line in file:
                for match in re.finditer(string, line, re.S):
                    match_text = match.group()
                    user_ip = re.search(r'Failed password for .*?(\w+) from (\d+(?:\.\d+){3})', match_text)
                    user = user_ip.groups()[0]
        print(user)
    except KeyError as e:
        msg="key %s is missing" % str(e)
        return msg
    except Exception as e:
        return str(e)

I'm stuck with regex.

Does this answer your question? [Learning Regular Expressions](https://stackoverflow.com/questions/4736/learning-regular-expressions) — jonrsharpe, Dec 07 '19 at 08:36
I have edited my question I'm stuck with getting user and ip both form string. — aakanksha khandelwal, Dec 07 '19 at 09:10
I'm done with regex for 1st part I only need regex for 2nd string part. Can anyone help with only one? — aakanksha khandelwal, Dec 07 '19 at 12:09

score 0 · Answer 1 · answered Dec 07 '19 at 10:43

Regex may be overkill for your use case... Did you try simpler things, like this, for instance:

s1 = "Failed password for root from 123.183.209.132 port 39706 ssh2"
s2 = "Failed password for invalid user packer from 13.82.211.217 port 45832 ssh2"

parsed = s1.split('from',1)
user = parsed[0].split()[-1]
ip = parsed[1].split()[0]

print(f'User is {user} and IP is {ip}')

score -1 · Answer 2 · answered Dec 07 '19 at 09:20

-1

If I understand correctly you basically want the word (username) after for and the ip of that line? If that's the case, how about:

for (?<user>[a-zA-Z\.]+).*?(?<ip>(?:\d{1,3}\.){3}\d{1,3})

https://regex101.com/r/aojbyS/1. Granted, this is a short-hand form for an IP, but to make it more correct you should use a proper ipv4 regex.

Additionally, in your question, you don't say what should be captured from the following, which might modify the above regex.

Failed password for invalid user packer from 13.82.211.217 port 45832 ssh2.

answered Dec 07 '19 at 09:20

David542

104,438
178
489
842

it would be easy if I get one word before and after word `from`. – aakanksha khandelwal Dec 07 '19 at 09:26
@aakankshakhandelwal but your last example doesn't contain the word from at all? – David542 Dec 07 '19 at 09:42
There are two different string so I will need two different regex. 1. to `regex.sub()` to get user and ip from string. 2. to get object and ip from 2nd string. – aakanksha khandelwal Dec 07 '19 at 09:45

Toto · Accepted Answer · 2019-12-09T10:14:12.330

import re

inp = [
    'Failed password for root from 123.183.209.132 port 39706 ssh2',
    'Failed password for invalid user packer from 13.82.211.217 port 45832 ssh2',
    '''reverse mapping checking getaddrinfo for undefined.datagroup.ua
[93.183.207.5] failed - POSSIBLE BREAK-IN ATTEMPT!''',
]
for s in inp:
    result = re.search(r'(?:Failed password|reverse mapping.+?) for .*?([\w.]+)\s+(?:from |\[)(\d+(?:\.\d+){3})', s)
    print result.groups()

Output:

('root', '123.183.209.132')
('packer', '13.82.211.217')
('undefined.datagroup.ua', '93.183.207.5')

Explanation:

(?:                     # non capture group
    Failed password     # literally
  |                   # OR
    reverse mapping     # literally
    .+?                 # 1 or more any character, not greedy
)                       # end group
 for                    # literally
 .*?                    # 0 or more any character
 ([\w.]+)               # group 1, 1 or more word character or dot
 \s+                    # 1 or more spaces
 (?:from |\[)           # non capture group, from OR opening square bracket
(\d+(?:\.\d+){3})       # group 2, IP

Worked perfectly for above string. I need the same for below given string also `reverse mapping checking getaddrinfo for undefined.datagroup.ua [93.183.207.5] failed - POSSIBLE BREAK-IN ATTEMPT!`. — aakanksha khandelwal, Dec 09 '19 at 08:13

Regex to get word before and after given word

3 Answers3