
I've a syslog message like this:

03-25-2022  18:02:51    Local1.Notice   192.168.1.1 Mar 25 18:02:51 2022 192.168.1.1 stm[6358]: <501199> <NOTI> AP:AP01 <192.168.1.1 aa:bb:cc:dd:ee>  User authenticated, mac-aa:bb:cc:dd:ee, username-my.username, IP-192.168.250.100, method-802.1x, role-blahblah

My first goal is: every time the line contains "User authenticated", extract the string that comes after username- (in this case: my.username) and prepend a string.

Wanted Result:

MYPREPENDSTRING\my.username

Second goal: After that I would need another REGEX that can extract the IP address in this line that starts with IP- (IP-192.168.250.100).

Wanted result:

192.168.250.100

These two goals have to be done only with regex... I don't know if it's possible.

NOTE: This is to be used on a Firewall that allows us, via Syslog, to map usernames and IPs. It uses 1 regex to match the username and another regex to match the IP.

Much appreciated!!

FM86
  • is the username always limited with a `,` and what programming language are you using? – medilies Mar 25 '22 at 18:29
  • Does the IP always follow the username (as in the example)? – Cary Swoveland Mar 25 '22 at 19:39
  • the username is always limited with a ".". I'm not using any programming language. This is to be used on a Firewall that allows us via Syslog to map usernames and passwords. It uses 1 regex to match the username and another regex to match the IP. – FM86 Mar 25 '22 at 23:23
  • I meant IPs... not passwords ;) – FM86 Mar 25 '22 at 23:31
  • @FM86 Are you by any chance using `fail2ban`? If not would you mind to disclose which firewall you are using? – mashuptwice Mar 26 '22 at 00:37
  • @mashuptwice Palo Alto Networks. ;) – FM86 Mar 26 '22 at 00:41
  • @FM86 are we talking about [pan OS syslog filters](https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/user-id-agent-setup/user-id-agent-setup-syslog-filters.html)? – mashuptwice Mar 26 '22 at 00:45
  • @mashuptwice yup – FM86 Mar 26 '22 at 01:01
  • @FM86 according to the linked documentation you can set an "Event Regex" for identifying a successful authentication in addition to the user and IP regex. Also: `the regex User:([a-zA-Z0-9\\\._]+) would match the string User:johndoe_4 and extract acme\johndoe1 as the username.` It seems that 1. the prefix gets added automatically and 2. they are using capture groups, meaning that they only use text between brackets `()` for further processing. That is critical information and should be included in your question. – mashuptwice Mar 26 '22 at 01:05
  • You're correct. So I've this working like this: Event Regex: User authenticated | Username Regex: (?<=username-)\w*[-._]?\w+ | Address Regex: (?<=IP-)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} – FM86 Mar 26 '22 at 01:15
  • Please edit your question with the additional information, as comments could get deleted. – mashuptwice Mar 26 '22 at 09:38

3 Answers

username-(?<username>[a-zA-Z0-9._-]*),.*IP-(?<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3}),


Assuming that username can be alphanumeric and contain dots, dashes and underscores.

Also assuming that the IP always comes after the username in the log lines.

  • IP-(?<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3}), will match the IPv4 address in a group named ip (note that this will accept 999.999.999.999 as a valid IPv4 address)
  • username-(?<username>[a-zA-Z0-9._-]*), will match the username in a group named username (the hyphen is placed last in the class so it is a literal character, not a range).
medilies
  • Your answer accounts for way more edge cases in the username than mine, also naming the capture groups is of course way more convenient! Thanks for sharing! – mashuptwice Mar 25 '22 at 19:46
  • you can adjust `[a-zA-Z0-9\.-_]` to match less possibilities according to your usernames – medilies Mar 25 '22 at 19:47
  • Hi! In fact I need two separate REGEX. One for username and another for IP address. To the username it must be added a prefix so the match ends up like this: MYPREFIX\my.username – FM86 Mar 25 '22 at 23:26
  • So you want to extract the IP and replace the username. What programming language are you using ? – medilies Mar 25 '22 at 23:40
  • This is to be used on a Firewall that allows us, via Syslog, to map usernames and IPs. It uses 1 regex to match the username and another regex to match the IP. Only regex... no programming language ;) – FM86 Mar 25 '22 at 23:46
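The following is an added example, not code from the answer or from the original post. It runs the answer's combined pattern over two constructed syslog lines using Python's `(?P<name>...)` named-group syntax, with the username class written as `[a-zA-Z0-9._-]`. It also shows two things the answer's own prose only hints at: why the hyphen position in the class matters (as a range, `\.-_` spans every character from `.` to `_`, so `/`, `:`, `@` and `\` slip through), and how to reject the 999.999.999.999 case that the IPv4 pattern accepts. The sample lines, the `jane_doe-2` user and the `ipaddress` validation step are my additions.

```python
import ipaddress
import re

# Constructed sample lines (not from the original post). The first mirrors the
# questioner's log shape; the second carries an out-of-range "IPv4" address so
# the validation step has something to reject.
SAMPLE_LINES = [
    "Mar 25 18:02:51 2022 192.168.1.1 stm[6358]: <501199> <NOTI> AP:AP01 "
    "User authenticated, mac-aa:bb:cc:dd:ee, username-my.username, "
    "IP-192.168.250.100, method-802.1x, role-blahblah",
    "Mar 25 18:03:10 2022 192.168.1.1 stm[6358]: <501199> <NOTI> AP:AP01 "
    "User authenticated, mac-aa:bb:cc:dd:ef, username-jane_doe-2, "
    "IP-999.999.999.999, method-802.1x, role-guest",
]

# The answer's pattern with Python's (?P<name>...) group syntax; the hyphen
# sits last in the character class so it is a literal "-" rather than a range.
COMBINED = re.compile(
    r"username-(?P<username>[a-zA-Z0-9._-]*),"
    r".*IP-(?P<ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3}),"
)

# Written as [a-zA-Z0-9\.-_] the class contains the range "\.-_", i.e. every
# character from "." (0x2E) through "_" (0x5F), which includes "/", ":", "@",
# "[", "\" and "^". The corrected class accepts only the intended characters.
RANGE_CLASS = re.compile(r"^[a-zA-Z0-9\.-_]+$")
FIXED_CLASS = re.compile(r"^[a-zA-Z0-9._-]+$")


def accepted_by(pattern, text):
    """True when the whole of `text` is made of characters the class allows."""
    return pattern.search(text) is not None


def extract(line):
    """Return (username, ip) from one line, or None if either field is absent."""
    m = COMBINED.search(line)
    if m is None:
        return None
    return m.group("username"), m.group("ip")


def extract_validated(line):
    """Like extract(), but drop matches whose octets exceed 255.

    The regex bounds each octet to 1-3 digits only; ipaddress does the real
    range check so a malformed address never reaches the user-to-IP mapping.
    """
    found = extract(line)
    if found is None:
        return None
    username, ip = found
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return username, ip


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract(line), "->", extract_validated(line))
    print("range class accepts 'my:user/name':", accepted_by(RANGE_CLASS, "my:user/name"))
    print("fixed class accepts 'my:user/name':", accepted_by(FIXED_CLASS, "my:user/name"))
```

Running the script prints the raw match for both lines but a validated result only for the first; the second line's 999.999.999.999 is rejected by `ipaddress`, and the comparison of the two character classes shows the range version accepting `:` and `/` inside a username.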

That should do the trick:

(?<=username-)(\w+\.\w+).*?IP-((\d{1,3}\.){3}(\d{1,3}))

The username is in your first capturing group and the IP in the second. Note that this will only work with IPv4 addresses.


Explanation:

(?<=username-)(\w+\.\w+).*?IP-((\d{1,3}\.){3}(\d{1,3}))
(?<=         )                                          #positive lookbehind
    username-                                           #matches text "username-"
              (        )                                #capturing group 1
               \w+\.\w+                                 #matches any word character between 1 and infinity, followed by a dot "." followed by any word character
                        .*?                             #matches any character between 0 and infinity, non greedy
                           IP-                          #matches the string "IP-"
                              (                       ) #second capturing group
                               (\d{1,3}\.)              # matches any digit between 1 to 3 times, followed by a dot "."
                                          {3}           #quantifies previous match 3 times
                                             (\d{1,3})  #matches any digit between 1 to 3 times

Edit: After clarification, it seems that it was asked for two separate regular expressions. This is possible with very minor modification of the existing regular expression:

username:

(?<=username-)(\w+\.\w+)

IP address:

(?<=IP-)((\d{1,3}\.){3}(\d{1,3}))
mashuptwice
  • I like the indented format of your explanation. I've not seen that before. – Cary Swoveland Mar 25 '22 at 19:41
  • @CarySwoveland nice to hear that a SO veteran likes it! I think it makes it much easier for newbies to understand the regular expression. – mashuptwice Mar 25 '22 at 20:16
  • Thank you! In fact I need two separate REGEX. One for username and another for IP address. To the username it must be added a prefix so the match ends up like this: MYPREFIX\my.username – FM86 Mar 25 '22 at 23:27
  • I wasn't clear :). This is to be used on a Firewall that allows us, via Syslog, to map usernames and IPs. It uses 1 regex to match the username and another regex to match the IP. – FM86 Mar 25 '22 at 23:30
  • @mashuptwice, almost there. In fact your regex matches the username and the IP but there are two things that should be done as I originally described. The regex should validate if the phrase "User authenticated" exists. And only if it exists it should match the username. The same for the IP regex. Still, regarding the username, we should prepend a string to the username so we end with a username like MYSTRING\my.username – FM86 Mar 26 '22 at 00:02

As described, this was to be used with a Palo Alto Firewall.

Final Solution:

Event Regex: User authenticated

Username Regex: (?<=username-)\w*[-._]?\w+

IP Regex: (?<=IP-)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

Thanks everybody!

FM86
  • Please use the appropriate code tags to avoid special symbols being interpreted by the browser. Also, the next time you are asking a question on SE please add enough detailed information, including information about the circumstances surrounding your question, to ensure that others can provide an adequate answer right from the beginning. – mashuptwice Mar 26 '22 at 21:02
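An added example, not code from the answers or from the Palo Alto product, showing how the two lookbehind regexes from mashuptwice's edited answer and the three-pattern final solution fit together: the event regex gates the line, and only then are the username and address extracted, with the dots in the IP pattern escaped. The prefix is applied in code here to produce the `MYPREPENDSTRING\my.username` form the question asks for (on PAN-OS the comments above say the domain prefix is added by the firewall itself). The constructed log lines, the `PREFIX` value and the refusal to map a user when the address field is missing are my assumptions.

```python
import re

# The three patterns from the final solution. Python's re supports these
# fixed-width lookbehinds unchanged; note the escaped dots in the IP pattern,
# since an unescaped "." would match any character between the octets.
EVENT_RE = re.compile(r"User authenticated")
USERNAME_RE = re.compile(r"(?<=username-)\w*[-._]?\w+")
IP_RE = re.compile(r"(?<=IP-)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

PREFIX = "MYPREPENDSTRING"  # placeholder for the questioner's prepend string

# Constructed sample lines (not from the original post): a successful
# authentication, a de-authentication that the event regex must ignore, and an
# authentication line with no IP- field.
SAMPLE_LOG = [
    "Mar 25 18:02:51 2022 192.168.1.1 stm[6358]: <501199> <NOTI> AP:AP01 "
    "User authenticated, mac-aa:bb:cc:dd:ee, username-my.username, "
    "IP-192.168.250.100, method-802.1x, role-blahblah",
    "Mar 25 18:05:00 2022 192.168.1.1 stm[6358]: <501200> <NOTI> AP:AP01 "
    "User deauthenticated, mac-aa:bb:cc:dd:ee, username-my.username, "
    "IP-192.168.250.100, method-802.1x, role-blahblah",
    "Mar 25 18:06:30 2022 192.168.1.1 stm[6358]: <501199> <NOTI> AP:AP01 "
    "User authenticated, mac-aa:bb:cc:dd:ef, username-jane_doe, "
    "method-802.1x, role-guest",
]


def map_user_to_ip(line):
    """Return (prefixed_username, ip) for an authentication event, else None."""
    # Gate on the event text first, exactly as the Event Regex does on the
    # firewall: lines for other events are never parsed for user or IP.
    if EVENT_RE.search(line) is None:
        return None
    user = USERNAME_RE.search(line)
    ip = IP_RE.search(line)
    if user is None or ip is None:
        # An incomplete event must not create a half-formed mapping.
        return None
    return f"{PREFIX}\\{user.group(0)}", ip.group(0)


def build_mapping(lines):
    """Collect an ip -> prefixed username table from a batch of syslog lines."""
    mapping = {}
    for line in lines:
        result = map_user_to_ip(line)
        if result is not None:
            username, ip = result
            mapping[ip] = username
    return mapping


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(map_user_to_ip(line))
    print(build_mapping(SAMPLE_LOG))
```

Only the first line yields a mapping; the de-authentication is filtered by the event regex and the line without an IP- field is dropped rather than mapped to an empty address.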