I need some help creating a special Match Expression within the logmon probe (I am very new in regular expressions):
I'm trying to parse a reg file (Windows registry export) for a string. If the string is NOT in the file, an alarm should appear.
For example: The content of the reg file could be like
This is just a registry file example--------------------------------------
"MyKey" = "22222222"
I created the following regular expression (with help of http://regexr.com/): /^((?!MyKey)[\s\S])*.$/
On the mentioned website the regular expression works fine - Removing one character from MyKey => match
But if I enter the expression in the "Match Expression" field and restart the probe, no alarm shows up.
Does anyone have an idea why no alarm comes up?
Hope, someone has an idea/hint ...
Logmon works on individual "lines" and not a whole file. As such, I would have expected that you would have gotten four hits on your sample file (it's 5 lines long and only one has the string).
Your first step is to set up the format tab such that the registry file looks like a single line. Essentially you need a marker that's at the beginning and end of the file. It's not clear how you are generating your registry file, but you could change that process such that it copies some text to the beginning and end of the file that you could use.
As an alternative, since you have to be generating this registry file some way, why not use that process to pare the file down some more or to actually include the logic you are looking for and have that process just leave a simple file behind containing FOUND or NOTFOUND for instance.
Regardless I think that your regex is good but that the rest of the logmon setup might be in question.
And for regex, I like regexpal.com - the old site.
Sorry for the late response. I was ill and not in the office.
One attempt was creating the registry file by a simple export via the command regedit /E.
Problem: the multiple lines in the file that have to be checked for the search string. It works fine in regexr.com, but not (as you figured out) in the logmon probe.
Another attempt was using a REG QUERY and parse the result for the search string - same problem.
Finally I chose your idea/alternative: I exported the needed registry key via the regedit /E command to a file and used a simple batch to search for the needed string. Depending on whether the string was found or not, the batch file generates a "result" file with only one entry: FOUND or NOTFOUND.
Now logmon is able to parse the newly generated file in cat mode for NOTFOUND and generate an alarm.
Not a nice solution, but it works.
Thanks a lot for the hint.
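A batch file of the kind described in the post above, written here as an added example and not the poster's actual script: the key path, search string and file locations are assumed. It uses `reg export` instead of `regedit /E` so the exit code can be checked, and writes a third state (EXPORTFAILED) when the export itself fails, which the logmon profile would need a second watcher for.

```batch
@echo off
REM check_regkey.cmd - export a registry key and leave a one-line
REM FOUND / NOTFOUND / EXPORTFAILED file for logmon to read in cat mode.
REM Assumed values (not from the thread): key path, search string, file paths.
setlocal
set "KEY=HKLM\SOFTWARE\ExampleVendor\ExampleApp"
set "NEEDLE=MyKey"
set "EXPORT=C:\Monitoring\export.reg"
set "RESULT=C:\Monitoring\result.txt"
set "TMP_RESULT=%RESULT%.tmp"

REM reg export writes the key and its subkeys to a .reg file; /y overwrites silently.
reg export "%KEY%" "%EXPORT%" /y >nul 2>&1
if errorlevel 1 (
    REM Key missing or access denied: report a distinct state so the monitor can
    REM tell "string absent" apart from "could not check".
    >"%TMP_RESULT%" echo EXPORTFAILED
    move /y "%TMP_RESULT%" "%RESULT%" >nul
    exit /b 2
)

REM .reg exports are UTF-16LE; piping through TYPE converts them so FINDSTR matches.
REM /C: treats the needle as a literal string, /I ignores case.
REM After a pipe, ERRORLEVEL reflects the last command (findstr): 0 = matched.
type "%EXPORT%" | findstr /I /C:"%NEEDLE%" >nul
if errorlevel 1 (
    >"%TMP_RESULT%" echo NOTFOUND
) else (
    >"%TMP_RESULT%" echo FOUND
)

REM Write to a temp file and rename, so logmon never reads a half-written result.
move /y "%TMP_RESULT%" "%RESULT%" >nul
del "%EXPORT%" >nul 2>&1
endlocal
```

Schedule the script slightly ahead of the logmon profile's check interval so the result file is always fresher than the last read.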
Glad to hear you were successful.
And in your shoes, I'd reconsider the solution as something other than not nice. There are plenty of monitoring products out there that rigidly define what can and can't be done. UIM via the logmon probe gives you the facility to essentially do anything so long as you can script it. And the ability to create your own packages makes the extra work of distributing the script irrelevant.
It's a powerful combination.