C# SysLog RFC5424的正则表达式
我正在编写一个SysLog服务器,我的程序在其中接收RFC5424格式的消息 我的程序必须解析消息并存储值 我有一个正则表达式,它无法解析消息 正则表达式有问题。我对正则表达式不熟悉 谢谢你的帮助C# SysLog RFC5424的正则表达式,c#,syslog,rfc,C#,Syslog,Rfc,我正在编写一个SysLog服务器,我的程序在其中接收RFC5424格式的消息 我的程序必须解析消息并存储值 我有一个正则表达式,它无法解析消息 正则表达式有问题。我对正则表达式不熟悉 谢谢你的帮助 public static void Main() { string RFC5424Format = @"(\<(?<PRI>\d+)\>(?<VERSION>\d+)?)? \ * (?<TIMESTAMP> ( (?<Y
public static void Main()
{
string RFC5424Format = @"(\<(?<PRI>\d+)\>(?<VERSION>\d+)?)? \ * (?<TIMESTAMP> ( (?<YEAR>\d+) - (?<MONTH>\d+) - (?<DAY>\d+) ) T+ (?<HOUR>\d+): (?<MINUTE>\d+): (?<SECOND>\d+) (\.(?<MILLISECONDS>\d+))? (?<OFFSET>Z|(\+|\-)\d+:\d+)? ) \ (?<HOSTNAME>[\w!-~]+) \ (?<APPNAME>[\w!-~]+) \ (?<PROCID>[\w!-~]+) \ (?<MSGID>[\w!-~]+) \ (?<SD>-|(\[.*\])) \ ?(?<MESSAGE>.*)?";
Regex rfc5424 = new Regex("^" + RFC5424Format + "$", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.IgnorePatternWhitespace);
string input = "< 38 > 1 2018 - 03 - 01T16: 05:51.799465 + 05:30 AAEINBLR07229L Source_UDP - -\n ??? MessageContent_Via_UDP - 5424";
Match m = rfc5424.Match(input);
if (m.Success)
{
Console.WriteLine("Regex is fine");
}
else
{
Console.WriteLine("Problem in Regex");
}
}
publicstaticvoidmain()
{
字符串RFC5424Format=@“(\(?\d+)?*(?(?\d+)-(?\d+)(?\d+):(?\d+)(?\d+)(?\d+)(?\d+)(?\Z+(\+)\d+:\d+)\(?[\w!-~+)\(?[\w!-~++)\(?[\w!-~+)\(?[\w!-~+)\)\(?[\w!-~+)\)\(?[\w!--+])+)\(?)+)\((?[\w!--)+)+)\(?);
Regex rfc5424=新的Regex(“^”+rfc5424格式+“$”,RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.IgnorePatternWhitespace);
字符串输入=“<38>1 2018-03-01T16:05:51.799465+05:30 AAEINBLR07229L源\u UDP---\n???消息内容\u通过\u UDP-5424”;
匹配m=rfc5424.匹配(输入);
如果(m.成功)
{
Console.WriteLine(“正则表达式很好”);
}
其他的
{
Console.WriteLine(“Regex中的问题”);
}
}
\< *(?<PRI>\d+) *\> *(?<VERSION>\d+)? *(?<YEAR>\d+) - (?<MONTH>\d+) - (?<DAY>\d+)T(?<HOUR>\d+): *(?<MINUTE>\d+):(?<SECOND>\d+)\.(?<MILLISECONDS>\d+) *\+ *(?<OFFSET>\d+:\d+) *(?<HOSTNAME>\b\w+\b) *(?<SOURCE>\b\w+\b)
\<*(?\d+)*\>*(?\d+)*(?\d+)-(?\d+)-(?\d+)T(?\d+):(?\d+):(?\d+*\++*(?\d+:\d+)*(?\b\w++\b)*(?\b\w++\b)
我总是发现在调试正则表达式问题时很有帮助。慢慢来,一步一步来。让我知道结果如何 正则表达式总是需要大量的思考和测试才能正确使用。我没有时间把它全部修好,但我可以告诉你,你几乎走上了正确的轨道。我已经重写并测试了部分正则表达式(没有锚定),并将其包含在此处以供参考:
\< *(?<PRI>\d+) *\> *(?<VERSION>\d+)? *(?<YEAR>\d+) - (?<MONTH>\d+) - (?<DAY>\d+)T(?<HOUR>\d+): *(?<MINUTE>\d+):(?<SECOND>\d+)\.(?<MILLISECONDS>\d+) *\+ *(?<OFFSET>\d+:\d+) *(?<HOSTNAME>\b\w+\b) *(?<SOURCE>\b\w+\b)
\<*(?\d+)*\>*(?\d+)*(?\d+)-(?\d+)-(?\d+)T(?\d+):(?\d+):(?\d+*\++*(?\d+:\d+)*(?\b\w++\b)*(?\b\w++\b)
我总是发现在调试正则表达式问题时很有帮助。慢慢来,一步一步来。让我知道结果如何 我最近才遇到这个问题。根据,Syslog消息应采用以下格式:标头SP STRUCTURED-DATA[SP MSG],其中SP是一个空格字符,括号表示数据是可选的。话虽如此,我发现将消息分解为三个独立的正则表达式模式,然后在实例化对象进行比较时将它们组合起来更容易 这是我的示例类。我希望有帮助
public class SyslogMessage
{
private static readonly string _SyslogMsgHeaderPattern = @"\<(?<PRIVAL>\d{1,3})\>(?<VERSION>[1-9]{0,2}) (?<TIMESTAMP>(\S|\w)+) (?<HOSTNAME>-|(\S|\w){1,255}) (?<APPNAME>-|(\S|\w){1,48}) (?<PROCID>-|(\S|\w){1,128}) (?<MSGID>-|(\S|\w){1,32})";
private static readonly string _SyslogMsgStructuredDataPattern = @"(?<STRUCTUREDDATA>-|\[[^\[\=\x22\]\x20]{1,32}( ([^\[\=\x22\]\x20]{1,32}=\x22.+\x22))?\])";
private static readonly string _SyslogMsgMessagePattern = @"( (?<MESSAGE>.+))?";
private static Regex _Expression = new Regex($@"^{_SyslogMsgHeaderPattern} {_SyslogMsgStructuredDataPattern}{_SyslogMsgMessagePattern}$", RegexOptions.None, new TimeSpan(0, 0, 5));
public int Prival { get; private set; }
public int Version { get; private set; }
public DateTime TimeStamp { get; private set; }
public string HostName { get; private set; }
public string AppName { get; private set; }
public string ProcId { get; private set; }
public string MessageId { get; private set; }
public string StructuredData { get; private set; }
public string Message { get; private set; }
public string RawMessage { get; private set; }
/// <summary>
/// Parses a Syslog message in RFC 5424 format.
/// </summary>
/// <exception cref="FormatException"></exception>
/// <exception cref="OverflowException"></exception>
/// <exception cref="ArgumentNullException"></exception>
/// <exception cref="InvalidOperationException"></exception>
public static SyslogMessage Parse(string rawMessage)
{
if (string.IsNullOrWhiteSpace(rawMessage)) { throw new ArgumentNullException("message"); }
var match = _Expression.Match(rawMessage);
if (match.Success)
{
return new SyslogMessage
{
Prival = Convert.ToInt32(match.Groups["PRIVAL"].Value),
Version = Convert.ToInt32(match.Groups["VERSION"].Value),
TimeStamp = Convert.ToDateTime(match.Groups["TIMESTAMP"].Value),
HostName = match.Groups["HOSTNAME"].Value,
AppName = match.Groups["APPNAME"].Value,
ProcId = match.Groups["PROCID"].Value,
MessageId = match.Groups["MSGID"].Value,
StructuredData = match.Groups["STRUCTUREDDATA"].Value,
Message = match.Groups["MESSAGE"].Value,
RawMessage = rawMessage
};
}
else { throw new InvalidOperationException("Invalid message."); }
}
public override string ToString()
{
var message = new StringBuilder($@"<{Prival:###}>{Version:##} {TimeStamp.ToString("yyyy-MM-ddTHH:mm:ss.fffK")} {HostName} {AppName} {ProcId} {MessageId} {StructuredData}");
if (!string.IsNullOrWhiteSpace(Message))
{
message.Append($" {Message}");
}
return message.ToString();
}
}
公共类SyslogMessage
{
私有静态只读字符串(u SyslogMsgHeaderPattern=@“\(?[1-9]{0,2})(?(\S|\w)+)(?-|(\S|\w){1255})(?-|(\S|\w){1,48})(?-|(\S|\w){1128})(?-|(\S|\w){1,32})”;
私有静态只读字符串(syslogmsgsstructuredatapattern=@“(?-| \[^\[\[\=\x22\]\x20]{1,32}([^\[\=\x22\]\x20]{1,32}=\x22.+\x22])?\];
私有静态只读字符串_SyslogMsgMessagePattern=@“((?。+))?”;
私有静态正则表达式=新正则表达式($@“{{u SyslogMsgHeaderPattern}{u syslogmsgsstructuredatapattern}{{u SyslogMsgMessagePattern}$”,RegexOptions.None,新时间跨度(0,0,5));
public int privatal{get;private set;}
公共int版本{get;private set;}
公共日期时间时间戳{get;private set;}
公共字符串主机名{get;private set;}
公共字符串AppName{get;private set;}
公共字符串ProcId{get;private set;}
公共字符串MessageId{get;private set;}
公共字符串结构数据{get;private set;}
公共字符串消息{get;private set;}
公共字符串消息{get;private set;}
///
///解析RFC 5424格式的系统日志消息。
///
///
///
///
///
公共静态SyslogMessage解析(字符串rawMessage)
{
if(string.IsNullOrWhiteSpace(rawMessage)){抛出新的ArgumentNullException(“message”);}
var match=_Expression.match(rawMessage);
如果(匹配成功)
{
返回新的SyslogMessage
{
Prival=Convert.ToInt32(匹配.Groups[“Prival”].Value),
Version=Convert.ToInt32(匹配.Groups[“Version”].Value),
TimeStamp=Convert.ToDateTime(匹配.Groups[“TimeStamp”].Value),
主机名=匹配。组[“主机名”]。值,
AppName=match.Groups[“AppName”]。值,
ProcId=match.Groups[“ProcId”].Value,
MessageId=match.Groups[“MSGID”].Value,
StructuredData=match.Groups[“StructuredData”].Value,
消息=匹配。组[“消息”]。值,
RawMessage=RawMessage
};
}
else{抛出新的InvalidOperationException(“无效消息”);}
}
公共重写字符串ToString()
{
var message=newstringbuilder($@“{Version:##}{TimeStamp.ToString(“yyyy-MM-ddTHH:MM:ss.fffK”)}{HostName}{AppName}{ProcId}{MessageId}{StructuredData}”);
如果(!string.IsNullOrWhiteSpace(消息))
{
message.Append($“{message}”);
}
返回消息.ToString();
}
}
public class SyslogMessage
{
private static readonly string _SyslogMsgHeaderPattern = @"\<(?<PRIVAL>\d{1,3})\>(?<VERSION>[1-9]{0,2}) (?<TIMESTAMP>(\S|\w)+) (?<HOSTNAME>-|(\S|\w){1,255}) (?<APPNAME>-|(\S|\w){1,48}) (?<PROCID>-|(\S|\w){1,128}) (?<MSGID>-|(\S|\w){1,32})";
private static readonly string _SyslogMsgStructuredDataPattern = @"(?<STRUCTUREDDATA>-|\[[^\[\=\x22\]\x20]{1,32}( ([^\[\=\x22\]\x20]{1,32}=\x22.+\x22))?\])";
private static readonly string _SyslogMsgMessagePattern = @"( (?<MESSAGE>.+))?";
private static Regex _Expression = new Regex($@"^{_SyslogMsgHeaderPattern} {_SyslogMsgStructuredDataPattern}{_SyslogMsgMessagePattern}$", RegexOptions.None, new TimeSpan(0, 0, 5));
public int Prival { get; private set; }
public int Version { get; private set; }
public DateTime TimeStamp { get; private set; }
public string HostName { get; private set; }
public string AppName { get; private set; }
public string ProcId { get; private set; }
public string MessageId { get; private set; }
public string StructuredData { get; private set; }
public string Message { get; private set; }
public string RawMessage { get; private set; }
/// <summary>
/// Parses a Syslog message in RFC 5424 format.
/// </summary>
/// <exception cref="FormatException"></exception>
/// <exception cref="OverflowException"></exception>
/// <exception cref="ArgumentNullException"></exception>
/// <exception cref="InvalidOperationException"></exception>
public static SyslogMessage Parse(string rawMessage)
{
if (string.IsNullOrWhiteSpace(rawMessage)) { throw new ArgumentNullException("message"); }
var match = _Expression.Match(rawMessage);
if (match.Success)
{
return new SyslogMessage
{
Prival = Convert.ToInt32(match.Groups["PRIVAL"].Value),
Version = Convert.ToInt32(match.Groups["VERSION"].Value),
TimeStamp = Convert.ToDateTime(match.Groups["TIMESTAMP"].Value),
HostName = match.Groups["HOSTNAME"].Value,
AppName = match.Groups["APPNAME"].Value,
ProcId = match.Groups["PROCID"].Value,
MessageId = match.Groups["MSGID"].Value,
StructuredData = match.Groups["STRUCTUREDDATA"].Value,
Message = match.Groups["MESSAGE"].Value,
RawMessage = rawMessage
};
}
else { throw new InvalidOperationException("Invalid message."); }
}
public override string ToString()
{
var message = new StringBuilder($@"<{Prival:###}>{Version:##} {TimeStamp.ToString("yyyy-MM-ddTHH:mm:ss.fffK")} {HostName} {AppName} {ProcId} {MessageId} {StructuredData}");
if (!string.IsNullOrWhiteSpace(Message))
{
message.Append($" {Message}");
}
return message.ToString();
}
}
公共类SyslogMessage
{
私有静态只读字符串(u SyslogMsgHeaderPattern=@“\(?[1-9]{0,2})(?(\S|\w)+)(?-|(\S|\w){1255})(?-|(\S|\w){1,48})(?-|(\S|\w){1128})(?-|(\S|\w){1,32})”;
私有静态只读