Regex 要匹配NGinx日志文件的正则表达式
我正在尝试编写一个正则表达式来检测NGinx中的日志条目 以下是应与表达式匹配的条目列表:Regex 要匹配NGinx日志文件的正则表达式,regex,linux,Regex,Linux,我正在尝试编写一个正则表达式来检测NGinx中的日志条目 以下是应与表达式匹配的条目列表: 7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa3 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 34489 5 0.073 7.7.7.7 - - [28/Mar/2019
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa3 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 34489 5 0.073
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa1 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 33339 5 0.091
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa4 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 21907 5 0.076
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaab HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 19671 5 0.159
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa2 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 15359 5 0.104
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa5 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 35095 5 0.084
1.1.1.1 - - [28/Mar/2019:13:58:55 +0000] "GET /pro/p/id/63aaaaaaaaa8/4.4.4.4/YL0000000000.rom HTTP/1.1" "-" "Yealink W52P 25.81.0.10 00:15:aa:aa:aa:f9" 404 - 1 5 0.137
2.2.2.2 - - [28/Mar/2019:13:58:56 +0000] "GET /pro/p/id/67aaaaaaaaa0/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.128
3.3.3.3 - - [28/Mar/2019:13:59:00 +0000] "GET /pro/p/id/67aaaaaaa750/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.131
以下是不应与表达式匹配的条目列表:
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa3 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 34489 5 0.073
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa1 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 33339 5 0.091
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa4 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 21907 5 0.076
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaab HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 19671 5 0.159
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa2 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 15359 5 0.104
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa5 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 35095 5 0.084
1.1.1.1 - - [28/Mar/2019:13:58:55 +0000] "GET /pro/p/id/63aaaaaaaaa8/4.4.4.4/YL0000000000.rom HTTP/1.1" "-" "Yealink W52P 25.81.0.10 00:15:aa:aa:aa:f9" 404 - 1 5 0.137
2.2.2.2 - - [28/Mar/2019:13:58:56 +0000] "GET /pro/p/id/67aaaaaaaaa0/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.128
3.3.3.3 - - [28/Mar/2019:13:59:00 +0000] "GET /pro/p/id/67aaaaaaa750/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.131
我试图排除包含以下字符串之一的行:Polycom、Yealink、Snom
我目前的正则表达式如下:
^([0-9]+\.[0-9]+\.[0-9]+.[0-9]+-\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}:\d{2}\+\d{4}\][GET\/pro p((?!Polycom | Snom | yearlink)。+)(?:403 404 404
编辑:在这个正则表达式中增加了一个额外的要求-还需要匹配这些行的403/404状态
但是,这不能正常工作,并且会产生误报。请尝试正则表达式:(?!*(Polycom | Snom | yeallink))^([0-9]+\.[0-9]+\.[0-9]+.[0-9]+-\[(\d{2}\/\w{3}/\d{4}:\d{2}:\d{2}:\d{d{2}:\d{d{4}>
试试这个Perl解决方案
perl -ne ' /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(\d{2})\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\] \"GET \/pro\/p(?!.*(Polycom|Snom|Yealink))/ms and print ' file
使用以下输入
$ cat btong.log
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa3 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 34489 5 0.073
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa1 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 33339 5 0.091
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa4 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 21907 5 0.076
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaab HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 19671 5 0.159
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa2 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 15359 5 0.104
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa5 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 35095 5 0.084
1.1.1.1 - - [28/Mar/2019:13:58:55 +0000] "GET /pro/p/id/63aaaaaaaaa8/4.4.4.4/YL0000000000.rom HTTP/1.1" "-" "Yealink W52P 25.81.0.10 00:15:aa:aa:aa:f9" 404 - 1 5 0.137
2.2.2.2 - - [28/Mar/2019:13:58:56 +0000] "GET /pro/p/id/67aaaaaaaaa0/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.128
3.3.3.3 - - [28/Mar/2019:13:59:00 +0000] "GET /pro/p/id/67aaaaaaa750/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.131
$ perl -ne ' /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(\d{2})\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\] \"GET \/pro\/p(?!.*(Polycom|Snom|Yealink))/ms and print ' btong.log
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa3 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 34489 5 0.073
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa1 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 33339 5 0.091
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa4 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 21907 5 0.076
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaab HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 19671 5 0.159
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa2 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 15359 5 0.104
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa5 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 35095 5 0.084
$
在我的原始帖子中我应该更清楚-我也需要匹配我的正则表达式中的其他位,因为它将阻止误报。我还需要捕获IPEx。不幸的是,我必须使用正则表达式,因为这将用于failregex
指令中的fail2ban。不过,我大概可以传输正则表达式逻辑?我只是注意到我忽略了原始请求中的一些内容-我需要匹配日志中的403/404状态-我如何添加此内容?看起来您现在正在更改问题。。你能更新一下吗