Regular Expressions Named Groups Problem

Ben Dewey

Hey,

I have only been playing with regular expressions for some time. I am
working on some code that parses an object 560 event log. I have created
two expressions; the first one, which works okay, is for the actual csv of each
log. The second one parses out the description of the log. My problem is
with the accesses section of the description.

How do I parse multiple groups that have the same name? When I do a for
each through the groups I get the first value for each.

Snippet:
-----------------------------------------------
expression:
Accesses:\t(?:(?<accesses>.+)\s+)+?^(?: \t)

log section:
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges: -

I would like to do something like

Match m = Regex.Match(log, expression);
foreach(string access in m.Groups["accesses"])
{
//write that access
}


Is this possible?

PS. I am using "The Regulator" for testing and it is successfully parsing
the Accesses into groups.

Also, I have tried:
Match m = Regex.Match(log, expression);
foreach(string access in m.Groups)
{
// write access
}

It successfully matches 5 groups but they are all equal to READ_CONTROL.
 
Wes

Hello Ben,

try:
foreach(Match m in Regex.Matches(log, expression))
{
string access = m.Groups["accesses"].Value;
//write that access
}

Note: I have compiled or tested this it is from the top of my head.

HTH
Wes Haggard
http://weblogs.asp.net/whaggard/
 
Ben Dewey

The problem with that is that it won't work for the entire log
description...

Object Open:
Object Server: Security
Object Type: File
Object Name: D:\folder1\folder2\line-end.gif
Handle ID: 1504
Operation ID: {0,573337772}
Process ID: 9532
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: user1
Client Domain: DOMAIN1
Client Logon ID: (0x0,0x222C6B1A)
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120089

This entire expression is supposed to return all the values plus an array of
values for Accesses.

[\w ]+:\s+Object\ Server:\t(?<server>\w+)\s+Object\ Type:\t(?<type>\w+)\s+Object\ Name:\t(?<name>.[^\r\n]+)\s+Handle\ ID:\t(?<handleId>\d+)\s+Operation\ ID:\t(?<operationId>[\d{},]+)\s+Process\ ID:\t(?<processId>\d+)\s+Image\ File\ Name:\t(?<imageFileName>\w+)?\s+Primary\ User\ Name:\t(?<primaryUserName>.[^\r\n]+)\s+Primary\ Domain:\t(?<primaryDomain>\w+)\s+Primary\ Logon\ ID:\t(?<primaryLogonID>[\d(),A-Fa-fx]+)\s+Client\ User\ Name:\t(?<clientUserName>[\w _-]+)\s+Client\ Domain:\t(?<clientDomain>[\w _-]+)\s+Client\ Logon\ ID:\t(?<clientLogonId>[\d(),A-Fa-fx]+)\s+Accesses:\t(?:(?<accesses>.+)\s+)+?^(?: \t)\s+Privileges:\t(?<privileges>[\w -_]+)\s+Restricted\ Sid\ Count:\t(?<restrictedSidCount>\d+)\s+Access\ Mask:\t(?<accessMask>[\dx]+)



 
Ben Dewey

For anyone trying to parse the event log for an object of type 560, here is
the entire expression. I am using this expression to parse an event log
entry in order to track a user's access to files and folders. The expression
works; I am still trying to figure out the best way to get the values using
.NET (i.e. get the array for the accesses section).


log
(?<date>[\d/]+),(?<time>[\d: APM]+),(?<type>\w+),(?<auditType>[\w ]+),(?<accessType>[\w ]+),(?<eventId>\d+),(?<user>[\w \\]+),(?<machine>[\w- ]+),"(?<description>.[^"]+)"


description
[\w ]+:\s+Object\ Server:\t(?<server>\w+)\s+Object\ Type:\t(?<type>\w+)\s+Object\ Name:\t(?<name>.[^\r\n]+)\s+Handle\ ID:\t(?<handleId>\d+)\s+Operation\ ID:\t(?<operationId>[\d{},]+)\s+Process\ ID:\t(?<processId>\d+)\s+Image\ File\ Name:\t(?<imageFileName>\w+)?\s+Primary\ User\ Name:\t(?<primaryUserName>.[^\r\n]+)\s+Primary\ Domain:\t(?<primaryDomain>\w+)\s+Primary\ Logon\ ID:\t(?<primaryLogonID>[\d(),A-Fa-fx]+)\s+Client\ User\ Name:\t(?<clientUserName>[\w _-]+)\s+Client\ Domain:\t(?<clientDomain>[\w _-]+)\s+Client\ Logon\ ID:\t(?<clientLogonId>[\d(),A-Fa-fx]+)\s+Accesses:\t(?:(?<accesses>.+)\s+)+?^(?: \t)\s+Privileges:\t(?<privileges>[\w -_]+)\s+Restricted\ Sid\ Count:\t(?<restrictedSidCount>\d+)\s+Access\ Mask:\t(?<accessMask>[\dx]+)



 
Wes

Hello Ben,

Isn't there some way to use the EventLog class in the .NET Framework to do what you are trying to do?

HTH
Wes Haggard
http://weblogs.asp.net/whaggard/
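
What the question in this thread needs is `Group.Captures`: in .NET a named group inside a repeated construct keeps every value it matched in its `Captures` collection, while `Value` returns only a single one. The code below is an added example, not code from any poster; it uses a simplified pattern written for this illustration, and it cross-checks the parsed names against the logged Access Mask using the standard Windows file access-right bits. The sample text and its tab layout are constructed from the log section quoted in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class Event560Accesses
{
    // Simplified pattern written for this example (not the thread's expression).
    // The named group sits inside (?: ... )+ so every line adds one Capture.
    static readonly Regex Rx = new Regex(
        @"Accesses:(?:[ \t]+(?<accesses>\S[^\r\n]*?)[ \t]*\r?\n)+" +
        @"(?:[^\r\n]*\r?\n)*?Access Mask:[ \t]*0x(?<mask>[0-9A-Fa-f]+)",
        RegexOptions.None, TimeSpan.FromSeconds(1)); // timeout bounds backtracking on odd input

    // Standard Windows file access-right bits for the names in the sample.
    static readonly Dictionary<string, uint> Bits = new Dictionary<string, uint>
    {
        { "READ_CONTROL", 0x20000 }, { "SYNCHRONIZE", 0x100000 },
        { "ReadData (or ListDirectory)", 0x1 }, { "ReadEA", 0x8 }, { "ReadAttributes", 0x80 },
    };

    // Constructed sample based on the thread's log section; tab layout is assumed.
    const string Sample =
        "Accesses:\tREAD_CONTROL\r\n\t\tSYNCHRONIZE\r\n" +
        "\t\tReadData (or ListDirectory)\r\n\t\tReadEA\r\n\t\tReadAttributes\r\n" +
        "\r\nPrivileges:\t-\r\nRestricted Sid Count:\t0\r\nAccess Mask:\t0x120089";

    static void Main()
    {
        Match m = Rx.Match(Sample);
        if (!m.Success) { Console.WriteLine("no Accesses section found"); return; }
        // Groups["accesses"].Value is one string (the last capture made);
        // Groups["accesses"].Captures holds one Capture per loop iteration.
        List<string> accesses = m.Groups["accesses"].Captures
            .Cast<Capture>().Select(c => c.Value).ToList();
        foreach (string access in accesses) Console.WriteLine(access);
        // Cross-check: OR the known bits and compare with the logged mask.
        // Unmapped names contribute 0 and therefore surface as a mismatch.
        uint logged = Convert.ToUInt32(m.Groups["mask"].Value, 16);
        uint derived = 0;
        foreach (string a in accesses) derived |= Bits.TryGetValue(a, out uint bit) ? bit : 0;
        Console.WriteLine($"parsed 0x{derived:X}, logged 0x{logged:X}, consistent: {derived == logged}");
    }
}
```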
