Today I wrote a bit of code with Kodos.
Aug 2 11:06:20 id=tos time="2010-08-02 11:03:49" fw=TopsecSH pri=6 type=ac recorder=FW-NAT src=192.167.10.112 dst=192.168.10.26 sport=123 dport=3000 smac=00:0d:60:80:e5:18 dmac=00:13:32:02:6d:0c proto=tcp indev=eth0 outdev=eth2 user= rule=accept connid=248943876 parentid=0 dpiid=0 natid=0 policyid=9957 msg="null"
Aug 2 11:06:23 id=tos time="2010-08-02 11:03:49" fw=TopsecSH pri=6 type=ac recorder=FW-NAT src=192.167.10.112 dst=192.168.10.26 sport=1795 dport=3000 smac=00:0d:60:80:e5:18 dmac=00:13:32:02:6d:0c proto=tcp indev=eth0 outdev=eth2 user= rule=accept connid=249157892 parentid=0 dpiid=0 natid=0 policyid=9957 msg="null"
Aug 2 11:06:23 id=tos time="2010-08-02 11:03:49" fw=TopsecSH pri=6 type=ac recorder=FW-NAT src=192.167.10.112 dst=192.168.10.26 sport=1799 dport=3000 smac=00:0d:60:80:e5:18 dmac=00:13:32:02:6d:0c proto=tcp indev=eth0 outdev=eth2 user= rule=accept connid=249069828 parentid=0 dpiid=0 natid=0 policyid=9957 msg="null"
The three lines above are event log entries; the pattern written for them is: (?P<time>\D+\d{1,2}\s+\d\d\:\d\d\:\d\d)\s+id=(?P<id>[^\s]+)\s+time=(?P<access_time>\"\d\d\d\d-\d\d-\d\d\s+\d\d\:\d\d\:\d\d\")\s+(?P<device_name>[^\s]+)\s+\S+\s+\S+\s+\S+\s+src=(?P<src_ip>\S+)\s+dst=(?P<dst_ip>\S+)\s+sport=(?P<src_port>\d+)\s+dport=(?P<dst_port>\d+)\s+.*
The test passed.
What I learned from this: when matching, only the content inside () is captured; (?P<name>...) labels the captured content; use \S+ for the parts you do not want to capture.
(?P<Date>\w\w\w\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<Name>[^\s]+)\s+(?P<data1>[^\s]+)\s+\d+\s+(?P<IPV4>\d+\.\d+\.\d+\.\d+)\s+\-\s+\-\s+(?P<Access_Time>.*])\s+\"(?P<Info>.*)\"\s+(?P<Status>\d+)\s+(?P<Length>.*)
Jul 1 09:11:19 xyqh-kbwvg2ut3n ApacheLog 0 220.181.125.45 - - [01/Jul/2011:09:11:18 +0800] "GET /list.php?catid=56&page=49 HTTP/1.1" 200 3779
Jul 1 09:11:19 xyqh-kbwvg2ut3n ApacheLog 0 112.111.147.158 - - [01/Jul/2011:09:10:56 +0800] "GET /uploadfile//soft//Setup_Midas.exe HTTP/1.1" 206 235462
Jul 1 09:11:22 xyqh-kbwvg2ut3n ApacheLog 0 124.115.0.141 - - [01/Jul/2011:09:11:21 +0800] "GET /list.php?catid=138&typeid=9 HTTP/1.1" 200 3933
Jul 1 09:11:22 xyqh-kbwvg2ut3n ApacheLog 0 112.111.147.158 - - [01/Jul/2011:09:10:56 +0800] "GET /uploadfile//soft//Setup_Midas.exe HTTP/1.1" 206 306215
Jul 1 09:11:22 xyqh-kbwvg2ut3n ApacheLog 0 124.115.0.141 - - [01/Jul/2011:09:11:21 +0800] "GET /data/config.js HTTP/1.1" 200 105
Jul 1 09:11:22 xyqh-kbwvg2ut3n ApacheLog 0 124.115.0.141 - - [01/Jul/2011:09:11:21 +0800] "GET /p_w_picpaths/js/login.js HTTP/1.1" 200 1061
Jul 1 09:11:22 xyqh-kbwvg2ut3n ApacheLog 0 124.115.0.141 - - [01/Jul/2011:09:11:21 +0800] "GET /p_w_picpaths/js/pageset.js HTTP/1.1" 200 52179
Jul 1 09:11:22 xyqh-kbwvg2ut3n ApacheLog 0 112.111.147.158 - - [01/Jul/2011:09:11:14 +0800] "GET /uploadfile//soft//Setup_Midas.exe HTTP/1.1" 206 174374
Reposted from: https://blog.51cto.com/richie/383300