Page 1 of 1
check_http regex
Posted: Tue Oct 08, 2019 3:25 pm
by igeoigeo
Hello,
I am looking of how to embed the regular expression that will match a pattern which is multiple times addressed. In other words, this should find only when this pattern is found more than once. Below is an example of a web page (xml), which shows twice the "c start", so I would like to know what is the regex in order to find it?
Code: Select all
<c start="11111" end="1111111" />
<c start="11111" end="222222222" />
</action>
<action
src="abc"
system="2222">
<param
name="trackID"
value="1"
valueType="data">
I know how to find it by using the following regex:
Code: Select all
<c\s+start=\"(?<start>[^\"]+)\"\s+end=\"(?<end>[^\"]+)\"\s+\/>
do you know how to embed it to the check_http plugin?
thank you.
Re: check_http regex
Posted: Tue Oct 08, 2019 3:46 pm
by scottwilkerson
This would do it. You need to
-l to span multiple lines
Re: check_http regex
Posted: Wed Oct 09, 2019 1:17 am
by igeoigeo
scottwilkerson wrote:This would do it. You need to
-l to span multiple lines
how can I set up the check to alarm when it find multiple lines, i.e. more than once (.*c start.*c start.*)?
thank you.
Re: check_http regex
Posted: Wed Oct 09, 2019 10:06 am
by scottwilkerson
Add
--invert-regex to the command
Code: Select all
--invert-regex
Return CRITICAL if found, OK if not
Re: check_http regex
Posted: Thu Oct 10, 2019 5:53 am
by igeoigeo
scottwilkerson wrote:Add
--invert-regex to the command
Code: Select all
--invert-regex
Return CRITICAL if found, OK if not
I should rephraise it. The following pattern should be the OK pattern, which contains several regex ".*c start.*c start.*":
Code: Select all
<action
src="abc"
system="2222">
<param
name="trackID"
value="1"
valueType="data">
<c start="11111" end="1111111" />
</action>
<action
src="abc"
system="2222">
<param
name="trackID"
value="1"
valueType="data">
<c start="11111" end="1111111" />
</action>
The alert should be triggered when it finds more that once in the <action> the regex pattern ".*c start.*c start.*
Code: Select all
<action
src="abc"
system="2222">
<param
name="trackID"
value="1"
valueType="data">
<c start="11111" end="1111111" />
<c start="11111" end="222222222" />
</action>
<action
src="abc"
system="2222">
<param
name="trackID"
value="1"
valueType="data">
<c start="11111" end="1111111" />
<c start="11111" end="222222222" />
</action>
Re: check_http regex
Posted: Thu Oct 10, 2019 6:34 am
by scottwilkerson
I'm not a master regex builder but something like this?
Code: Select all
--invert-regex -l -r '.*action.*c start.*c start.*/action.*'
Re: check_http regex
Posted: Thu Oct 10, 2019 8:42 am
by igeoigeo
scottwilkerson wrote:I'm not a master regex builder but something like this?
Code: Select all
--invert-regex -l -r '.*action.*c start.*c start.*/action.*'
Unfortunatelly, this regex doesn't get the right pattern, I mean that having more than once the pattern this cannot get the critical.
Re: check_http regex
Posted: Thu Oct 10, 2019 9:25 am
by scottwilkerson
I guess a first step would be to have you create a regex that can do the match you want, then we can work to apply it to check_http
https://www.freeformatter.com/regex-tester.html