Match Any Character with a Dot

by Mike on June 6, 2009

in Regular Expressions

When you start searching logs for problems, the more skill you have with regular expressions, the easier and faster the search will be. One of those tools is the "." that stands for any one character: the dot is a character class that matches any single character.

So if you were searching logs for an event that happened at 5:38 on some day, you have several options for matching that time. The first option uses brackets so that you can list every character that might separate the hour from the minute. The class [-../:] (a leading "-" inside brackets is a literal hyphen, not a range) will allow for:

5-38
5.38
5/38
5:38

Notice that the dot is not a metacharacter when it is inside a bracket class: there it matches only a literal dot.

egrep 05[-../:]38 log

[Fri Jun 05 05:38:05 2009] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "web.example.com"] [uri "*"] [unique_id "U24gnn8AAAEAACRICM8AAAAB"]
[Fri Jun 05 05:38:07 2009] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "web.example.com"] [uri "*"] [unique_id "U4ylBX8AAAEAAEUVuJwAAAAC"]
[Fri Jun 05 05:38:09 2009] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "web.example.com"] [uri "*"] [unique_id "U6spjX8AAAEAAFTVKY0AAAAN"]
[Fri Jun 05 05:38:10 2009] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "web.example.com"] [uri "*"] [unique_id "U7pr1H8AAAEAAEJUpGEAAAAL"]

Using the dot as a metacharacter

You can make your search simpler by using the dot as a metacharacter and dropping the brackets. The "." will now match any single character, so it matches "-" or "/" just as readily as "3" or "9" (05.38 matches 05338 or 05938 as well as 05:38). This makes your expression easier to construct, but it also opens the door to a false match. However, if you are reasonably sure the expression will work without the brackets, it may be faster to just use the dot.

egrep 05.38 log
[Fri Jun 05 05:38:05 2009] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "web.example.com"] [uri "*"] [unique_id "U24gnn8AAAEAACRICM8AAAAB"]
[Fri Jun 05 05:38:07 2009] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "web.example.com"] [uri "*"] [unique_id "U4ylBX8AAAEAAEUVuJwAAAAC"]
[Fri Jun 05 05:38:09 2009] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "web.example.com"] [uri "*"] [unique_id "U6spjX8AAAEAAFTVKY0AAAAN"]
[Fri Jun 05 05:38:10 2009] [error] [client ::1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "35"] [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "web.example.com"] [uri "*"] [unique_id "U7pr1H8AAAEAAEJUpGEAAAAL"]
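As an added example (not the original post's commands or log), the bracket form, the bare dot and a bracketed dot are run over a constructed five-line log so the difference is visible: the constructed SAMPLE_LOG and the count_matches helper are assumptions made here, and the fourth line carries a made-up unique_id containing "05938" to show the dot's false match.

```shell
#!/bin/sh
# Constructed sample log (not the original post's data): three lines at 05:38
# with different separators, one line from another minute whose unique_id
# happens to contain "05938", and one line at 04:38 that should never match.
SAMPLE_LOG='[Fri Jun 05 05:38:05 2009] [error] [client ::1] ModSecurity: Access denied with code 403
[Fri Jun 05 05-38-07 2009] [error] [client ::1] ModSecurity: Access denied with code 403
[Fri Jun 05 05.38.09 2009] [error] [client ::1] ModSecurity: Access denied with code 403
[Fri Jun 05 06:12:10 2009] [error] [client ::1] [unique_id "U05938AAAEAACRICM8AAAAB"]
[Fri Jun 05 04:38:11 2009] [error] [client ::1] ModSecurity: Access denied with code 403'

# count_matches PATTERN
# Prints how many sample lines an egrep-style (grep -E) pattern matches.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -c -- "$1"
}

# Bracket class: hyphen, dot, slash or colon between hour and minute -> 3 lines.
# Bare dot: any one character, so the "05938" inside the unique_id also hits -> 4 lines.
# Dot inside brackets: a literal dot only -> 1 line (the 05.38.09 entry).
for pat in '05[-./:]38' '05.38' '05[.]38'; do
    printf '%-12s %s line(s)\n' "$pat" "$(count_matches "$pat")"
done
```

Escaping the dot as 05\.38 gives the same single match as 05[.]38, which is the usual way to search for a literal dot outside brackets.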
