If it's a sed and awk solution something like this might solve it:
Code:
sajko@hanna:~> awk -F']' 'NR>1&&$0=$1' RS='(id|uri) ' a.txt
"970903"
"/PROD/scanjour/index.php"
"bXAmd38AAAEAAGZgcdAAAAAB"
The last entry is just because it contains id in the UNIQUE_ID tag.
Code:
sajko@hanna:~> cat a.txt
[Tue Feb 16 09:21:58 2010] [error] [client 93.160.58.5] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "app.appinux.com"] [uri "/PROD/scanjour/index.php"] [unique_id "bXAmd38AAAEAAGZgcdAAAAAB"]
sajko@hanna:~> cat a.txt | cut -d'[' -f7 | cut -d ']' -f1
id "970903"
sajko@hanna:~> cat a.txt | cut -d'[' -f12 | cut -d ']' -f1
uri "/PROD/scanjour/index.php"
Here you have another solution without using sed/awk.
If you wish to clean the lines up a bit using sed you can do this:
Code:
sajko@hanna:~> echo "uri \"/PROD/scanjour/index.php\"" | sed -e "s/^[^\"]\+\"\([^\"]\+\)\"/\1/"
/PROD/scanjour/index.php
Breaking down s/^[^\"]\+\"\([^\"]\+\)\"/\1/:
^[^\"]\+ This means to jump ahead to the first quotation mark ", this does not include it so the next sign needs to be ".
\([^\"]\+\) Again, this means to jump ahead, but we also buffer it for the search-replace part.
\1 after an unescaped / means to use buffer 1, meaning the first () item in the previous search pattern (aka grouping).
Best regards
Fredrik Eriksson
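
Added example, not part of the original post: a POSIX awk variant of the extraction above that matches each field as the literal text [name "value"], so asking for id cannot pick up unique_id, and prints the requested fields tab-separated per ModSecurity entry. The function names, the client address and the second and third sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. modsec_fields and sample_log are hypothetical helper names.

# Print the named ModSecurity metadata fields, tab-separated, one output
# line per ModSecurity log entry. A missing field is printed as "-".
modsec_fields() {
    awk -v names="$*" '
    # Return the value of [name "value"] in line, or "-" if absent.
    # index() does a literal search, so no regex escaping is needed and
    # the leading "[" keeps id from matching inside [unique_id "..."].
    function field(line, name,    tag, pos, rest, stop) {
        tag = "[" name " \""
        pos = index(line, tag)
        if (pos == 0) return "-"
        rest = substr(line, pos + length(tag))
        stop = index(rest, "\"]")
        if (stop == 0) return "-"
        return substr(rest, 1, stop - 1)
    }
    BEGIN { n = split(names, want, " ") }
    /ModSecurity:/ {
        out = ""
        for (i = 1; i <= n; i++) {
            sep = (i > 1) ? "\t" : ""
            out = out sep field($0, want[i])
        }
        print out
    }'
}

# Constructed sample: line 1 is a shortened form of the entry in the post,
# line 2 has the text "id " inside the message and no uri field,
# line 3 is an ordinary Apache error that must be skipped.
sample_log() {
    cat <<'EOF'
[Tue Feb 16 09:21:58 2010] [error] [client 192.0.2.10] ModSecurity: Warning. Match of "rx example" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [uri "/PROD/scanjour/index.php"] [unique_id "bXAmd38AAAEAAGZgcdAAAAAB"]
[Tue Feb 16 09:22:03 2010] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "id " at ARGS:q. [id "000001"] [unique_id "CONSTRUCTEDuniqueid000001"]
[Tue Feb 16 09:22:04 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
EOF
}

sample_log | modsec_fields id uri unique_id
```

On a real log, pipe the file in instead: modsec_fields id uri < error_log.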