Channel: THWACK: Message List - Network Configuration Manager

Re: Filtering for incorrect logging hosts


Ok, I think I have definitively solved this!!   I'll tag cvachovecj to make sure he knows!!

 

Which comes as a bit of a surprise to me because I was about to tell you that it can't be done in this iteration of NCM at least. I was going to explain how the problem is that you would have to write a regular expression that would match every valid logging host IP BUT the ones that are actually valid in order to do this, which would mean you effectively have to match everything BUT the IPs doing a negated condition. And I was going to say that while there is probably a regex that could do that, it's probably overly complex.

 

However, I'm glad to say instead that this is not the case! In writing the above, I started exercising my regex memories (which are quite old and stale) and remembered something about negative lookbehinds in regexes and thought we might be able to use those, coupled with groups, to accomplish just this. That knowledge, my regex cheat sheet, and some time on regextester.com brought me to a solution...

 

Let's say your two valid logging hosts are 10.11.12.13 and 10.11.13.14, this regex will match anything BUT those two.

 

^logging host (?:(?!10.11.12.13|10.11.13.14)).*

 

Broken down,

^ - Ties it to the beginning of a line, always good practice in using regexes.

"logging host " is a literal match, looks for explicitly this.   That's one thing you need to be careful of, removing as much from the pattern match as possible!

(?:)  - By enclosing the grouping in this, it should make it a non-capturing match, which might be default in the compliance engine, but good practice. 

(?!10.11.12.13|10.11.13.14) - This tells it to not match any string that would otherwise be matched, if the preceding part of the match (i.e. "logging host ") is followed by any one of these two strings. You can add more by putting in more "|" (which is an "or") and more IPs.

.* - match anything.

 

The trickiest part is to remember that the lookbehind buffer doesn't move the regular expression. So when I put the ".*", it's as if it was right after the "logging host ". I was trying to figure out how to negate the first couple IPs that I listed, and have it not negate another part of the group that matched another IP, but you really have to have the "not matching" lookbehind on its own.

 

Now, you can mess around and figure out a rule that will look for the hosts you want, and then does this to look for all other hosts, but in doing that you will most likely lose the coolest part of all this.   You can couple this with my last potential solution, which is kind of hacking the config block usage,  and have it remediate all hosts that shouldn't be there for you!!    The whole rule and remediation script is below, quite simple and easy to do.  Now, you will note the regex is in there twice, once in the "Advanced Config Search" and once in the "Config Block Start".   You could potentially just have it in the "Config Block Start" and have a pattern that matches anything in the "Advanced Config Search", but I think this is a better practice and easy to do.    You could get unexpected results the other way around.

 

**NOTE**   This can easily be adapted to other things, like SNMP communities, usernames, etc. etc...   The possibilities are endless...

 

As always, TEST before you commit!! When you click on the violated rule in your Compliance report, it will ask you to "Execute Remediate Script on this node" or all nodes. No matter which you choose, at the next step there is a "Preview Script" choice, please use it to see what it's going to be executing. If you're doing it to all hosts, check a good random selection of devices to see that the scripts it's generating are good...

 

If you do go this route, simply create another rule to check for the hosts you want, which we should all know how to do...

 

I'm interested to see if it works as well for others as in my testing?

 

solved.png
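A way to test the rule offline before loading it into NCM (an added example, not part of the original post): it runs the posted pattern over a constructed config and compares it with a stricter variant of the same `(?!...)` negative-lookahead rule. The function names, the sample config and the use of Python's `re` engine are assumptions; the stricter form escapes the dots and requires each approved address to end at whitespace or end of line, so a host such as 10.11.12.130 is not passed as valid because it begins with an approved address.

```python
import re

# The pattern exactly as posted above.
POSTED = r"^logging host (?:(?!10.11.12.13|10.11.13.14)).*"


def build_strict(valid_hosts):
    """Same negative-lookahead idea, with dots escaped and each address
    required to end at whitespace or end of line (assumption: in the
    config, the address is followed by a space or by nothing)."""
    alternation = "|".join(re.escape(h) for h in valid_hosts)
    return rf"^logging host (?!(?:{alternation})(?:\s|$)).*"


def flagged(pattern, config):
    """Return every config line the rule would report as a violation."""
    return [m.group(0) for m in re.finditer(pattern, config, re.MULTILINE)]


# Constructed sample config, not taken from a real device.
SAMPLE_CONFIG = """\
hostname lab-sw1
logging host 10.11.12.13
logging host 10.11.13.14 transport udp port 514
logging host 10.11.12.130
logging host 192.0.2.50
snmp-server location lab
"""

STRICT = build_strict(["10.11.12.13", "10.11.13.14"])

if __name__ == "__main__":
    # The posted rule reports only 192.0.2.50; the strict rule also
    # reports 10.11.12.130, which merely starts with an approved address.
    print("posted:", flagged(POSTED, SAMPLE_CONFIG))
    print("strict:", flagged(STRICT, SAMPLE_CONFIG))
```

Because the same pattern also drives the remediation script in "Config Block Start", any line the rule fails to flag is also a line the remediation will leave in place.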

