Tips on String Matching
As a general rule, where possible, it is most accurate (along with being easier to write and troubleshoot) to confine the matching to a single line of the message. Single quotes and double quotes are interchangeable when surrounding audit fields, except in the following cases:
In Windows compliance checks where special fields such as CRLF must be interpreted literally, use single quotes. Any embedded fields that are to be interpreted as strings must be escaped out. For example:
expect: 'First line\r\nSecond line\r\nJohn\'s Line'
Double quotes are required when using the FileContent "include_paths" and "exclude_paths"
If using strings in any field type (description, value_data, regex, etc.) that contain single or double quotes, there are two ways to handle them"
Use the opposite quote type for the outermost enclosing quotes. For example:
expect: "This is John's Line"
expect: 'We are looking for a double-quote-".*'
Escape out any embedded quotes with a backslash (double quotes only). For example:
expect: "\"Text to be searched\""
Escaping a single character can be done so it matches the literal character rather than the normal regex interpretation of any single character. For example:
expect: "Find this line\. Even if it has periods\."