Parsing Windows Event Logs
I've seen info in this community relative to parsing Windows event logs, given that they are multi-line messages, and needing to parse using the following syntax:
(?s).*Type\s+=\s+\"Information\".*(?s).*
This was very useful, and helped me to figure this out.
I was also able to figure out how to parse fields that do not have an EOL character by using [\r] in the query.
For example... to extract the caller process ID from:
Caller Process ID: 0x0
I can use:
extract "Caller Process ID:(?<caller_process_id>.*?)[\r]"
After all of this learning, where I am having an issue now is searching through a Windows event log where the same message appears in the log on multiple lines. This appears to be the case with the security logs, where some information (Security ID, Account Name, and Account Domain) appears in two sections of the event: there is a SUBJECT section, and an ACCOUNT FOR WHICH LOGON FAILED section.
See specific example below:
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: MDCBCP012062$
Account Domain: DOMAINNAME1
How can I grab "Account Name" out of the second section?
My search below is grabbing from the first section, which results in the parsing pulling out just the 'dash' character.
extract "Account Name:(?<acct_name>.*?)[\r]"
-
Hi Kevin,
Here's the parse statement you can use to extract both usernames:
parse regex "Subject:[\s\S]+?Account Name:[\s&&[^\r]]+(?<src_user>[^\r]+?)\r[\s\S]+?Account Name:[\s&&[^\r]]+(?<dest_user>[^\r\"]+?)(?:\r|\";)"
The [\s\S] expression indicates all whitespace and non-whitespace (including newline) characters. The [\s&&[^\r]] expression indicates whitespace characters that are not carriage return characters. The [^\r\"] expression indicates any character that is not a carriage return or a double quote.
Hope that helps,
Thanks,
Rishi.
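As an added illustration (not part of the original thread), the following Python script reproduces both behaviours on a constructed sample event: the question's naive `Account Name:(?<acct_name>.*?)[\r]` pattern, which returns the Subject's "-", and the answer's section-anchored pattern, which walks from "Subject:" to the first "Account Name:" and then on to the second. Python's `re` module has no Java-style character-class intersection (`[\s&&[^\r]]`), so that class is rewritten as `[^\S\r]` ("whitespace that is not CR"); that translation, the sample event text, and the `extract_field_after` helper (which generalises the same idea to any section/field pair) are assumptions of this example, not Sumo Logic syntax.

```python
import re

# Constructed sample: the body of a Windows logon-failure event as it appears
# in a multi-line log message, with CRLF line endings and tab-indented fields.
# This text is made up for the example and is not copied from the original post.
SAMPLE_EVENT = (
    "An account failed to log on.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-0-0\r\n"
    "\tAccount Name:\t\t-\r\n"
    "\tAccount Domain:\t\t-\r\n"
    "\tLogon ID:\t\t0x0\r\n"
    "\r\n"
    "Logon Type:\t\t\t3\r\n"
    "\r\n"
    "Account For Which Logon Failed:\r\n"
    "\tSecurity ID:\t\tS-1-0-0\r\n"
    "\tAccount Name:\t\tMDCBCP012062$\r\n"
    "\tAccount Domain:\t\tDOMAINNAME1\r\n"
    "\r\n"
    "Process Information:\r\n"
    "\tCaller Process ID:\t0x0\r\n"
)

# The naive pattern from the question: the first "Account Name:" in the
# message wins, which is the Subject section's "-".
NAIVE_RE = re.compile(r"Account Name:(?P<acct_name>.*?)[\r]")

# The section-anchored pattern from the answer, ported to Python syntax.
# [\s\S] matches any character including newlines; [^\S\r] is the Python
# spelling of Java's [\s&&[^\r]] (whitespace other than carriage return).
SECTIONED_RE = re.compile(
    r"Subject:[\s\S]+?Account Name:[^\S\r]+(?P<src_user>[^\r]+?)\r"
    r"[\s\S]+?Account Name:[^\S\r]+(?P<dest_user>[^\r\"]+?)(?:\r|\";)"
)


def naive_account_name(event: str):
    """First 'Account Name:' value in the event, whichever section it is in."""
    m = NAIVE_RE.search(event)
    return m.group("acct_name").strip() if m else None


def extract_users(event: str):
    """Both usernames: the Subject's (src_user) and the failed account's (dest_user)."""
    m = SECTIONED_RE.search(event)
    if not m:
        return None
    return {
        "src_user": m.group("src_user").strip(),
        "dest_user": m.group("dest_user").strip(),
    }


def extract_field_after(event: str, section: str, field: str):
    """Hypothetical general helper: value of `field` that appears after the
    `section` header. Lazy [\\s\\S]*? stops at the first matching field after
    the header, so the section name acts as the anchor. Accepts CR, LF or
    end-of-string as the line terminator, so LF-only exports also work."""
    pattern = re.compile(
        re.escape(section) + r":[\s\S]*?"
        + re.escape(field) + r":[^\S\r\n]+(?P<value>[^\r\n]+?)(?=\r|\n|$)"
    )
    m = pattern.search(event)
    return m.group("value").strip() if m else None


if __name__ == "__main__":
    print("naive:", naive_account_name(SAMPLE_EVENT))
    print("sectioned:", extract_users(SAMPLE_EVENT))
    print("failed account:", extract_field_after(
        SAMPLE_EVENT, "Account For Which Logon Failed", "Account Name"))
    print("caller pid:", extract_field_after(
        SAMPLE_EVENT, "Process Information", "Caller Process ID"))
```

Two practical checks before relying on either pattern in a search: confirm that the collector preserves the carriage returns (a pipeline that normalises to LF silently breaks every `[\r]`-terminated extract), and anchor on the section header text rather than on field order, since the order and presence of sections differ between event IDs.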