topic Re: sedcmd with Eventlog in Getting Data In

sedcmd with Eventlog

akuzma_2 — Tue, 31 Jul 2018 10:40:18 GMT

I want to remove lot of rows in windows eventlog.

I tested it on EventCode=4624 - successful login

02/01/2018 09:56:03 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=COMPUTER1
TaskCategory=Logon
OpCode=Info
RecordNumber=1072237543
Keywords=Audit Success ...

but I cannot get it working. I want to use SEDCMD, but before that I tried in search with rex command in sed mode, but something like that:

rex mode=sed "s/(?!Type=\w+).+//g"

got me only one letter "T" as below:

What I am doing wrong?

Maybe I should use transforms instead?

Re: sedcmd with Eventlog

FrankVl — Tue, 31 Jul 2018 11:34:51 GMT

What exactly is your goal? Which part of the message do you want to remove?

Looking at regex101 with your data and regex, it indeed matches everything except that single T: https://regex101.com/r/BoyXLF/1

Looks like your way of using that negative lookahead is incorrect for what you want to accomplish.

Re: sedcmd with Eventlog

akuzma_2 — Tue, 31 Jul 2018 11:44:00 GMT

I found that it's incorrect, but I does not know how to make it right.

My goal is to remove almost all fields and leave only 3-4 I need.

Re: sedcmd with Eventlog

FrankVl — Tue, 31 Jul 2018 12:12:58 GMT

If you tell us which fields you want to remove and which you want to keep, we can help you, but if we don't know what exactly you want to remove, it is impossible to suggest another regex.