topic Re: Regex for Windows username null values in Splunk Search

Regex for Windows username null values

tpowell12 — Wed, 19 Sep 2012 18:20:08 GMT

I have a Windows event below. This regex, (?ms)^\s+User Name:\s+(?\S+), is used to extract the value from the User Name field which works great when there's a username available. Otherwise, in the event below when the User Name is blank, the regex picks up "Domain:" as the username. I'm trying to figure out what to add in the regex to prevent a value from being extracted if the User Name field is null.

09/06/2012 08:54:52 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=TESTSYSTEM
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=50947147
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name:

Domain:

Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:

Re: Regex for Windows username null values

bmacias84 — Wed, 19 Sep 2012 18:58:44 GMT

The following regex statement should work. I tested it with a few variation of your example.

(?ms)^\s+User\sName:\s+(?P<user_name>[^\s]+|)
 OR
(?ms)^\s+User\sName:\s+(?P<user_name>[^\s]+|)\r

Hope this helps.

Cheers

Re: Regex for Windows username null values

tpowell12 — Wed, 19 Sep 2012 20:57:50 GMT

It works with the \r at the end in an editor like gskinner.com/regexr. In Splunk, I have two extractions for one sourcetype. One for the username that you helped with and another for account names. The problem I have now is when I add the \r to regex in transforms.conf, the username is no longer extracted, only the account name. I must be missing something.

Re: Regex for Windows username null values

tpowell12 — Mon, 28 Sep 2020 12:28:47 GMT

props.conf
[tcp-raw]
REPORT-extract_names = extract_username, extract_accountname

transforms.conf
[extract_username]
- extracts the user name field in Windows security logs
REGEX = (?ms)^\s+User Name:\s+([^\s]+|)\r
FORMAT = user_name::$1

[extract_accountname]
- extracts the account name field in Windows security logs
REGEX = (?ms)Account For Which Logon Failed.+?Account Name:\s+(\V+)
FORMAT = account_name::$1

Re: Regex for Windows username null values

bmacias84 — Wed, 19 Sep 2012 21:13:51 GMT

Can you provide a sample of the event extract_accountname is used in?

Re: Regex for Windows username null values

cphair — Wed, 19 Sep 2012 21:28:04 GMT

@bmacias84, if you know the Message format is always the same, can you add "Domain:" to the end of your regex, after the parentheses? Do you really need to perform multi- and single-line matching for a username extraction?

Re: Regex for Windows username null values

bmacias84 — Mon, 28 Sep 2020 12:28:50 GMT

Ok, I think I understand what you are trying to do and the following regex statement should work or at the very least get you most of the way there.

(?m)^\s+(User\sName:\s+(?P[^\s]+|))|(?:Account\sFor\sWhich\sLogon\sFailed\s+Account\sName:\s+(?P[^\s]+))\r

(?m)^\s+((?:User\sName:\s+(?P[^\s]+|))|(?:Account\sFor\sWhich\sLogon\sFailed\s+Account\sName:\s+(?P[^\s]+|)))\r

Your Formate notation:
FORMAT = account_name::$1 account_name::$2

Re: Regex for Windows username null values

bmacias84 — Wed, 19 Sep 2012 22:14:52 GMT

@cphair, I think I understand your question, maybe. if you know username and domain will always appear together. If you wanted to preform multiple field extractions in the statment you might want to use the |(pipe) to make the match optional. Keep in mind that using the |(pipe) following alternative will be tried if the regex backtraces into the group.