Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw
Explorer

I'm trying to perform a seemingly simple task, which is to search for failed logins in my AD environment. Here's the search I used, found in another Answer:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"

Great! I found some failed logins. Now I want specific information out of this event, which is the "Account Name" of the user who's having a problem. Ewwww, but with Microsoft's lovely log format, they so graciously supply TWO "Account Name" fields with the same name:

11/15/10 03:41:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=SERVERNAME.DOMAIN.NAME
TaskCategory=Logon
OpCode=Info
RecordNumber=30965331
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SERVERNAME$  <-- 1st occurrence
    Account Domain:     DOMAIN
    Logon ID:       0x3e7

Logon Type:         8

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       username    <-- 2nd occurrence
    Account Domain:     domain.name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x1a40
    Caller Process Name:    C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: 11.22.33.44
    Source Port:        2453

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
<snip>

I want that second occurrence of "Account Name" (which holds username). Now you may already be thinking, hey buddy this question has been asked before -- go search because the answers out there (one, two) are to use "| eval newVar=mvindex(Account_Name,1)"...

...but hear me out. It's not behaving as expected.

So I adjust my search to store the 2nd occurrence of "Account Name" in a new variable and dump them into a table:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| eval newVar=mvindex(Account_Name,1)
| table Account_Name newVar

Here's the problem: this results in

SERVERNAME$    <blank>    

I can't get the value of the 2nd occurrence. Reading the documentation on Parse Fields With Multiple Values doesn't shed any light on my problem.

So I tried grabbing the last value, "newVar=mvindex(Account_Name,-1)", but that outputs blank as well. So I start to question if mvindex is doing anything... but the strange thing is that "newVar=mvindex(Account_Name,0)" seems to store/retrieve just fine, despite it not being the data I want.

Can someone point me in the right direction? Thanks in advance.

Running 4.1.5 Linux x86_64


ziegfried Solution

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<Wanted_Account>\V+)"
| table _time Account_Name Wanted_Account ComputerName Failure_Reason src_ip Workstation_Name

bwooden
Splunk Employee

How are you extracting the Account_Name field(s)?
What does this return?

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)" 
| eval Wanted_Account=mvindex(Account_Name,1)
| table Wanted_Account


ziegfried
Influencer

An option is to extract the Account Name after the occurrence of "Account For Which Logon Failed":

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<wanted_account>\V+)"
| table wanted_account

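As an added example (not code from this thread), the three extractions discussed above expressed in Python over a copy of the 4625 event from the question: a single-value extraction that shows why mvindex(Account_Name,1) comes back empty when the field only holds the first match, bwooden's max_match-style capture of every "Account Name", and ziegfried's regex anchored on the "Account For Which Logon Failed" heading. The sample event is constructed from the one in the question, the mvindex function is a stand-in for Splunk's, and `[^\r\n]+` replaces the `\V+` that Python's re module does not support.

```python
import re

# Constructed sample event, adapted from the 4625 message shown in the question
# (the "<-- 1st/2nd occurrence" annotations are not part of a real event).
SAMPLE_EVENT = """11/15/10 03:41:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
ComputerName=SERVERNAME.DOMAIN.NAME
TaskCategory=Logon
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SERVERNAME$
    Account Domain:     DOMAIN
    Logon ID:       0x3e7

Logon Type:         8

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       username
    Account Domain:     domain.name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: 11.22.33.44
    Source Port:        2453
"""

# Single-value extraction: only the first "Account Name:" is captured. A field
# built this way has one value, so index 1 is out of range and comes back null.
FIRST_ONLY = re.compile(r"Account Name:\s+(\S+)")

# Equivalent of bwooden's rex with max_match=99: capture every occurrence.
# \w+\$? matches a plain account name with an optional trailing "$" (computer accounts).
ALL_NAMES = re.compile(r"Account Name:\s+(\w+\$?)")

# Equivalent of ziegfried's anchored rex. (?ms) becomes re.DOTALL, and
# [^\r\n]+ stands in for \V+ (one or more non-vertical-whitespace characters).
AFTER_FAILED_SECTION = re.compile(
    r"Account For Which Logon Failed.+?Account Name:\s+([^\r\n]+)", re.DOTALL
)


def mvindex(values, index):
    """Stand-in for Splunk's mvindex: element at index (negatives allowed),
    or None when the index is out of range, as Splunk returns null."""
    try:
        return values[index]
    except IndexError:
        return None


def first_only_account_name(event):
    """Single-value extraction: a one-element list (or empty if no match)."""
    m = FIRST_ONLY.search(event)
    return [m.group(1)] if m else []


def all_account_names(event):
    """Multivalue extraction, like rex max_match=99."""
    return ALL_NAMES.findall(event)


def failed_account_name(event):
    """Anchored extraction: the Account Name that follows the
    'Account For Which Logon Failed' heading, or None if that section is absent."""
    m = AFTER_FAILED_SECTION.search(event)
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    print("single-value field, mvindex 1:", mvindex(first_only_account_name(SAMPLE_EVENT), 1))
    print("max_match field, mvindex 1:   ", mvindex(all_account_names(SAMPLE_EVENT), 1))
    print("anchored extraction:          ", failed_account_name(SAMPLE_EVENT))
```

Two caveats carry over to the SPL: `\w+\$?` will not match account names containing dots or hyphens, and `\V+` captures through the end of the line including any trailing spaces, so trim the extracted field (Splunk's trim(), strip() here) before comparing it against a user list. The anchored form also degrades safely: when an event has no "Account For Which Logon Failed" section, the field is simply absent rather than silently holding the Subject's account.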