I'm searching on Windows Security Auditing logs and the Security_ID field, but when I do, I'm realizing that there is a section for Subject and one for Target Account. I want to be able to extract each into its own unique field so I can search on one or the other. Here's a sample event log. Right now, both account_1 and account_2 would be in a field called Security_ID and I need to split the two. Thanks!
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4738
EventType=0
Type=Information
ComputerName=server.domain.com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=00000000
Keywords=Audit Success
Message=A user account was changed.
Subject:
Security ID: DOMAIN\account_1
Account Name: account_1
Account Domain: DOMAIN
Logon ID: 0000000
Target Account:
Security ID: DOMAIN\account_2
Account Name: account_2
Account Domain: DOMAIN
Hi erictodor,
You have to use a multi-line regex, something like this:
(?ms)Target Account:.*Security ID:\s+(?<Security_ID>\S+)
You can test it at https://regex101.com/r/ZGJi2D/1
Bye.
Giuseppe
|eval name1=mvindex(Account_Name,0)
|eval name2=mvindex(Account_Name,1)