Hi All,

I'm trying to filter our logs, however I would like for it to filter on 3 criteria - the event code, the Object name and the Accesses fields....

I can't seem to get the below to work properly... If I take out the 'Object Name:\s*(?!.tmp).*' it will filter on the other two, however with all three it doesn't work...

I would like for it to check that the event code is either 4663,567 or 560, then make sure that the Object Name does not end with .tmp, and finally that the Accesses where DELETE or WRITE_DAC or WriteData...

There's something that I'm obviously missing that I really need some help with... any help would be greatly appreciated...

REGEX = (?msi)EventCode=(4663|567|560).*Object Name:\s*(?!\.tmp).*Accesses:\s*(DELETE|WRITE_DAC|WriteData)

For the record, I've also tried the below without success:

REGEX = (?msi)EventCode=(4663|567|560).Object Name:\s(?!\.tmp).Accesses:\s(DELETE|WRITE_DAC|WriteData)  

REGEX = (?mi)^EventCode=(4663|567|560).*^Object Name:.*\.tmp$.*^Accesses:\s(DELETE|WRITE_DAC|WriteData)

An example log is:

20110309155132.000000
Category=3
CategoryString=Object Access
ComputerName=ComputerName
EventCode=560
EventIdentifier=560
EventType=4
Logfile=Security
RecordNumber=2572431
SourceName=Security
TimeGenerated=20110309155132.000000+600
TimeWritten=20110309155132.000000+600
Type=Audit Success
User=Username
wmi_type=WinEventLog:Security
Message=Object Open:
Object Server: Security Object Type: File Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp Handle ID: 7420 Operation ID: {0,239001151} Process ID: 4 Image File Name:
Primary User Name: SERVER$ Primary Domain: XXX Primary Logon ID: (0x0,0x3E7) Client User Name: User Client Domain: Domain Client Logon ID: (0x0,0xBA49FA7) Accesses: DELETE ReadAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x10080

Any idea's as to where I'm going wrong would be appreciated....

Thanks,

DB