Hi All,
I'm trying to filter our logs, however I would like for it to filter on 3 criteria - the event code, the Object name and the Accesses fields....
I can't seem to get the below to work properly... If I take out the 'Object Name:\s*(?!.tmp).*' it will filter on the other two, however with all three it doesn't work...
I would like for it to check that the event code is either 4663, 567 or 560, then make sure that the Object Name does not end with .tmp, and finally that the Accesses were DELETE or WRITE_DAC or WriteData...
There's something that I'm obviously missing that I really need some help with... any help would be greatly appreciated...
REGEX = (?msi)EventCode=(4663|567|560).*Object Name:\s*(?!\.tmp).*Accesses:\s*(DELETE|WRITE_DAC|WriteData)
For the record, I've also tried the below without success:
REGEX = (?msi)EventCode=(4663|567|560).Object Name:\s(?!\.tmp).Accesses:\s(DELETE|WRITE_DAC|WriteData)
REGEX = (?mi)^EventCode=(4663|567|560).*^Object Name:.*\.tmp$.*^Accesses:\s(DELETE|WRITE_DAC|WriteData)
An example log is:
20110309155132.000000
Category=3
CategoryString=Object Access
ComputerName=ComputerName
EventCode=560
EventIdentifier=560
EventType=4
Logfile=Security
RecordNumber=2572431
SourceName=Security
TimeGenerated=20110309155132.000000+600
TimeWritten=20110309155132.000000+600
Type=Audit Success
User=Username
wmi_type=WinEventLog:Security
Message=Object Open:
Object Server: Security
Object Type: File
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp
Handle ID: 7420
Operation ID: {0,239001151}
Process ID: 4
Image File Name:
Primary User Name: SERVER$
Primary Domain: XXX
Primary Logon ID: (0x0,0x3E7)
Client User Name: User
Client Domain: Domain
Client Logon ID: (0x0,0xBA49FA7)
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10080
Any ideas as to where I'm going wrong would be appreciated....
Thanks,
DB
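The three-part filter described in the question, as an added example that is not from the thread. It is written against Python's re module, whose lookahead and inline-flag syntax is the same as the PCRE Splunk applies in a transforms.conf REGEX. The sample events, the make_event helper and the corrected pattern (FIXED) are constructed for this example; ASKED is the question's own regex, included to show why it keeps the .tmp event. The fix is to anchor each field to its own line with (?m) and to make the negative lookahead inspect the rest of the Object Name line, so that "ends with .tmp" is what gets rejected instead of "starts with .tmp".

```python
import re


def make_event(code: str, object_name: str, first_access: str) -> str:
    """Build a constructed WinEventLog:Security event in the layout quoted in
    the question. Only the fields the filter looks at are kept; the Message
    body lines are tab-indented the way Windows emits them. Not real data."""
    return "\n".join([
        "20110309155132.000000",
        f"EventCode={code}",
        f"EventIdentifier={code}",
        "Type=Audit Success",
        "Message=Object Open:",
        "\tObject Server:\tSecurity",
        "\tObject Type:\tFile",
        f"\tObject Name:\t{object_name}",
        "\tHandle ID:\t7420",
        f"\tAccesses:\t{first_access}",
        "\t\t\tReadAttributes",
        "\tPrivileges:\t-",
        "\tAccess Mask:\t0x10080",
    ]) + "\n"


# Constructed events: the two cases from the thread plus three edge cases.
EVENTS = {
    "pst_delete": make_event("560", r"G:\users\xxxxxx\Outlook .pst folders\~archive.pst", "DELETE"),
    "tmp_delete": make_event("560", r"G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp", "DELETE"),
    "tmp_dir":    make_event("4663", r"G:\users\xxxxxx\cache.tmp\report.docx", "WriteData"),
    "pst_read":   make_event("560", r"G:\users\xxxxxx\Outlook .pst folders\~archive.pst", "ReadData"),
    "other_code": make_event("4624", r"G:\users\xxxxxx\Outlook .pst folders\~archive.pst", "DELETE"),
}

# The question's own attempt. The lookahead runs at the START of the path
# (right after "Object Name:" and its whitespace), so it only rejects names
# that begin with ".tmp"; a path that ENDS in .tmp passes straight through.
ASKED = re.compile(
    r"(?msi)EventCode=(4663|567|560).*Object Name:\s*(?!\.tmp).*"
    r"Accesses:\s*(DELETE|WRITE_DAC|WriteData)"
)

# Corrected filter (constructed for this example). Each field is anchored to
# its own line, and the lookahead scans the REST of the Object Name line for
# ".tmp" followed only by optional whitespace and end of line. [^\r\n]* is used
# instead of .* because (?s) makes . match newlines, which would let the
# lookahead wander into later lines of the event.
FIXED = re.compile(
    r"(?msi)"
    r"^EventCode=(?:4663|567|560)[ \t]*$"
    r".*?"
    r"^[ \t]*Object Name:[ \t]*(?![^\r\n]*\.tmp[ \t]*$)[^\r\n]*$"
    r".*?"
    r"^[ \t]*Accesses:[ \t]*(?:DELETE|WRITE_DAC|WriteData)\b"
)


def should_keep(event: str, pattern: re.Pattern = FIXED) -> bool:
    """True when the event satisfies all three criteria from the question."""
    return pattern.search(event) is not None


def kept_names(pattern: re.Pattern = FIXED) -> list:
    """Names of the sample events the given pattern would keep."""
    return [name for name, event in EVENTS.items() if should_keep(event, pattern)]


if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:12} asked={should_keep(event, ASKED)!s:5} fixed={should_keep(event)!s:5}")
```

Two points carry over to Splunk: a transforms.conf REGEX is run against the whole raw event, so the (?m) line anchors are what scope each check to its own field line, and, like the question's pattern, this one only tests the first entry under Accesses; a DELETE that appears on a continuation line below ReadAttributes would not be seen.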
Hello DB,
Try this one:
REGEX = (?msi)^EventCode=(4663|567|560).*Object Name:.*\.tmp\s.*Accesses:\s(DELETE|WRITE_DAC|WriteData)
I understand you don't want to select any .tmp files.
But I think it is difficult to exclude .tmp files.
The reason you cannot use "(?!.tmp)" and "(?<!.tmp)" is that there are no clear boundaries.
...If you want to search, I think you should extract the "Object Name" field and add the search condition: | regex ObjectName!=".tmp$"
Yeah I know... it's driving me crazy... the problem is that I don't want it to select any of the .tmp files... So there really needs to be a NOT in there... So basically I want the below log:
EventCode=560
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst
Accesses: DELETE
But not:
EventCode=560
Object Name: G:\users\xxxxxx\Outlook .pst folders\~archive.pst.tmp
Accesses: DELETE
Hmm, it's difficult... How about this one.
REGEX = (?msi)^EventCode=(4663|567|560).Object Name:\t+..tmp.*Accesses:\t+(DELETE|WRITE_DAC|WriteData)
Sorry, but that didn't work... any other ideas? It's driving me crazy!
Cheers,
David.