Hi,

I have similar authentication logs as below:

LOG 1:

03362 auth: ST1-CMDR: User 'my-global\admin' logged in from IP1 to WEB_UI session

LOG2:

%%10WEB/4/WEBOPT_LOGIN_SUC(l): admin logged in from IP2

The regex below works only for event LOG2:

(?<user>\w+)\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Probably it doesn't match special characters, any idea to solve that?

Thank you in advance!