Nov 16 12:50:51 172.23.0.29 Nov 16 12:50:51 dc01 Microsoft_Windows_security_auditing.: Domain\user1: Security Microsoft Windows security auditing.: [Success Audit] A user account was changed.
Security ID: domain\value
Account Name: value
Account Domain: Domain
Logon ID: 0xA058EB26
Security ID: domain\user1
Account Name: user1
Account Domain: domain
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 11/16/2017 12:50:50 PM
Account Expires: -
Primary Group ID: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
Privileges: - (EventID 4738)
Target Account:\n.+\n Account Name: (?<target_user>.+)
When I run this regular expression using the rex command it only matches "user1".
When I use this regex in a field extraction it matches everything from user1 to the end of the log. Why does this expression return different results depending on how it is used?
@wenthold is correct - the field extraction engine is adding the ?ms flags to the start of the regex in your props.conf file. This means that your regex is matching on the whole event as though it's a single line. This can be seen in the documentation too:
If your aim is to only extract the target account, I'd recommend using something like the following regex, which will work in field extractions or in the rex command:
This will also block capture of the rest of the event if the field is empty or all on one line, which is what's happening for you at the moment.
I don't know if it is a typo, but your REGEX has an extra space before Account. It should be:
Target Account:\n.+\nAccount Name: (?<target_user>.+)
Like I say, it may be just a typo, but it would not match as you have supplied it.
Formatting the submission removed the leading spaces. There is actually a space before Account Name in the real logs.
I just checked again. With a field extraction, I am getting a match, but the match includes from user1 to the end of the log. If I take the same expression and use the rex command in search, I get exactly what I want.
It's likely because there are line ending characters that you can't see (printed by MS) on some events, and then sometimes not on others. Regex is VERY specific about things, even the ones you can't see.
If you use a '.+' it's a lazy match, so just try to be more specific with your anchor characters. MS is not known for its ease of matching in its events. They are quite verbose.
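The following is an added example, not code from anyone in this thread, that reproduces both points made above: the accepted answer's explanation that the field-extraction engine prepends the `(?ms)` flags (so `.` crosses line endings and the trailing `.+` swallows the rest of the event), and the later comment's advice to be specific about line endings. It uses Python's `re` module, whose `re.S | re.M` flags play the role of PCRE's `(?ms)`, and Python's `(?P<name>...)` group syntax in place of Splunk's `(?<name>...)`. The sample event is constructed from the 4738 event quoted in the question (the `Target Account:` header line appears in the poster's regex but not in the pasted log, so it is assumed here), and the tighter `[^\r\n]+` pattern is an assumption of this example, not a regex proposed in the thread.

```python
import re

# Constructed sample event, modelled on the Windows 4738 event in the question.
# The "Target Account:" header line is assumed; the fields after "Account Name:"
# are what the greedy ".+" swallows once "." is allowed to cross newlines.
EVENT = (
    "Target Account:\n"
    " Security ID: domain\\user1\n"
    " Account Name: user1\n"
    " Account Domain: domain\n"
    " SAM Account Name: -\n"
    " Display Name: -\n"
)

# The poster's regex, with Python's (?P<name>...) in place of PCRE's (?<name>...).
POSTED = r"Target Account:\n.+\n Account Name: (?P<target_user>.+)"

# A tighter pattern (an assumption of this example): [^\r\n] can never cross a
# line ending, whatever flags the caller adds, and \r?\n tolerates CRLF events.
TIGHT = r"Target Account:\r?\n[^\r\n]+\r?\n Account Name: (?P<target_user>[^\r\n]+)"


def extract(pattern, event, flags=0):
    """Return the target_user group, or None if the pattern does not match."""
    m = re.search(pattern, event, flags)
    return m.group("target_user") if m else None


def rex_style(pattern, event):
    """rex command: the pattern is used as written, so '.' stops at a newline."""
    return extract(pattern, event)


def props_style(pattern, event):
    """props.conf field extraction: the engine prepends (?ms);
    re.M | re.S is the equivalent here, so '.' matches newlines too."""
    return extract(pattern, event, re.M | re.S)


if __name__ == "__main__":
    print("rex,   posted regex:", repr(rex_style(POSTED, EVENT)))    # 'user1'
    print("props, posted regex:", repr(props_style(POSTED, EVENT)))  # 'user1\n Account Domain: ...'
    print("props, tight regex: ", repr(props_style(TIGHT, EVENT)))   # 'user1'
```

Running the block shows the posted regex returning `user1` under rex semantics but the whole tail of the event under `(?ms)` semantics, while the character-class version returns `user1` in both modes; that independence from the caller's flags is why a negated class is the safer choice for a `props.conf` extraction.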
It appears that your question needs some tweaking. Can you edit your question, or add a comment, and use the 101010 button on the highlighted "code" to make sure that there are not going to be characters that are removed due to having the code be interpreted before being displayed. Right now the Regex expression doesn't seem to be complete, so it is hard to give you help.