I have a Windows event below. This regex, (?ms)^\s+User Name:\s+(? \S+), is used to extract the value from the User Name field, which works great when there's a username available. Otherwise, in the event below, when the User Name is blank, the regex picks up "Domain:" as the username. I'm trying to figure out what to add to the regex to prevent a value from being extracted if the User Name field is null.
09/06/2012 08:54:52 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=TESTSYSTEM
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=50947147
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
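An added example, not part of the original post: it reproduces the behaviour described above and shows one way to keep the match on the "User Name:" line by replacing `\s+` (which also matches newlines) with `[ \t]*`. The sample event is constructed from the one in the post with tab-indented fields assumed, and the group name `user` is hypothetical, written in Python's `(?P<name>...)` syntax.

```python
import re

# Constructed sample modelled on the event in the post; the tab indentation
# of the message fields is an assumption about the original layout.
BLANK_USER_EVENT = (
    "Message=Logon Failure:\n"
    "\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\t\n"
    "\tDomain:\t\t\n"
    "\tLogon Type:\t3\n"
    "\tLogon Process:\tNtLmSsp\n"
)
# Same event with a constructed user name filled in.
NAMED_USER_EVENT = BLANK_USER_EVENT.replace("User Name:\t\n", "User Name:\tjdoe\n")

# Shape of the regex in the post: \s+ after the label also matches "\n",
# so on a blank field the match runs onto the next line.
GREEDY = re.compile(r"(?ms)^\s+User Name:\s+(?P<user>\S+)")

# Line-bound variant: [ \t] cannot cross a line break, so a blank field
# leaves \S+ with nothing to match and the whole pattern fails.
LINE_BOUND = re.compile(r"(?m)^[ \t]+User Name:[ \t]*(?P<user>\S+)")


def extract_user(pattern, event):
    """Return the captured user name, or None when nothing is extracted."""
    match = pattern.search(event)
    return match.group("user") if match else None


if __name__ == "__main__":
    for label, event in (("blank", BLANK_USER_EVENT), ("named", NAMED_USER_EVENT)):
        print(label, "greedy     ->", extract_user(GREEDY, event))
        print(label, "line-bound ->", extract_user(LINE_BOUND, event))
```

With the line-bound pattern a blank field yields no extraction at all, so failed logons without a user name are not attributed to a bogus account called "Domain:" in downstream searches or alerts.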