I want to extract the client ip and user "DELTA\Kelly" from the windows event messages
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
172.4.5.6:57157
Identity the client attempted to authenticate as:
DELTA\Kelly
Binding Type:
Fixed..... Please close
| makeresults
| eval Message="The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
172.4.5.6:57157
Identity the client attempted to authenticate as:
DELTA\Kelly
Binding Type:
Fixed..... Please close"
| rex field=Message "(?ms).*Client IP address:[^\d]+(?<ip>\d+\.\d+\.\d+.\d+).*authenticate as:[\r\n\s]+(?<domain>\w+)\\\(?<user>[\w ]+)"
This should work and will extract the fields ip, domain and user. If you want to include the user and domain as a single value, then get rid of the (?<domain>\w+) \\\ and add change the user extraction to
(?<user>[\w\\\ ]+)
| makeresults
| eval Message="The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
172.4.5.6:57157
Identity the client attempted to authenticate as:
DELTA\Kelly
Binding Type:
Fixed..... Please close"
| rex field=Message "(?ms).*Client IP address:[^\d]+(?<ip>\d+\.\d+\.\d+.\d+).*authenticate as:[\r\n\s]+(?<domain>\w+)\\\(?<user>[\w ]+)"
This should work and will extract the fields ip, domain and user. If you want to include the user and domain as a single value, then get rid of the (?<domain>\w+) \\\ and add change the user extraction to
(?<user>[\w\\\ ]+)