
Does anyone know the regex syntax to filter only the second Account Name from a Windows Event Log? I don't want the first Account Name, that one I got, but the second Account Name mentioned is the account that was deleted, and that's what I'm interested in finding out.

I'm able to pull both, but I would really like to have only the second account.

Example:

<13>May 23 15:11:00 14.5.15.1 AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=john.doe User= Domain= EventID=4726 EventIDCode=4726 EventType=8 EventCategory=13824 RecordNumber=4156926121 TimeGenerated=1472042299838 TimeWritten=1472048832838 Message=A user account was deleted. Subject: Security ID: S-1-5-21-37618230-746332178-285459281-20341 Account Name: AdminGuy Account Domain: Some Logon ID: 0x2q45w29b1 Target Account: Security ID: S-1-5-21-37438650-746321018-288529281-12311 Account Name: JohnDoe Account Domain: Some Additional Information: Privileges -

\sAccount\sName\:\s(.*?)\s

This is just one example that pulls both Account Names. But does anyone know how to extract only the second Account Name?

In the above example the second Account Name would be:

JohnDoe
Cristik
John
    Easy - [`(?s)^.*?Account Name: \S+.*Account Name: (\S+)`](https://regex101.com/r/yK9sU8/2) – Wiktor Stribiżew Aug 30 '16 at 11:46
  • thank you Wiktor, I'm not sure what I'm doing wrong as I'm still getting no match when I check that on http://www.regextester.com/ or http://www.regexpal.com/ – John Aug 30 '16 at 13:09
  • Kindly read the http://stackoverflow.com/editing-help before asking your next question. Also see http://stackoverflow.com/help/how-to-ask (all together for a better network) – J. Chomel Aug 30 '16 at 13:11
  • Why use any online testers? Test in the *target* environment. Actually, the second `.*` must be lazy `.*?` too. – Wiktor Stribiżew Aug 30 '16 at 13:45
  • Sorry J.Chomel :) It was actually rhetorical question :) I'll be more careful in future. – John Aug 30 '16 at 14:55

3 Answers


Maybe use something like this one:

\sAccount\sName:\s.*\sAccount\sName:\s([^\s]*)\s
baddger964
  • thanks .. when I run it in a regex tester it produces no matches (using http://www.regexpal.com/ for testing) – John Aug 30 '16 at 11:47

This is the pattern:

(?ms)Account\s+Name.*?(Account\s+Name:\s+)(\w+)

But you need to collect the capturing parentheses. In this regex the account name is in group no. 2. The language/library you use gives you a way to access the text captured by the capturing parentheses.

Israel Unterman

For Graylog this was the proper regex:

Account Name:.*?Account Name:(\s*(\S*))
brakertech
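Worked example (added here, not code from any of the answers above): the positional pattern from the comments, with both `.*?` lazy as Wiktor pointed out, next to a structural pattern that anchors on the `Target Account:` label that event 4726 always emits, so it keeps working when the input holds more than two `Account Name:` fields (for instance several events pasted into one buffer). The log lines are constructed to mirror the one in the question; all SIDs, names and IPs in them are made up.

```python
import re

# Constructed sample line, modelled on the QRadar/WinCollect-style line in the
# question (SIDs, names and IP are invented).
EVENT_A = (
    "<13>May 23 15:11:00 14.5.15.1 AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing Computer=john.doe User= Domain= "
    "EventID=4726 EventIDCode=4726 EventType=8 EventCategory=13824 "
    "RecordNumber=4156926121 TimeGenerated=1472042299838 TimeWritten=1472048832838 "
    "Message=A user account was deleted. Subject: Security ID: "
    "S-1-5-21-37618230-746332178-285459281-20341 Account Name: AdminGuy "
    "Account Domain: Some Logon ID: 0x2q45w29b1 Target Account: Security ID: "
    "S-1-5-21-37438650-746321018-288529281-12311 Account Name: JohnDoe "
    "Account Domain: Some Additional Information: Privileges -"
)

# A second constructed 4726 line, so the input contains four "Account Name:" fields.
EVENT_B = (
    "<13>May 23 15:12:00 14.5.15.1 AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Microsoft-Windows-Security-Auditing Computer=john.doe User= Domain= "
    "EventID=4726 EventIDCode=4726 EventType=8 EventCategory=13824 "
    "RecordNumber=4156926122 TimeGenerated=1472042360000 TimeWritten=1472048900000 "
    "Message=A user account was deleted. Subject: Security ID: "
    "S-1-5-21-1-2-3-500 Account Name: Operator Account Domain: Some Logon ID: 0x1 "
    "Target Account: Security ID: S-1-5-21-1-2-3-1105 Account Name: Bob "
    "Account Domain: Some Additional Information: Privileges -"
)

TWO_EVENTS = EVENT_A + "\n" + EVENT_B

# Positional pattern from the comments: skip the first "Account Name:" lazily,
# then capture the next one.  BOTH .*? must be lazy.
SECOND_ACCOUNT_NAME = re.compile(r"(?s)^.*?Account Name: \S+.*?Account Name: (\S+)")

# Same idea with a greedy .* in the middle, kept only to show how it misfires.
GREEDY_SECOND_ACCOUNT_NAME = re.compile(r"(?s)^.*?Account Name: \S+.*Account Name: (\S+)")

# Structural pattern: anchor on the "Target Account:" label instead of counting
# "Account Name:" occurrences, so it does not care what precedes it.
TARGET_ACCOUNT_NAME = re.compile(r"Target Account:.*?Account Name: (\S+)")


def second_account_name(text):
    """Second Account Name in text, using the lazy positional pattern."""
    m = SECOND_ACCOUNT_NAME.search(text)
    return m.group(1) if m else None


def greedy_second_account_name(text):
    """Same, but greedy: on multi-event input it jumps to the LAST Account Name."""
    m = GREEDY_SECOND_ACCOUNT_NAME.search(text)
    return m.group(1) if m else None


def target_account_name(line):
    """Account Name that follows the Target Account: label of one 4726 line."""
    m = TARGET_ACCOUNT_NAME.search(line)
    return m.group(1) if m else None


def deleted_accounts(text):
    """Deleted-account names for every 4726 line in a buffer of log lines."""
    names = []
    for line in text.splitlines():
        if "EventID=4726" not in line:
            continue
        name = target_account_name(line)
        if name:
            names.append(name)
    return names


if __name__ == "__main__":
    print(second_account_name(EVENT_A))            # JohnDoe
    print(second_account_name(TWO_EVENTS))         # JohnDoe (lazy stops at the first)
    print(greedy_second_account_name(TWO_EVENTS))  # Bob (greedy overshoots)
    print(deleted_accounts(TWO_EVENTS))            # ['JohnDoe', 'Bob']
```

The structural `Target Account:` anchor is the one to prefer in a SIEM extractor: `deleted_accounts` runs it per line and ignores anything that is not event 4726, whereas the positional pattern silently returns the wrong name as soon as the buffer it is applied to holds more than one event.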