Jump to content

conditional regex matching


Til22

Recommended Posts

I am trying to identify the username from a series of windows logs.  I have been using (?:User Name:|Account Name:)\s*([\S]+) and it works for examples 1-4, however I'm having problems with example 5.  Because it has two occurrences of the pattern Account Name: in the string I can only get the regex to return the first match, i.e. USER-PC$.  How can I tell regex, that if there are two Account Name: patterns in the string, or the string contains the pattern "New Logon:" then return the second Account Name: match, i.e. John.Doe?
 
eg 1 - The screen saver was invoked. Subject: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0xa4091 Session ID: 1
 
eg 2 - User initiated logoff: Subject: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0x3d95c This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
 
eg 3 - User Logoff: User Name: John.Doe Domain: INTERNAL Logon ID: (0x0,0x458E4AB4) Logon Type: 8
 
eg 4 - Successful Network Logon: User Name: John.Doe Domain: INTERNAL Logon ID: (0x0,0x43) Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: USER-PC Logon GUID: {2e483a4f-} Caller User Name: USER-PC $ Caller Domain: INTERNAL Caller Logon ID: (0x0,0x7) Caller Process ID: 4816 Transited Services: - Source Network Address: xx.xxx.xx.x Source Port: 35029
 
eg 5 - An account was successfully logged on. Subject: Security ID: S-X-X Account Name: USER-PC$ Account Domain: INTERNAL Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0xa4062 Logon GUID: {23-xx-22} Process Information: Process ID: 0x2fc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: USER-PC Source Network Address: xx.x.x.x Source Port: 0

 

 

Any help would be appreciated:)

Link to comment
Share on other sites

It'd be easier to just get all the matches in the entire string (ie, preg_match_all()) and only use the last one found

 

But altering the regex to make sure it only matches the kind of data you want would be best. What about making sure it doesn't match a name ending with a $?

Edited by requinix
Link to comment
Share on other sites

unfortunately excluding names ending in $ wouldn't work because sometimes the login/off events will include a machine$ logons, not only user logons.

That'd be example #5, right? Regardless, isn't it the user logons you want anyways?
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.