Jump to content

Til22

New Members
  • Posts

    2
  • Joined

  • Last visited

Til22's Achievements

Newbie

Newbie (1/5)

0

Reputation

  1. unfortunately excluding names ending in $ wouldn't work because sometimes the login/off events will include a machine$ logons, not only user logons.
  2. I am trying to identify the username from a series of windows logs. I have been using (?:User Name:|Account Name:)\s*([\S]+) and it works for examples 1-4, however I'm having problems with example 5. Because it has two occurrences of the pattern Account Name: in the string I can only get the regex to return the first match, i.e. USER-PC$. How can I tell regex, that if there are two Account Name: patterns in the string, or the string contains the pattern "New Logon:" then return the second Account Name: match, i.e. John.Doe? eg 1 - The screen saver was invoked. Subject: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0xa4091 Session ID: 1 eg 2 - User initiated logoff: Subject: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0x3d95c This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. eg 3 - User Logoff: User Name: John.Doe Domain: INTERNAL Logon ID: (0x0,0x458E4AB4) Logon Type: 8 eg 4 - Successful Network Logon: User Name: John.Doe Domain: INTERNAL Logon ID: (0x0,0x43) Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: USER-PC Logon GUID: {2e483a4f-} Caller User Name: USER-PC $ Caller Domain: INTERNAL Caller Logon ID: (0x0,0x7) Caller Process ID: 4816 Transited Services: - Source Network Address: xx.xxx.xx.x Source Port: 35029 eg 5 - An account was successfully logged on. Subject: Security ID: S-X-X Account Name: USER-PC$ Account Domain: INTERNAL Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0xa4062 Logon GUID: {23-xx-22} Process Information: Process ID: 0x2fc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: USER-PC Source Network Address: xx.x.x.x Source Port: 0 Any help would be appreciated:)
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.