conditional regex matching


Til22


I am trying to identify the username from a series of Windows logs. I have been using `(?:User Name:|Account Name:)\s*([\S]+)` and it works for examples 1-4, however I'm having problems with example 5. Because it has two occurrences of the pattern `Account Name:` in the string, I can only get the regex to return the first match, i.e. USER-PC$. How can I tell regex that if there are two `Account Name:` patterns in the string, or the string contains the pattern "New Logon:", then return the second `Account Name:` match, i.e. John.Doe?
 
eg 1 - The screen saver was invoked. Subject: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0xa4091 Session ID: 1
 
eg 2 - User initiated logoff: Subject: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0x3d95c This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
 
eg 3 - User Logoff: User Name: John.Doe Domain: INTERNAL Logon ID: (0x0,0x458E4AB4) Logon Type: 8
 
eg 4 - Successful Network Logon: User Name: John.Doe Domain: INTERNAL Logon ID: (0x0,0x43) Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: USER-PC Logon GUID: {2e483a4f-} Caller User Name: USER-PC $ Caller Domain: INTERNAL Caller Logon ID: (0x0,0x7) Caller Process ID: 4816 Transited Services: - Source Network Address: xx.xxx.xx.x Source Port: 35029
 
eg 5 - An account was successfully logged on. Subject: Security ID: S-X-X Account Name: USER-PC$ Account Domain: INTERNAL Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0xa4062 Logon GUID: {23-xx-22} Process Information: Process ID: 0x2fc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: USER-PC Source Network Address: xx.x.x.x Source Port: 0
Any help would be appreciated:)

https://forums.phpfreaks.com/topic/288664-conditional-regex-matching/

It'd be easier to just get all the matches in the entire string (i.e., preg_match_all()) and only use the last one found.

But altering the regex to make sure it only matches the kind of data you want would be best. What about making sure it doesn't match a name ending with a $?
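The two approaches from this reply side by side, as an added example that is not code from the thread (the function names extractUser and lastAccountName are my own, and the sample messages are abridged from the five examples in the question). The "last match" approach fails on example 4, because `Caller User Name:` also matches the pattern; preferring the `Account Name:` that follows `New Logon:` handles all five without excluding machine accounts ending in `$`.

```php
<?php
// Returns the account that actually logged on/off. If the message has a
// "New Logon:" section (example 5), the Account Name after it is the user;
// otherwise the first User Name / Account Name is the Subject (examples 1-4).
function extractUser(string $msg): ?string
{
    if (preg_match('/New Logon:.*?Account Name:\s*(\S+)/s', $msg, $m)) {
        return $m[1];
    }
    if (preg_match('/(?:User Name:|Account Name:)\s*(\S+)/', $msg, $m)) {
        return $m[1];
    }
    return null;
}

// The preg_match_all() variant: collect every match, keep the last one.
function lastAccountName(string $msg): ?string
{
    $n = preg_match_all('/(?:User Name:|Account Name:)\s*(\S+)/', $msg, $all);
    return $n ? $all[1][$n - 1] : null;
}

// Constructed samples, abridged from the question's examples 1-5.
$samples = [
    'The screen saver was invoked. Subject: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL',
    'User initiated logoff: Subject: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Logon ID: 0x3d95c',
    'User Logoff: User Name: John.Doe Domain: INTERNAL Logon ID: (0x0,0x458E4AB4) Logon Type: 8',
    'Successful Network Logon: User Name: John.Doe Domain: INTERNAL Workstation Name: USER-PC Caller User Name: USER-PC $ Caller Domain: INTERNAL',
    'An account was successfully logged on. Subject: Security ID: S-X-X Account Name: USER-PC$ Account Domain: INTERNAL Logon Type: 2 New Logon: Security ID: S-X-X Account Name: John.Doe Account Domain: INTERNAL Process Name: C:\Windows\System32\winlogon.exe',
];

foreach ($samples as $i => $msg) {
    // eg 4: extractUser gives John.Doe, lastAccountName gives USER-PC
    printf("eg %d: extractUser=%s lastAccountName=%s\n",
        $i + 1, extractUser($msg), lastAccountName($msg));
}
```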

Unfortunately, excluding names ending in $ wouldn't work, because sometimes the login/off events will include machine$ logons, not only user logons.

That'd be example #5, right? Regardless, isn't it the user logons you want anyways?
