Experts,
I have an Event Log output using the search string
sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"
The output would be, after truncating it,
10/22/2014 11:49:09 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=HostName
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=3344821
Keywords=Audit Success
etc. for each event code ID.
I would like lines 1, 4 and 7 from the output, for example.
I used regex and was able to get one line, but I do not know how to match only the 4th and 7th lines. See my expression below:
(?<EveID>EventCode\S+)
That would match Event Code=4742, but how do you expand the expression to include line 4 and line 7?
Thank you.
Something like this might do the job:
sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739" | rex "(?m)(?<EveID>EventCode=\S*)[\s\S]*ComputerName=(?<ComputerName>\S+)\s+TaskCategory=(?<TaskCategory>[\s\S]+?)\n" | table _time EveID ComputerName TaskCategory
Thanks richgalloway. How do we also add
TaskCategory=Computer Account Management
to this? Since it contains whitespace, I'm unable to figure out how to include "Computer Account Management".
I've updated my answer to include TaskCategory.
You can probably work out how to add it to @MuS's solution.
Or, to answer the question of how to get the nth line, try this:
sourcetype="WinEventLog:Security" "eventcode=4767" OR "eventcode=4777" OR "eventcode=4741" OR "eventcode=4742" OR "eventcode=4742" OR "eventcode=4743" OR "eventcode=4744" OR "eventcode=4745" OR "eventcode=4746" OR "eventcode=4739"
| rex field=_raw "([^\n]*\n){3}([^\n]\w+\=(?<EveID>.*))"
| rex field=_raw "([^\n]*\n){6}([^\n]\w+\=(?<ComputerName>.*))"
| table EveID,ComputerName
cheers, MuS
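To check both extraction approaches offline, here is an added Python port (not code from the thread or from Splunk) of richgalloway's rex and of MuS's nth-line approach, run over a constructed event in the layout shown in the question. It assumes Python's `re` module, which spells named groups `(?P<name>...)` rather than the `(?<name>...)` that Splunk's rex accepts.

```python
import re

# Constructed sample event in the WinEventLog:Security text layout from the question
SAMPLE_EVENT = """10/22/2014 11:49:09 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4742
EventType=0
Type=Information
ComputerName=HostName
TaskCategory=Computer Account Management
OpCode=Info
RecordNumber=3344821
Keywords=Audit Success
"""

# Python port of the rex in richgalloway's answer (named groups rewritten as (?P<name>...)).
# The lazy [\s\S]+? followed by \n is what lets TaskCategory keep its internal spaces.
REX_PORT = re.compile(
    r"(?m)(?P<EveID>EventCode=\S*)[\s\S]*ComputerName=(?P<ComputerName>\S+)\s+"
    r"TaskCategory=(?P<TaskCategory>[\s\S]+?)\n"
)


def extract_with_rex(event: str) -> dict:
    """Apply the ported rex; return the three named groups, or {} if it does not match."""
    m = REX_PORT.search(event)
    return m.groupdict() if m else {}


def parse_event(event: str) -> dict:
    """Parse the whole key=value body into a dict instead of hand-picking lines.
    Line 1 is the timestamp (no '='), stored under '_time'; every other line is split
    on its first '=', so values with whitespace survive intact."""
    lines = event.splitlines()
    fields = {"_time": lines[0].strip()} if lines else {}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def nth_line(event: str, n: int) -> str:
    """Positional approach from MuS's answer: the 1-based nth line, '' if out of range.
    Brittle if the vendor reorders lines, which is why parse_event is safer."""
    lines = event.splitlines()
    return lines[n - 1] if 1 <= n <= len(lines) else ""
```

The positional approach silently returns the wrong field if a line is added or reordered in the event body, so the key=value parse is the one to rely on for anything beyond a quick look.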
Thanks MuS. I'll use your output too on a different problem.
What is the expected result of line 4 and line 7? Should line 4 be ComputerName and line 7 RecordNumber? I'm asking because EventCode is not line 1....
Sorry about that. Expected result should be:
Time EveID ComputerName
_time Event Code=4742 MyHost.com
_time Event Code=4772 MyHost2.com
etc..