Need assistance with Regex to parse the user from the event below. I'm looking to get the value of a string between =/com
and src_host
.
user=JOHN TEST SMITH. would this be possible?
Apr 11 11:03:55 servername <159>Apr 11 11:03:09 10.19.10.83 vendor=Websense product=Security product_version=8.0.1 action=permitted severity=1 category=9 user=LDAP://ldap.test.com OU=TEST,OU=HOME,DC=test,DC=test,DC=com/JOHN TEST SMITH src_host=10.10.40.24 src_port=0 dst_host=ocsp.msocsp.com dst_ip=10.100.100.184 dst_port=80 bytes_out=347 bytes_in=2555 http_response=0 http_method=GET http_content_type=- http_user_agent=Microsoft-CryptoAPI/6.1 http_proxy_status_code=0 reason=- disposition=1026 policy=TEST11**Default role=8 duration=0 url=http://TEST.TEST.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0Z...
Try this:
your search
| rex "(?msi)/(?<myuser>[\w\s]+)\s+src_host"
same idea, but for people with hyphens or other special characters in the name you could try:
[^=]+
in place of [\w\s]+