i have an event that looks like this
03/01/2012 03:05:43 PM
LogName=Security
SourceName=Security
EventCode=562
EventType=8
Type=Success Audit
ComputerName=GLSSQLINT
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=3
CategoryString=Object Access
RecordNumber=250015
Message=Handle Closed:
Object Server: Security
Handle ID: 940
Process ID: 1288
Image File Name: C:\Program Files\ISS\Proventia Server\phService.exe
I want these messages to be dropped if both type=success audit AND CategoryString=Object Access, however when i create the regex to do this which i think is supposed to be
(?m)(?=.*Type=Success Audit)(?=.*CategoryString=Object Access)
it doesn't seem to work. What am I doing wrong?
ultimately this worked.
(?ms)(?=Success\sAudit)(?=.*CategoryString=Object\sAccess)
Good catch. You definitely needed the (?ms) not just the (?m)
I think that the following would do it. Not sure why you are using lookahead - it isn't needed here.
(?m)Type=Success Audit.*CategoryString=Object Access
I tried this and it did not work.