Hi
How to extract the IPs from the below Windows event, both Client IP-1 and Client IP-2?
02/22/2017 09:05:24 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=411
EventType=0
Type=Information
ComputerName=ADSFS.ab.com
User=add
Sid=1244
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=4033770
Keywords=Audit Failure, Classic
Message=Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Client IP:
133.44.55.20.81,122.333.44.55.
Error message:
kiran@ab.com
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: kiran@ab.com
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
Like this (for IPV4):
... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+\.\d+\.\d+\.\d+)"
I do note that you have an IPV5 IP in your example???
If IPV5 is in play, then you probably want
... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+\.\d+\.\d+\.\d+(\.\d+)?)"
or
... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+(\.\d+){3,4})"
Yes, I could have accommodated it but I figured it was a mistake/typo.
Is this what you're looking for?
| rex field=_raw "(IP\:\s+|\d+\,)(?P<ClientIP>.*)."
| makemv delim="," ClientIP
This should extract the IPs and separate them into their own values.
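As an added example (not from either answer above, and not Splunk's own code), here is the same extraction done outside Splunk in Python: it takes the text after "Client IP:" up to the next "Label:" line, splits it on commas or whitespace the way the makemv step does, and then validates each token with the standard ipaddress module, so that malformed values like the five-octet "133.44.55.20.81" and the out-of-range "122.333.44.55" from the question are reported as invalid rather than silently dropped or half-matched. The sample event text is constructed from the question; the second sample with valid addresses, and the function names, are my own.

```python
import re
import ipaddress

# Constructed sample: the message portion of the AD FS event 411 from the question.
SAMPLE_EVENT = """Message=Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Client IP:
133.44.55.20.81,122.333.44.55.
Error message:
kiran@ab.com
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: kiran@ab.com
"""

# Constructed sample with two well-formed addresses (documentation ranges).
SAMPLE_EVENT_OK = "Client IP:\n10.1.2.3, 203.0.113.9\nError message:\nuser@example.com\n"

# Capture everything after "Client IP:" up to the next "Some Label:" line or end of text.
# The character class allows digits, dots, colons and hex so IPv6 tokens also pass through;
# the lookahead stops at a line that looks like a field label, e.g. "Error message:".
CLIENT_IP_BLOCK = re.compile(
    r"Client\s+IP:(?P<block>[\d\.\s,:a-fA-F]*?)(?=\n\s*[A-Za-z][A-Za-z ]*:|\Z)"
)


def extract_client_ips(event_text):
    """Return the raw Client IP tokens (split on commas/whitespace, trailing dots removed)."""
    m = CLIENT_IP_BLOCK.search(event_text)
    if not m:
        return []
    block = m.group("block").strip()
    if not block:
        return []
    # Equivalent of "makemv delim=,": one value per comma- or whitespace-separated token.
    tokens = re.split(r"[,\s]+", block)
    # The question's value ends with a stray "." so strip trailing dots per token.
    return [t.rstrip(".") for t in tokens if t.rstrip(".")]


def validated_client_ips(event_text):
    """Split the extracted tokens into syntactically valid and invalid addresses."""
    result = {"valid": [], "invalid": []}
    for token in extract_client_ips(event_text):
        try:
            ipaddress.ip_address(token)  # rejects 5 octets, octets > 255, junk
            result["valid"].append(token)
        except ValueError:
            result["invalid"].append(token)
    return result


if __name__ == "__main__":
    for name, text in (("question sample", SAMPLE_EVENT), ("clean sample", SAMPLE_EVENT_OK)):
        print(name, validated_client_ips(text))
```

Flagging the invalid tokens is deliberate: in an audit-failure event a client address that does not parse is itself worth noticing in a detection pipeline, whereas a regex that only matches "\d+\.\d+\.\d+\.\d+" would quietly pick out "133.44.55.20" and lose the rest.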