I am trying to create and add a regex stanza to Windows TA to parse out a username.
This is for event code 516 from a windows security event log.
The Windows TA does not parse out a username quite right.
The raw event writes the information on two separate lines.
...
User:
employeename@company.com
....
I started my stanza (with the help of regex101.com) but I am not having success writing a regex that matches [User: ] and then drops to the next line and copies the employee name out of the email address.
Here is my starting effort...
# Event Code 516
[User:_as_user]
SOURCE_KEY = User:
REGEX = ???
FORMAT = ???
Please advise how it might be written. Please let me know if you need more information.
Thank you
Hello packet_hunter
On regex101 this one works fine for me:
User:\n(?<User>.+)@
I just used your example
...
User:
employeename@company.com
....
and I get "employeename" as result. Have you tried this one?
Yes, this one gives just the name, which is what I need.
Strange part is that when I use your regex on the entire _raw event, it does not work.
It works in the regex101 editor though...
Thanks
See if this works for you
props.conf on your search head
[YourSourceTypeName]
EXTRACT-username = User\:([\r\n]*)(?<UserName>\S+)
Regex101 link
https://regex101.com/r/9THuiH/1
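To see how the two regexes on this page behave against the whole event rather than a regex101 snippet, here is an added Python example (not code from the thread or from the Windows TA) that runs both over a constructed copy of the quoted event body, once with LF line endings and once with CRLF as Windows events often carry. The `\r\n` variant is an assumption about why the first regex might fail on the full `_raw`, not a fact stated by anyone in the thread; the `COMBINED` pattern is my own combination of the two answers, added to show how to keep only the part before the "@" while still tolerating either line ending.

```python
import re

# Constructed sample of the event body quoted in the question, once with
# plain LF line endings and once with CRLF (a common shape for Windows
# Security events when the whole message sits in _raw). This is an
# assumption about the real data, not something confirmed in the thread.
RAW_LF = "...\nUser:\nemployeename@company.com\n...."
RAW_CRLF = RAW_LF.replace("\n", "\r\n")

# The two regexes from the answers. Python's re spells PCRE's named group
# (?<name>...) as (?P<name>...); everything else is left as posted.
FIRST_ANSWER = re.compile(r"User:\n(?P<User>.+)@")
SECOND_ANSWER = re.compile(r"User\:([\r\n]*)(?P<UserName>\S+)")

# Assumed combination (not from the page): tolerate \r\n like the second
# answer but stop at the "@" like the first, so only the local part is kept.
COMBINED = re.compile(r"User:[\r\n]*(?P<UserName>[^@\s]+)@")


def extract(pattern, raw):
    """Return the named groups of the first match, or None if no match."""
    m = pattern.search(raw)
    return m.groupdict() if m else None


def compare(raw):
    """Run all three patterns over one raw event and collect the results."""
    return {
        "first_answer": extract(FIRST_ANSWER, raw),
        "second_answer": extract(SECOND_ANSWER, raw),
        "combined": extract(COMBINED, raw),
    }


if __name__ == "__main__":
    for label, raw in (("LF", RAW_LF), ("CRLF", RAW_CRLF)):
        print(label, compare(raw))
```

On the LF sample the first answer's regex yields `employeename` and the second yields the full `employeename@company.com`; on the CRLF sample the first regex does not match at all because a `\r` sits between `User:` and the `\n`, while `[\r\n]*` absorbs both characters. If you want the bare name in Splunk, the same `[^@\s]+` group can be dropped into the `EXTRACT-username` stanza from the answer above in place of `\S+`.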
Thank you, I will give it a try.