In the following log I want to extract the second instance of the "Security ID" field. I have tried a few different regex statements that I thought would work but have failed.
...
Message=A user account was locked out.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: ComputerAccount$
Account Domain: MyDomain
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: MyDomain\MyUser
Account Name: MyUser
Additional Information:
Caller Computer Name: SOMECOMPUTERNAME
...
I want to extact the Security ID that follows "Account That Was Locked Out:". Here is the regex I tried.
(?im)Account That Was Locked Out:\r\n\tSecurity ID:\t\t(?P-FIELDNAME-\w+\\\\w+)
Does anyone know how I might be able to achieve this?
... View more