Hello
In my case my Windows Server is in French, and when I use this regex the results are empty. I use the following to solve my problem:
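```Windows Security event 4656 (handle to an object requested) on a French-localized server.
The localized labels ("Nom du compte", "Nom de l’objet", "Nom du processus", "Système de fichiers")
are matched literally, so this search only works against a French OS; an English server needs the
English labels. The rex named groups are written as (?<name>...) — the forum rendering had dropped
the angle brackets, and the names are the ones the later field= commands rely on.```
host="" EventCode="4656" TaskCategory="Système de fichiers" "Nom du compte "!="$" source="WinEventLog:Security"
```NOTE(review): !="$" only excludes an account name that is exactly "$". If the intent is to drop
machine accounts (which end in "$"), the filter would need a wildcard, e.g. !="*$" — confirm with the author.```
| rex field=Message "Nom du compte(?<user>.*)"
| rex field=Message "Nom de l’objet(?<objet>.*)"
| rex field=Message "Nom du processus(?<process>.*)"
```the three captures presumably still carry the ":" that follows each label; strip it```
| rex mode=sed field=user "s/://g"
| rex mode=sed field=objet "s/://g"
| rex mode=sed field=process "s/://g"
```collapse repeated accesses by the same user to the same object within the same minute```
| eval mytime=strftime(_time, "%H:%M")
| dedup mytime user objet
```fix: the original format "%d/%m/%y%H:%M" had no separator, producing e.g. 05/03/2413:45```
| eval DATE=strftime(_time, "%d/%m/%y %H:%M")
```map the audit outcome keyword to a verdict; any other Keywords value leaves ACCES empty```
| eval ACCES=case(Keywords="Échec de l’audit", "Accès refusé", Keywords="Succès de l’audit", "Accès autorisé")
| table DATE user host objet process ACCES
| rename host AS "SERVEUR" user AS "UTILISATEUR" objet AS "RESSOURCE" process AS "PROCESSUS"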
Thanks for the help.