
Filtering only second Account Name in windows event log using a regex


Does anyone know the regex syntax to filter only the second Account Name from a Windows Event Log? I don't want the first Account Name, which I already get; the second Account Name mentioned is the account that was deleted, and that's what I'm interested in finding out.

I'm able to pull both, but I would really like to have only the second account.

Example:

    <13>May 23 15:11:00 14.5.15.1 AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=john.doe User= Domain= EventID=4726 EventIDCode=4726 EventType=8 EventCategory=13824 RecordNumber=4156926121 TimeGenerated=1472042299838 TimeWritten=1472048832838 Message=A user account was deleted. Subject: Security ID: S-1-5-21-37618230-746332178-285459281-20341 Account Name: AdminGuy Account Domain: Some Logon ID: 0x2q45w29b1 Target Account: Security ID: S-1-5-21-37438650-746321018-288529281-12311 Account Name: JohnDoe Account Domain: Some Additional Information: Privileges -

    \sAccount\sName\:\s(.*?)\s

This is just one example that would pull both Account Names. But does anyone know how to extract only the second Account Name?

In the above example the second Account Name would be:

    Account Name: JohnDoe

Solution

  • This is the pattern:

    (?ms)Account\s+Name.*?(Account\s+Name:\s+)(\w+)
    

    But you need to collect the capturing parentheses. In this regex the account name is in group no. 2. The language/library you use gives you a way to access the text captured by the capturing parentheses.
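Applying that pattern in Python, as an added example that is not part of the original answer: it runs the answer's regex over the question's sample line and reads group 2, and also shows an alternative that anchors on the `Target Account:` label instead of on position, so the deleted account is still found if the Subject block ever lacks an Account Name.

```python
import re

# Sample line taken from the question (values are the question's, not from any real system).
SAMPLE = ("<13>May 23 15:11:00 14.5.15.1 AgentDevice=WindowsLog AgentLogFile=Security "
          "Source=Microsoft-Windows-Security-Auditing Computer=john.doe User= Domain= EventID=4726 "
          "EventIDCode=4726 EventType=8 EventCategory=13824 RecordNumber=4156926121 "
          "TimeGenerated=1472042299838 TimeWritten=1472048832838 Message=A user account was deleted. "
          "Subject: Security ID: S-1-5-21-37618230-746332178-285459281-20341 Account Name: AdminGuy "
          "Account Domain: Some Logon ID: 0x2q45w29b1 Target Account: Security ID: "
          "S-1-5-21-37438650-746321018-288529281-12311 Account Name: JohnDoe Account Domain: Some "
          "Additional Information: Privileges -")

# The answer's pattern: consume the first "Account Name", then capture the second one in group 2.
SECOND_NAME = re.compile(r"(?ms)Account\s+Name.*?(Account\s+Name:\s+)(\w+)")

# Label-anchored alternative: the deleted account is whatever follows "Target Account:",
# and the actor is whatever follows "Subject:", regardless of how many names precede them.
SUBJECT_NAME = re.compile(r"Subject:.*?Account Name:\s*(\S+)", re.S)
TARGET_NAME = re.compile(r"Target Account:.*?Account Name:\s*(\S+)", re.S)
EVENT_ID = re.compile(r"\bEventID=(\d+)")  # \b keeps EventIDCode= from matching


def deleted_account(line):
    """Second Account Name (the deleted account) via the answer's regex, or None if absent."""
    m = SECOND_NAME.search(line)
    return m.group(2) if m else None


def parse_4726(line):
    """Return {'event_id', 'subject', 'target'} for a 4726 line, or None for any other event."""
    eid = EVENT_ID.search(line)
    if not eid or eid.group(1) != "4726":
        return None
    subj = SUBJECT_NAME.search(line)
    tgt = TARGET_NAME.search(line)
    return {
        "event_id": 4726,
        "subject": subj.group(1) if subj else None,   # who performed the deletion
        "target": tgt.group(1) if tgt else None,      # the account that was deleted
    }


if __name__ == "__main__":
    print(deleted_account(SAMPLE))  # JohnDoe
    print(parse_4726(SAMPLE))
```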