Ok, I need to solve a common problem.
Acquire the logon info from a Windows machine.
Then an active check, and key =
eventlog[Security,@EventLogUserLogon,,,^(4624|4625|4648|4634|4647)$,,skip]
and the regular expression is:
Tipo di accesso:(\s|\t)*(2|7|9|10)\n
("Tipo di accesso" = "Logon type" in English)
with expression type=Result is TRUE.
When I test the expression with a copy and paste from the event viewer the result is TRUE. PERFECT!
"Accesso di un account riuscito.
Soggetto:
ID sicurezza: NULL SID
Nome account: -
Dominio account: -
ID accesso: 0x0
Tipo di accesso: 2
Nuovo accesso:
ID sicurezza: domain\username
...."
but in reality, the item is not populated with data of logon/logoff. What am I doing wrong?
(clearly, if I set the expression to Result is FALSE it is populated ... so it's a regular expression problem)
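An added example, not from the post or from any monitoring product, showing one way a pattern that returns TRUE on text pasted from Event Viewer can fail on the message as the agent delivers it: the pasted copy has LF line endings and collapsed whitespace, while the raw message text usually carries CRLF line endings and tabs between label and value. The pattern as it appears in the post seems to have lost an opening parenthesis in transcription; the code assumes it read `Tipo di accesso:(\s|\t)*(2|7|9|10)\n`, and the event ID list is read as 4624, 4625, 4648, 4634, 4647. Both sample messages are constructed, and the CRLF/tab layout of the raw message is an assumption to verify against a real event on the monitored host.

```python
import re
from typing import Optional

# Constructed sample of an Italian 4624 message as the Windows event log renders it:
# CRLF line endings and tab characters between label and value.
# (Assumption: the agent-delivered text uses these separators; verify on a real event.)
RAW_MESSAGE = (
    "Accesso di un account riuscito.\r\n"
    "\r\n"
    "Soggetto:\r\n"
    "\tID sicurezza:\t\tNULL SID\r\n"
    "\tNome account:\t\t-\r\n"
    "\tDominio account:\t\t-\r\n"
    "\tID accesso:\t\t0x0\r\n"
    "\r\n"
    "Tipo di accesso:\t\t2\r\n"
    "\r\n"
    "Nuovo accesso:\r\n"
    "\tID sicurezza:\t\tdomain\\username\r\n"
)

# The same text after a copy/paste through Event Viewer and a browser form:
# LF line endings, tabs turned into spaces.
PASTED_MESSAGE = RAW_MESSAGE.replace("\r\n", "\n").replace("\t", " ")

# Pattern as the post is read here (assumption: the missing "(" is a transcription loss).
# It requires a bare "\n" right after the digit, so a "\r" before it breaks the match.
STRICT = re.compile(r"Tipo di accesso:(\s|\t)*(2|7|9|10)\n")

# Tolerant form: optional trailing blanks, optional CR, then LF or end of text.
# Anchoring on the line end keeps "2" from matching inside a value such as "20".
TOLERANT = re.compile(r"Tipo di accesso:[ \t]*(2|7|9|10)[ \t]*\r?(?:\n|$)")

# Logon types that involve an interactive session: console, unlock, runas, RDP.
INTERACTIVE_TYPES = {2, 7, 9, 10}

# Event IDs from the item key in the post.
EVENT_IDS = {4624, 4625, 4634, 4647, 4648}


def matches_strict(message: str) -> bool:
    return STRICT.search(message) is not None


def matches_tolerant(message: str) -> bool:
    return TOLERANT.search(message) is not None


def logon_type(message: str) -> Optional[int]:
    """Return the logon type from the message, or None if it is not one of the interactive types."""
    m = TOLERANT.search(message)
    return int(m.group(1)) if m else None


def compare(message: str) -> dict:
    """Evaluate both patterns on one message so the difference is visible side by side."""
    return {"strict": matches_strict(message), "tolerant": matches_tolerant(message)}


def should_record(event_id: int, message: str) -> bool:
    """Mirror the item's filter: event ID in the key's list and an interactive logon type."""
    return event_id in EVENT_IDS and logon_type(message) in INTERACTIVE_TYPES


if __name__ == "__main__":
    for name, text in (("raw CRLF", RAW_MESSAGE), ("pasted LF", PASTED_MESSAGE)):
        print(name, compare(text), "logon type:", logon_type(text))
```

Running the block prints a match for both patterns on the pasted copy but only for the tolerant pattern on the raw CRLF text. If the real message on the host does carry CRLF, the tolerant pattern can be used in the expression as-is with type Result is TRUE; if it does not, the next thing to compare is the exact bytes between "Tipo di accesso:" and the digit on the host against what the pasted copy contains.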