I am collecting window security logs to audit file accesses.
This works..
I am collecting from security Log, eventid 4663 and post processing to extract the values of interest (User, filename, access)
However I am getting lot of 'noise' of directory attribute reads etc so I want to filter the log extraction to only collect log entries that include a filename.
As I understand it - I SHOULD be able to add a regex parameter to the eventlog item that should only collect log entries that match the regex.
I cannot get this to work...
I want to match a filename - therefore I want to match a '.' followed by at least one non-space character (there is a single '.' ending a sentence elsewhere in the file but this is at the end of a line)
Yes I know I will miss files without an extension but this is acceptable.
I have tried many regex which either match everything (so no filtering) or match nothing (so no logs collected).
eventlog[Security,"\..{3}",,,4663,,] - Matches everything even without a full filename
I have even created a global regex and tested it against the log text and confirmed it works but still no luck - matches nothing
I have tried \R \n for the line terminator, . \S for the character matches, +, {3} for the quantifier....
In theory I should be able to match against \.. as . doesn't match a newline but that doesn't work...
Any suggestions - should the regex be in "" or not - it accepts it either way...
thanks
David
Example of desired log entry - undesired ones only have directory path with no file name - this shows as multiple lines in the history window...
This works..
I am collecting from security Log, eventid 4663 and post processing to extract the values of interest (User, filename, access)
However I am getting lot of 'noise' of directory attribute reads etc so I want to filter the log extraction to only collect log entries that include a filename.
As I understand it - I SHOULD be able to add a regex parameter to the eventlog item that should only collect log entries that match the regex.
I cannot get this to work...
I want to match a filename - therefore I want to match a '.' followed by at least one non-space character (there is a single '.' ending a sentence elsewhere in the file but this is at the end of a line)
Yes I know I will miss files without an extension but this is acceptable.
I have tried many regex which either match everything (so no filtering) or match nothing (so no logs collected).
eventlog[Security,"\..{3}",,,4663,,] - Matches everything even without a full filename
I have even created a global regex and tested it against the log text and confirmed it works but still no luck - matches nothing
eventlog[Security,@filename,,,4663,,]
|
In theory I should be able to match against \.. as . doesn't match a newline but that doesn't work...
Any suggestions - should the regex be in "" or not - it accepts it either way...
thanks
David
Example of desired log entry - undesired ones only have directory path with no file name - this shows as multiple lines in the history window...
Code:
An attempt was made to access an object. Subject: Security ID: S-1-5-21-xxxxxxxxxxxxxx Account Name: xxx Account Domain: xxxx Logon ID: xxxx Object: Object Server: Security Object Type: File Object Name: E:\ServerFolders\Company\Documents\directory\GENERAL INFO\plot.log Handle ID: 0x2ac Resource Attributes: S:AI Process Information: Process ID: 0x5408 Process Name: C:\Windows\System32\notepad.exe Access Request Information: Accesses: ReadData (or ListDirectory) Access Mask: 0x1
Comment