Regex help with preprocessing?
  • servant-frost
    Junior Member
    • Apr 2021
    • 19

    #1

    I have Windows event logs that I am parsing. Here is an example:

    Code:
    An account was successfully logged on.
    Subject:
        Security ID: NULL SID
        Account Name: -
        Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Impersonation Level: Impersonation
    New Logon:
       Security ID: NT AUTHORITY\SYSTEM
       Account Name: SERVER1$
       Account Domain: COMPANY
       Logon ID: 0x197E15406
       Logon GUID: {D9DF285C-B46D-0987-8FEB-96A1AB955525}
    Process Information:
       Process ID: 0x0
       Process Name: -
    Network Information:
       Workstation Name: -
       Source Network Address: 127.0.0.1
       Source Port: 5747
    Detailed Authentication Information:
       Logon Process: Kerberos
       Authentication Package: Kerberos
       Transited Services: - 
       Package Name (NTLM only): -
       Key Length: 0
    I have lots of preprocessing to help me filter out the events that I don't want but this last one is giving me issues.

    Here is my regex:
    Code:
    Account Name:(.*\$)$
    At regex101, this works and locates the second Account Name; if it ends in a dollar sign ($), it will match. However, using this exact same event log and regex in preprocessing, I get "string doesn't match".

    I must be doing something wrong. Can anyone make a suggestion?
    Thank you.
  • cyber
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2006
    • 4807

    #2
    It works, if you remove $ from the end... tested on 4.4 and 6.0

    [Screenshot attached: server.png]

    • servant-frost
      Junior Member
      • Apr 2021
      • 19

      #3
      Unfortunately, it doesn't. In the example 4624 I posted, the first occurrence of Account Name: is -. But sometimes it may have something else, like SERVERNAME$. The goal was to have the regex only pick up the second occurrence of Account Name, because that will always be what is needed. The trailing $ is supposed to say "match the second occurrence".

      I am guessing this doesn't work in preprocessing?


      • Markku
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
        • Sep 2018
        • 1781

        #4
        Have you tried with (?m) modifier? https://www.pcre.org/original/doc/ht...tax.html#SEC16, the multiline option

        (?m)Account Name: (.*\$)$

        Markku


        • servant-frost
          Junior Member
          • Apr 2021
          • 19

          #5
          I think I will have to work around this another way. It seems that even doing that, it will match whichever has a $ at the end. So if the first one does and the second one doesn't, it will still match. I appreciate everyone's help on this.


          • cyber
            Senior Member
            Zabbix Certified Specialist, Zabbix Certified Professional
            • Dec 2006
            • 4807

            #6
            Originally posted by servant-frost
            Unfortunately, it doesn't. In the example 4624 I posted, the first occurrence of Account Name: is -. But sometimes it may have something else, like SERVERNAME$. The goal was to have the regex only pick up the second occurrence of Account Name, because that will always be what is needed. The trailing $ is supposed to say "match the second occurrence".

            I am guessing this doesn't work in preprocessing?
            You never said you wanted to always have the second match. You said the regex found the second Account Name, the one with $ at the end. That's not exactly the same.
            And "the trailing $ is supposed to say match the second occurrence"? Where does that come from? $ is end of string, not "last match".


            Originally posted by servant-frost
            I think I will have to work around this another way. It seems that even doing that, it will match whichever has a $ at the end. So if the first one does and the second one doesn't, it will still match. I appreciate everyone's help on this.
            Regex preprocessing stops as soon as it finds a match; it will not return the second one (or third, or n-th...) like regex101 does...

            In regex101 "New Logon:\s+Security ID: (.*)\s+Account Name(.*\$)$" also works and returns just one match, the second "Account Name", but not in Zabbix...

            Maybe you can try with JS preprocessing...

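To make the two points of this thread concrete (a regex step returns only its first match, so "(?m)Account Name: (.*\$)$" from post #4 picks whichever Account Name happens to end in $ first, and a JavaScript step can instead read the "New Logon" block by name), here is an added example. It is my code, not the thread's or Zabbix's. The two event texts are constructed samples (the first mirrors the 4624 event in post #1, the second is the case from post #3 where the Subject is a computer account and the new logon is a user); the function and field names are my own. In a Zabbix JavaScript preprocessing step the item text arrives in `value`, so the step body would be `return newLogonAccount(value);`. The code is plain ES5 so it runs under Node and under Zabbix's Duktape engine alike.

```javascript
// Added example: section-aware parsing of a Windows 4624 event text
// versus a single first-match regex. Not code from the thread or from Zabbix.

// Constructed sample mirroring post #1, with CRLF line ends as Windows
// delivers them. The \r matters: PCRE treats only \n as a line end by
// default, so "(?m)...\$)$" will not match a line that ends in "$\r".
var SAMPLE_EVENT = [
  'An account was successfully logged on.',
  'Subject:',
  '    Security ID: NULL SID',
  '    Account Name: -',
  '    Account Domain: -',
  '    Logon ID: 0x0',
  'Logon Type: 3',
  'Impersonation Level: Impersonation',
  'New Logon:',
  '    Security ID: NT AUTHORITY\\SYSTEM',
  '    Account Name: SERVER1$',
  '    Account Domain: COMPANY',
  '    Logon ID: 0x197E15406',
  '    Logon GUID: {D9DF285C-B46D-0987-8FEB-96A1AB955525}',
  'Process Information:',
  '    Process ID: 0x0',
  '    Process Name: -',
  'Network Information:',
  '    Workstation Name: -',
  '    Source Network Address: 127.0.0.1',
  '    Source Port: 5747',
  'Detailed Authentication Information:',
  '    Logon Process: Kerberos',
  '    Authentication Package: Kerberos',
  '    Transited Services: -',
  '    Package Name (NTLM only): -',
  '    Key Length: 0'
].join('\r\n');

// Constructed sample for the case in post #3: the Subject is a computer
// account (ends in $) and the New Logon is a user, so the first
// $-terminated Account Name in the text is the wrong one.
var SAMPLE_USER_EVENT = [
  'An account was successfully logged on.',
  'Subject:',
  '\tSecurity ID: S-1-5-18',
  '\tAccount Name: WS9$',
  '\tAccount Domain: COMPANY',
  '\tLogon ID: 0x3E7',
  'Logon Type: 2',
  'New Logon:',
  '\tSecurity ID: S-1-5-21-1-2-3-1105',
  '\tAccount Name: alice',
  '\tAccount Domain: COMPANY',
  '\tLogon ID: 0x4A1C7'
].join('\n');

// What a single regex preprocessing step does with (?m)Account Name: (.*\$)$:
// it returns the first $-terminated Account Name, whichever block it is in.
function firstMatchAccount(text) {
  var m = /Account Name: (.*\$)$/m.exec(text.replace(/\r/g, ''));
  return m ? m[1] : null;
}

// Split the event text into its message line, top-level "Key: value"
// fields, and "Section:" blocks of indented "Key: value" pairs.
// Caveat: a key with an empty value would look like a section header;
// 4624 writes "-" for empty values, so this holds for that event.
function parseEvent(text) {
  var ev = { message: '', fields: {}, sections: {} };
  var section = null;
  var lines = text.replace(/\r/g, '').split('\n');
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i];
    var trimmed = line.trim();
    if (trimmed === '') { continue; }
    var header = /^([^:]+):$/.exec(trimmed);
    if (header) {                       // e.g. "New Logon:"
      section = header[1];
      ev.sections[section] = {};
      continue;
    }
    var kv = /^([^:]+):\s*(.*)$/.exec(trimmed);
    if (!kv) {                          // free text, e.g. the first line
      ev.message = ev.message ? ev.message + ' ' + trimmed : trimmed;
      continue;
    }
    // Indented pairs belong to the current section; unindented ones
    // (Logon Type, Impersonation Level) are top-level fields.
    var target = (section && /^\s/.test(line)) ? ev.sections[section] : ev.fields;
    target[kv[1].trim()] = kv[2];
  }
  return ev;
}

// The value the thread is after: the account in the "New Logon" block,
// regardless of what the Subject block holds. Throwing makes the Zabbix
// step fail (item unsupported) rather than silently passing a wrong account.
function newLogonAccount(text) {
  var nl = parseEvent(text).sections['New Logon'];
  if (!nl || !nl['Account Name']) {
    throw new Error('event has no "New Logon" Account Name');
  }
  return nl['Account Name'];
}

// The filter the original poster is building: is this a machine-account
// logon (SAM account name ending in $)?
function isMachineLogon(text) {
  return /\$$/.test(newLogonAccount(text));
}
```

On the first sample both approaches return SERVER1$, which is why the regex looks right in regex101. On the second, `firstMatchAccount` returns WS9$ (the Subject) while `newLogonAccount` returns alice; the regex step is only correct by coincidence of which block contains a $-terminated name. Parsing by section also gives you the other fields (Logon Type, Source Network Address) from the same step, which a single regex capture cannot.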