Extractor catch next occurence

A3TH3RIUS · June 29, 2018, 8:37am

I want to use regex to catch the account name on this log file

Jun 28 15:48:17 <ServerName> Microsoft-Windows-Security-Auditing [476] Failed to log in to an account. Topic: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account for which logon was unsuccessful: Security ID: S-1-0-0 Account Name: **<AccountName I want>** Account Domain: XXXXXXXX Failure Information: Reason for Failure: Unknown username or incorrect password. State: 0xC000006D Sub state: 0xC0000064

I tried this :

`(?: Account Name.:..)"?([a-zA-Z0-9.-.@._.-]{1,})...... Account Area .... ([a- zA-Z0-9 .-. @ ._.-] {1,}) ... Login ID "?`

but I can’t catch the second occurence, i get only : - from the first occurence…

If someone can help me…

jan · June 29, 2018, 9:42am

extractors catch only the FIRST group, that is one of their limitations.

That is written by the way at the UI.

First matcher group is used

You might want to switch to the processing pipelines to work around this limitation.

A3TH3RIUS · June 29, 2018, 12:32pm

Thanks for your answer.
I made an exctrator substring and I managed to catch the account name.

Thanks again for your help .

system · July 13, 2018, 12:32pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extractor: RegEx Return the first occurrence (including dots and dashes) after the second match Graylog Central (peer support)	12	844	April 28, 2023
Parsing Account Name field Graylog Central (peer support) grok-patternspl	2	529	July 19, 2022
How to use Regex Graylog Central (peer support) sidecar , nxlog , winlogbeat , nodatanx , multi-linenx	11	12145	February 16, 2018
AD failed log on stream Graylog Central (peer support)	5	2418	January 3, 2018
Extracting string from a mesage Graylog Central (peer support)	2	897	February 15, 2022

Extractor catch next occurence

Related topics