^Eliminating the “-” in the regex will return “some.user” and not “some.user-too” but, as I state below, I suspect this is only because it is purposely not returning the character following the first instance of “Account Name:”.
Account Name:.*(?<=Account Name?:)\s*(\w+)
^This will return “some” after the second “Account Name:” but I suspect this is because there is not a word character following the first “Account Name:”. Obviously it doesn’t return the full “some.user-foo.”
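As an added example (not code from the thread), this Python snippet parses a constructed Windows logon-event body of the kind discussed above: it shows why `\w+` stops at the first `.` in `some.user-too`, and how to capture the account name from the `New Logon` block rather than the `Subject` block. The names `SAMPLE_EVENT`, `ACCOUNT_NAME_RE`, `NAIVE_RE` and the functions are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the body of a Windows Security logon event:
# the "Subject" block names the account that requested the logon, the
# "New Logon" block names the user who actually logged on. Not a real log.
SAMPLE_EVENT = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tCTXHOST01$
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3E7

Logon Type:\t\t\t10

New Logon:
\tSecurity ID:\t\tS-1-5-21-111-222-333-1001
\tAccount Name:\t\tsome.user-too
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x1A2B3C
"""

# The pattern from the thread: \w+ stops at ".", "-" or "$", so it truncates.
NAIVE_RE = re.compile(r"Account Name:\s*(\w+)")

# Anchor on the block header, then lazily skip lines until that block's
# "Account Name:" line; take everything non-blank up to end of line.
ACCOUNT_NAME_RE = re.compile(
    r"^(?P<block>Subject|New Logon):[ \t]*\n"   # block header line
    r"(?:.*\n)*?"                                # intervening lines, lazily
    r"[ \t]*Account Name:[ \t]*(?P<name>\S+)[ \t]*$",
    re.MULTILINE,
)


def naive_names(message: str) -> List[str]:
    """What the thread's \\w+ capture yields: truncated names."""
    return NAIVE_RE.findall(message)


def extract_account_names(message: str) -> Dict[str, str]:
    """Map each block ('Subject', 'New Logon') to its full account name."""
    return {m.group("block"): m.group("name") for m in ACCOUNT_NAME_RE.finditer(message)}


def logged_on_user(message: str) -> Optional[str]:
    """The user who actually logged on lives in the 'New Logon' block."""
    return extract_account_names(message).get("New Logon")
```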
This isn’t answering your question, but is there a reason you aren’t using an agent that is sending these messages in parsed already so you don’t need to do this?
@Joel_Duffield
So a bit of background, these are logs produced by multi-session Citrix VMs housed in Azure. I use winlogbeats to ingest the info but surprisingly, Beats does not parse the quoted section above (though it parses damn near everything else).
I need a way to accurately track when users are logging into the Citrix machine (which is further exacerbated by the fact we used Azure AD SSO, so while I do have log-in logs, they are not accurate to actual Citrix use).
BTW: My regex may give you multiple inputs due to the multiple-stage authentication process. I am using the regex extractor to give me another field to sort on to assist with that:
Just an FYI, I'm not sure I told ya this before, but I found an awesome self-hosted wiki for documentation. I use it to save all my stuff; it's called BookStack if you're interested.
If you don't mind sharing that would be awesome! I am coming to realize that correlating logons and logoffs to VM users may be difficult, since Windows doesn't necessarily attach a user to sessions that end for any reason other than user action.