Extractor: RegEx Return the first occurrence (including dots and dashes) after the second match

An account was successfully logged on.

Subject:
	Security ID:		[redacted]
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		No

Impersonation Level:		Identification

New Logon:
	Security ID:		[redacted]
	Account Name:		some.user-too
	Account Domain:		foo.bar
	Logon ID:		[redacted]
	Linked Logon ID:		[redacted]
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		[redacted]

I want to return “some.user-too” which is the first string following the second occurrence of “Account Name:”.

What I’ve tried:

Account Name:.*(?<=Account Name?:)\s*([a-zA-Z0-9._-]+)

^This returns the first “-” after the first “Account Name:”.

Account Name:.*(?<=Account Name?:)\s*([a-zA-Z0-9._]+)

^Eliminating the “-” in the regex will return “some.user” and not “some.user-too” but, as I state below, I suspect this is only because it is purposely not returning the character following the first instance of “Account Name:”.

Account Name:.*(?<=Account Name?:)\s*(\w+)

^This will return “some” after the second “Account Name:” but I suspect this is because there is not a word character following the first “Account Name:”. Obviously it doesn’t return the full “some.user-too.”

So, any suggestions?

Thank you!

Hey @accidentaladmin

I was going to say give this a try, but you have "-", so it may not work.

^.*Account Name:(.+)$

This isn’t answering your question, but is there a reason you aren’t using an agent that is sending these messages in parsed already so you don’t need to do this?

@Joel_Duffield
So a bit of background, these are logs produced by multi-session Citrix VMs housed in Azure. I use winlogbeats to ingest the info but, surprisingly, Beats does not parse the quoted section above (though it parses damn near everything else).

I need a way to accurately track when users are logging into the Citrix machine (which is further exacerbated by the fact we used Azure AD SSO, so while I do have log-in logs, they are not accurate to actual Citrix use).

Hey @gsmith

I was going to say give this a try, but you have "-", so it may not work.

^.*Account Name:(.+)$

Your suggestion sent me on the correct path. It may be jenky, but this did the trick:
(?:.*?Account Name:){2,2}(.[^ ]+\R)

Once again, thank you to this great community!
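As an added example (not code from the thread or from Graylog), the working `{2}` pattern and a section-aware alternative are run in Python against the 4624 message quoted above. Python's `re` has no `\R` and rejects the variable-width lookbehind `(?<=Account Name?:)` used in the first attempts, so `\R` is written as `\r?\n` and those attempts are not reproduced; the `New Logon:`-anchored pattern and the section parser are my own assumptions, not something the thread proposed.

```python
import re

# Constructed sample of the 4624 message body quoted in the question
# (tabs as in the Windows event text; identifiers replaced by placeholders).
EVENT_4624 = (
    "An account was successfully logged on.\n\n"
    "Subject:\n"
    "\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n"
    "\tLogon ID:\t\t0x0\n\n"
    "Logon Information:\n"
    "\tLogon Type:\t\t3\n\n"
    "New Logon:\n"
    "\tAccount Name:\t\tsome.user-too\n"
    "\tAccount Domain:\t\tfoo.bar\n"
)

# The thread's working pattern. Python's re has no \R, so it is written as
# \r?\n; DOTALL lets the lazy .*? cross line breaks so that {2} consumes
# everything up to and including the second "Account Name:".
THREAD_PATTERN = re.compile(r"(?:.*?Account Name:){2}(.[^ ]+\r?\n)", re.DOTALL)

# Assumed alternative (not from the thread): anchor on the "New Logon:" header
# instead of counting occurrences, and capture one non-blank token.
NEW_LOGON_PATTERN = re.compile(r"New Logon:.*?Account Name:\s*(\S+)", re.DOTALL)


def thread_extract(message: str):
    """Value captured by the thread's {2} pattern, whitespace trimmed."""
    m = THREAD_PATTERN.search(message)
    return m.group(1).strip() if m else None


def new_logon_account(message: str):
    """New Logon account name, or None if that section is absent."""
    m = NEW_LOGON_PATTERN.search(message)
    return m.group(1) if m else None


def account_names_by_section(message: str):
    """Map each top-level section (Subject, New Logon) to its Account Name."""
    # For a Logon Type 3 event the Subject name is "-", which is why the
    # first "Account Name:" must be skipped: the real user is under New Logon.
    names, section = {}, None
    for line in message.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            section = line[:-1]            # e.g. "Subject", "New Logon"
        elif section:
            m = re.match(r"\s*Account Name:\s*(\S+)", line)
            if m:
                names[section] = m.group(1)
    return names
```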


@accidentaladmin

Dude, jenky is my middle name HAHAA

Just so you know I have the same log as you, been working on it for ya.


I think I got it working:

It’s a work in progress, but I’m extracting the info I need now to make something worth reporting haha

hey good job man,

BTW I like that regex. Hope you don’t mind, but I’m going to use it :smiley:

Absolutely, I would be honored! I’ve used plenty of your stuff, glad I can finally give back :slight_smile:


BTW: My regex may give you multiple input due to the multiple-stage authentication process. I am using the regex extractor to give me another field to sort on to assist with that:

(?:.*?Authentication Package:){1,1}(.[^ ]+\R)

:laughing: Just an FYI, I’m not sure I told ya this before, but I found an awesome self-hosted wiki for documentation. I use it to save all my stuff; it’s called BookStack if you’re interested.

I was going to fine-tune it a bit, but it’s a damn good start. Thanks man

If you don’t mind sharing, that would be awesome! I am coming to realize that correlating logons and logoffs to VM users may be difficult, since Windows doesn’t necessarily attach a user to sessions that end for any reason other than user action.