How to use Regex

Hey Guys,

how can I filter the Account Name: srvmeldedmz out of the full message in graylog.

please take a look at the picture.

image.png1027×771 26 KB

Thanks for your help.

You can try something like this:

Account Name:[\s]*([^\s]*)

Hey thank you very much but, the result is the first Account Name: SBG-MELDET$ and not the Account Name: srvmeldedmz

What type of message is that and is that information available in a structured manner?
How are you ingesting these messages into Graylog?

Indeed. If you import the log lines in Gelf, the SubjectUserName, TargetUserName field etc. are automatically extracted.

If that is not possible, there are many, many, many ways to achieve what you want.

For example: first extract the whole “Account For Which Logon Filed” section to the target field (or variable in a processing pipeline) with something like

Account For Which Logon Failed:(>?(.*))Failure Information

, and then use replace with regex extractor or match with the regex I gave earlier in a pipeline.

I strongly recommend to use a tool like nxlog to get your windows logs shipped in GELF to graylog. It makes life so much easier than writing regexes

Hey this is a Windows Event Log. I use NXLog to send it to my graylog Server.

Hey I do use NXLog to ship my windows logs to my graylog server.
This is my nxlog.conf

I also tried to send Log-Messages from “meldewesen.log” via GELF put this doesn´t work because
the Log File includes multiline Messages. There is definitly a way but I couldn´t find a solution yet.

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    #Module      xm_syslog
	Module		 xm_gelf			
</Extension>

<Input in1>
   Module      im_mseventlog
</Input>

#<Input in2>
#	Module		im_file
#	File		"C:\Meldewesen\log\meldewesen\meldewesen.log"
#	SavePos FALSE
#</Input>

<Output out>
    Module      om_tcp
    Host        172.20.42.15
    Port        12210
    #Exec       to_syslog_snare();
	OutputType	GELF_TCP
</Output>

<Route 1>
    Path       in1 => out
</Route>

Which version of Windows are you running?

Also make sure to read NXLog Community Edition Reference Manual | NXLog Docs and NXLog Community Edition Reference Manual | NXLog Docs

FWIW, personally I like Winlogbeat better than NXLOG for fetching Windows Event Logs.

• NXLog Community Edition Reference Manual | NXLog Docs
• Managing Multiline Messages | Filebeat Reference [5.6] | Elastic

I am running a Windwos Microsoft Windows Server 2008 R2 VM.

in_mseventlog is for Windows 2003/XP. For Windows 2008 change it to im_msvistalog

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.