Parsing Account Name field

noexistin · July 5, 2022, 9:56am

Hello everyone,

I want to parse Account Name field in Windows Security Logs. So i was try to parse with Grok patterns and also regular expression but i failed. If anyone can help me about it, i will be so appreciative.

Log Example:
test…local WIN-NXLOG 2022-06-02 12:01:38;“AUDIT_FAILURE”;“ERROR”;“Security”;“test…local”;4625;“Microsoft-Windows-Security-Auditing”;“-”;“-”;“-”;"An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: test$ Account Domain: test Logon ID: 0x3E7 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: parse_account Account Domain: test

Graylog version:
Graylog 4.2.4

tmacgbay · July 5, 2022, 3:38pm

It would help if you could post some examples of what you have tried. It’s also not clear if you are doing it in an extractor or in the pipeline. Looks like you are using NXLOG, I am not sure if that can be set to pre-extract fields (beats inputs do) I f you want to play with regex or GROK with your statement, there are some online debuggers out there - here is one for regex, here is another for GROK. You can plug in your example an play around until you get the results you want.

system · July 19, 2022, 3:38pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extracting message using GROK Patern Graylog Central (peer support)	2	564	August 31, 2022
How to use Regex Graylog Central (peer support) sidecar , nxlog , winlogbeat , nodatanx , multi-linenx	11	12145	February 16, 2018
Extractor catch next occurence Graylog Central (peer support)	3	477	July 13, 2018
GROK Extractor: how to match exact text and assign it to a field at the same time? Graylog Central (peer support) pipeline-rules , route-to-streampl	3	899	September 24, 2019
Sshd field username Graylog Central (peer support)	3	2269	June 26, 2017

Parsing Account Name field

Related topics