Parsing Account Name field

Hello everyone,

I want to parse the Account Name field in Windows Security Logs. I tried to parse it with Grok patterns and also with regular expressions, but I failed. If anyone can help me with it, I would be very appreciative.

Log Example:
test…local WIN-NXLOG 2022-06-02 12:01:38;"AUDIT_FAILURE";"ERROR";"Security";"test…local";4625;"Microsoft-Windows-Security-Auditing";"-";"-";"-";"An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: test$ Account Domain: test Logon ID: 0x3E7 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: parse_account Account Domain: test

Graylog version:
Graylog 4.2.4

It would help if you could post some examples of what you have tried. It's also not clear if you are doing it in an extractor or in the pipeline. Looks like you are using NXLOG; I am not sure if that can be set to pre-extract fields (beats inputs do). If you want to play with regex or GROK with your statement, there are some online debuggers out there: here is one for regex, here is another for GROK. You can plug in your example and play around until you get the results you want.
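One pitfall with the 4625 message above is that it carries two "Account Name:" pairs (the Subject, here the machine account test$, and the account for which the logon failed), so a bare `Account Name: (\S+)` only ever returns the first. The example below is added here and is not code from either poster or from Graylog; it uses a constructed copy of the posted line (domain written as test.local, since the post elides it) and anchors each capture to its section header, which is the same named-group pattern you would carry over to a pipeline regex rule.

```python
import re

# Constructed sample modelled on the 4625 line in the post (domain assumed as test.local).
SAMPLE = (
    'test.local WIN-NXLOG 2022-06-02 12:01:38;"AUDIT_FAILURE";"ERROR";"Security";'
    '"test.local";4625;"Microsoft-Windows-Security-Auditing";"-";"-";"-";'
    '"An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: test$ '
    'Account Domain: test Logon ID: 0x3E7 Logon Type: 3 Account For Which Logon Failed: '
    'Security ID: S-1-0-0 Account Name: parse_account Account Domain: test'
)

# Naive pattern: matches the first "Account Name:" in the message, which for 4625
# is the Subject (the caller), not the account that failed to log on.
NAIVE = re.compile(r'Account Name:\s*(\S+)')

# Section-anchored pattern: lazy .*? walks from each header to the next label,
# so the Subject and the failed account land in separate named groups.
PATTERN = re.compile(
    r'Subject:.*?Account Name:\s*(?P<subject_account>\S+).*?'
    r'Logon Type:\s*(?P<logon_type>\d+).*?'
    r'Account For Which Logon Failed:.*?Account Name:\s*(?P<target_account>\S+)'
)

# The event id sits between the ';' separators right before the provider name.
EVENT_ID = re.compile(r';(?P<event_id>\d+);"Microsoft-Windows-Security-Auditing"')


def naive_account(line):
    """First Account Name in the line, to show what the simple regex returns."""
    m = NAIVE.search(line)
    return m.group(1) if m else None


def parse_4625(line):
    """Return event id, both account names and the logon type, or None if not a 4625."""
    ev = EVENT_ID.search(line)
    m = PATTERN.search(line)
    if not ev or ev.group('event_id') != '4625' or not m:
        return None
    return {
        'event_id': int(ev.group('event_id')),
        'subject_account': m.group('subject_account'),
        'logon_type': int(m.group('logon_type')),
        'target_account': m.group('target_account'),
    }


if __name__ == '__main__':
    print('naive:', naive_account(SAMPLE))   # test$ (the Subject, not the failed account)
    print('parsed:', parse_4625(SAMPLE))
```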

