I don't have knowledge of regex but need to extract the string Account Name: W2XA2$ and only W2XA2$. Now Account Name: CAN_BE_A_WORD_ENDING_WITH$.
Aug 01 08:13:55 10.0.1.8 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.0.41 Source=Microsoft-Windows-Security-Auditing Computer=abc1.hello.local OriginatingComputer=10.0.1.8 User= Domain= EventID=4688 EventIDCode=4688 EventType=8 EventCategory=13312 RecordNumber=36207926 TimeGenerated=1662012833 TimeWritten=1662012833 Level=Log Always Keywords=Audit Success Task=SE_ADT_DETAILEDTRACKING_PROCESSCREATION Opcode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: W2XA2$ Account Domain: TEST Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf26c New Process Name: C:\Windows\SysWOW64\wbem\WMIC.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0xc554 Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
CodePudding user response:
If we suppose that the account name consists of "word characters" (lower case letters, upper case letters, numbers and underscore) and always ends in $, you could use this:
Account Name:\s+(\w+\$)\s+
And use group(1) to get the actual account name, not the full match!
If more special characters could be part of the account name, you can add them to the list of possible characters. E.g. for a !, replace the \w with [\w!]. If you want to add a -, always put it as last special character inside the []: [\w!-].
Would come out in total as
Account Name:\s+([\w!-]+\$)\s+
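The pattern from the answer applied to the 4688 event from the question, as an added example that is not part of the original answer. The sample line is a shortened excerpt of the event above, and the extra New Process Name pattern is an assumed addition that shows the same group(1) technique on a second field.

```python
import re
from typing import List, Optional

# Shortened excerpt of the 4688 event line from the question (constructed sample input).
SAMPLE_EVENT = (
    "Aug 01 08:13:55 10.0.1.8 AgentDevice=WindowsLog AgentLogFile=Security "
    "EventID=4688 Computer=abc1.hello.local Message=A new process has been created. "
    "Creator Subject: Security ID: NT AUTHORITY\\SYSTEM Account Name: W2XA2$ "
    "Account Domain: TEST Logon ID: 0x3E7 Target Subject: Security ID: NULL SID "
    "Account Name: - Account Domain: - Logon ID: 0x0 Process Information: "
    "New Process ID: 0xf26c New Process Name: C:\\Windows\\SysWOW64\\wbem\\WMIC.exe "
    "Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0xc554"
)

# The answer's final pattern: whitespace, then word characters (plus '!' and '-')
# ending in a literal '$', captured in group 1. The '-' is last in the class so it
# is a literal and not a range operator.
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s+([\w!-]+\$)\s+")

# Assumed extra field, pulled out with the same group(1) approach (not from the answer).
NEW_PROCESS_RE = re.compile(r"New Process Name:\s+(\S+)\s+")


def creator_account(event: str) -> Optional[str]:
    """Return the first '$'-terminated account name, i.e. the Creator Subject."""
    m = ACCOUNT_NAME_RE.search(event)
    return m.group(1) if m else None


def all_machine_accounts(event: str) -> List[str]:
    """Every '$'-terminated account name in the line.

    The Target Subject's 'Account Name: -' does not end in '$', so it is skipped."""
    return ACCOUNT_NAME_RE.findall(event)


def new_process_name(event: str) -> Optional[str]:
    """Return the created process path from the same event line."""
    m = NEW_PROCESS_RE.search(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(creator_account(SAMPLE_EVENT))       # W2XA2$
    print(all_machine_accounts(SAMPLE_EVENT))  # ['W2XA2$']
    print(new_process_name(SAMPLE_EVENT))      # C:\Windows\SysWOW64\wbem\WMIC.exe
```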