Given is a log file called sample_log.txt which contains sample data of the Windows Security event log. I want to search with a regex pattern for locked-out user accounts, which is Event ID 4740.
Such a sample looks like this:
Information 22.12.2020 21:28:46 Microsoft-Windows-Security-Auditing 4740 User Account Management "A user account was locked out. Subject: Security ID: SYSTEM Account Name: SERVER23$ Account Domain: DOMAIN Logon ID: 0x3E7 Account That Was Locked Out: Security ID: domain\firstname.lastname Account Name: firstname.lastname
I have the following PowerShell script:
#grab our data
$file = Get-Content "$PSScriptRoot\sample_log.txt"
#make our pattern
$regex = "Account Name:\s*(\w+).(\w+)"
#loop through each line
foreach ($line in $file) {
    #if our line contains our pattern, write the matched data to the screen
    if ($line -match $regex) {
        $matches[0]
    }
}
Currently, the output looks like this:
Account Name: SERVER23 Account Name: firstname.lastname
How can I expand/modify the regex pattern if I want to match only events with ID 4740, and get the date and time stamp together with the account name from the sample above?
Thanks in advance for any help and suggestions.
https://stackoverflow.com/questions/65417293/regex-pattern-for-eventlog-4740-with-powershell December 23, 2020 at 07:44AM
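An added example, not the question's own script or any posted answer, that does what the question asks: it matches only lines whose event-ID column is exactly 4740, captures the date and time, and takes the account name that follows "Account That Was Locked Out:" rather than the Subject's account name (SERVER23$). The function name Get-LockoutEvent is assumed, and the second sample line (a 4624 logon) is constructed to show that non-4740 events are skipped.

```powershell
# Added example, not the question's own script. Get-LockoutEvent is a
# hypothetical helper name; the sample lines below are constructed test data
# (the first is the question's own sample, the second a made-up 4624 line).
function Get-LockoutEvent {
    param([string[]]$Lines)

    # Column order per line: Level, Date, Time, Provider, EventID, Task, Message.
    # \s+4740\s+ matches the event-id column as a whole token, so an ID such as
    # 47401, or a "4740" inside the message text, cannot match. Anchoring on
    # "Account That Was Locked Out:" selects the locked-out account and skips
    # the Subject's "Account Name:" (SERVER23$ in the sample).
    $regex = '^\w+\s+(?<Date>\d{2}\.\d{2}\.\d{4})\s+(?<Time>\d{2}:\d{2}:\d{2})\s+\S+\s+4740\s+' +
             '.*?Account That Was Locked Out:.*?Account Name:\s*(?<Account>[^\s"]+)'

    foreach ($line in $Lines) {
        if ($line -match $regex) {
            # Parse the timestamp with an explicit format so it sorts and filters as a real date.
            $stamp = [datetime]::ParseExact("$($Matches.Date) $($Matches.Time)", 'dd.MM.yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                Timestamp = $stamp
                EventId   = 4740
                Account   = $Matches.Account
            }
        }
    }
}

# Constructed sample input; in real use pass (Get-Content "$PSScriptRoot\sample_log.txt").
$sample = @(
    'Information 22.12.2020 21:28:46 Microsoft-Windows-Security-Auditing 4740 User Account Management "A user account was locked out. Subject: Security ID: SYSTEM Account Name: SERVER23$ Account Domain: DOMAIN Logon ID: 0x3E7 Account That Was Locked Out: Security ID: domain\firstname.lastname Account Name: firstname.lastname',
    'Information 22.12.2020 21:30:05 Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on. Subject: Security ID: SYSTEM Account Name: SERVER23$ New Logon: Account Name: firstname.lastname'
)

# Emits one object for the 4740 line only: 22.12.2020 21:28:46, firstname.lastname.
Get-LockoutEvent -Lines $sample | Format-Table -AutoSize
```

Because the function returns objects rather than strings, the result can be piped to Where-Object (for example, to count lockouts per account in a time window) instead of being re-parsed from screen output.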