Data:
Nov 16 12:50:51 172.23.0.29 Nov 16 12:50:51 dc01 Microsoft_Windows_security_auditing.[1688]: Domain\user1: Security Microsoft Windows security auditing.: [Success Audit] A user account was changed.
Subject:
Security ID: domain\value
Account Name: value
Account Domain: Domain
Logon ID: 0xA058EB26
Target Account:
Security ID: domain\user1
Account Name: user1
Account Domain: domain
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 11/16/2017 12:50:50 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: - (EventID 4738)
Regex Expression:
Target Account:\n.+\n Account Name: (?.+)
Question:
When I run this regular expression using the rex command, it only matches "user1".
When I use this regex in a field extraction, it matches everything from user1 to the end of the log. Why does this expression return different results depending on how it is used?
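The two results described in the question are what the posted pattern yields when `.` stops at line breaks versus when it may cross them. The following is an added example, not part of the original post, that reproduces both on a constructed excerpt of the event and shows a capture that cannot run past the line. The group name `target_user`, the sample's leading whitespace and the `ROBUST` pattern are assumptions, and the page does not say which matching mode rex or a field extraction applies.

```python
import re

# Constructed excerpt of the 4738 event above; leading whitespace is assumed.
EVENT = (
    "[Success Audit] A user account was changed.\n"
    "Subject:\n"
    " Security ID: domain\\value\n"
    " Account Name: value\n"
    " Account Domain: Domain\n"
    " Logon ID: 0xA058EB26\n"
    "Target Account:\n"
    " Security ID: domain\\user1\n"
    " Account Name: user1\n"
    " Account Domain: domain\n"
    "Changed Attributes:\n"
    " SAM Account Name: -\n"
    " Password Last Set: 11/16/2017 12:50:50 PM\n"
    "Additional Information:\n"
    " Privileges: - (EventID 4738)"
)

# The posted pattern; the group name "target_user" is hypothetical.
POSTED = r"Target Account:\n.+\n Account Name: (?P<target_user>.+)"

# Assumed hardened variant: the capture is a negated class, so it ends at the
# first CR or LF regardless of how "." is configured to behave.
ROBUST = (r"Target Account:\s*[\r\n]+[^\r\n]*[\r\n]+"
          r"\s*Account Name:\s*(?P<target_user>[^\r\n]+)")


def extract(pattern, event, flags=0):
    """Return the captured target account, or None when nothing matches."""
    m = re.search(pattern, event, flags)
    return m.group("target_user").strip() if m else None


if __name__ == "__main__":
    # "." stops at newlines: only the account name is captured.
    print(repr(extract(POSTED, EVENT)))
    # "." crosses newlines: the greedy capture runs to the end of the event.
    print(repr(extract(POSTED, EVENT, re.DOTALL)))
    # Negated class: same single-line result in either mode, and with CRLF.
    print(repr(extract(ROBUST, EVENT, re.DOTALL)))
    print(repr(extract(ROBUST, EVENT.replace("\n", "\r\n"))))
```

For alerting on Event ID 4738, the over-long capture matters because a search keyed on the exact account name will not match the field value that contains the rest of the event.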