Extracting a username from log files using Regex

Posted on 2012-04-04
Last Modified: 2012-06-27
Hi, I'm trying to extract domain usernames from my Juniper log files using regex; however, depending on the log message, the fully qualified domain name isn't always displayed.

See example below:

line 1:      juniper -ive -] domain/user1(realm) etc. etc.
line 2:      juniper -ive -] user2(realm) etc. etc.

I would like to extract just the username into a group, so I'm trying to exclude the word "DOMAIN/". So far I have this:

\]\s(?!DOMAIN\/\b)([a-z_0-9]+)

However, it only seems to capture user2.

Thanks,
Question by:kchall
LVL 23

Expert Comment

by:wdosanjos
Please try:

(?<=]\s(\w+/)?)\w+(?=\(realm\))
LVL 73

Expert Comment

by:sdstuber
'\] (domain/)?([a-z_0-9]+)'

with a back reference of 2; the exact syntax for the back reference will depend on the language/library of the regexp.
LVL 1

Author Comment

by:kchall
Wdosanjos, that returned no matches.

I should add I'm using Rad Software Expression Designer to test my regexes.

Sdstuber, I'm not sure what you mean; I'm using regex so I can pull out fields in my Splunk log analyzer.

Thanks,
LVL 23

Expert Comment

by:wdosanjos
Here is my test code (C#):

using System;
using System.Text.RegularExpressions;

var rx = new Regex(@"(?<=]\s(\w+/)?)\w+(?=\(realm\))");
var tests = new string[]
{
    "juniper -ive -] domain/user1(realm)",
    "juniper -ive -] user2(realm)"
};

foreach (var test in tests)
{
    // Print the matched username (originally .Dump(), a LINQPad helper).
    Console.WriteLine(rx.Match(test).Value);
}


Output
user1
user2

LVL 1

Author Comment

by:kchall
Hi Wdosanjos,

When I run that it does in fact match user1 and user2; however, I need to group the matches as well.

Also, the word "realm" cannot be referenced, as this can change as users log on to multiple realms.
LVL 23

Expert Comment

by:wdosanjos
The expression to address multiple realms is:

(?<=]\s(\w+/)?)\w+(?=\(\w+\))

What do you mean by "group the matches"?  Please give an example.
LVL 1

Author Comment

by:kchall
Grouping constructs using the ( and ) symbols.
I.e., if I wanted to just capture domain/user1 and user2 I would use \]\s([a-z0-9\/]+)
LVL 23

Assisted Solution

by:wdosanjos
wdosanjos earned 200 total points
Checking the ExplicitCapture option should resolve the grouping issue.
LVL 1

Accepted Solution

by:kchall
kchall earned 0 total points
Sorry Wdosanjos, I couldn't get your string to work. In the end I used the following:

\]\s(?:DOMAIN\\*)?(.\w+)

Thanks anyway.
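A worked version of the extraction this thread is after, added here as an example and not code posted by anyone in the thread. It uses Python's re module; Splunk's rex command runs PCRE, and the (?P<name>...) named-group form used below is accepted by both. The log lines are constructed from the two shapes shown in the question plus three assumed variants (a realm name other than "realm", a dotted username, and a backslash-separated domain), so the pattern is slightly more general than the thread's examples. For comparison it also runs the questioner's first attempt and the pattern from the accepted answer over the same lines, with case-insensitive matching assumed since the tool settings are not stated: the first attempt produces no match on the domain-prefixed line, and the accepted pattern captures "/user1" with the leading slash included, because its (.\w+) group has to consume the separator.

```python
import re

# Constructed sample lines in the shape shown in the thread (not real Juniper IVE logs).
LOG_LINES = [
    "juniper -ive -] domain/user1(realm) etc. etc.",
    "juniper -ive -] user2(realm) etc. etc.",
    "juniper -ive -] CORP/j.doe(Users) etc. etc.",          # assumed: different realm, dotted user
    "juniper -ive -] CORP\\svc_backup(Admins) etc. etc.",   # assumed: backslash separator
]

# The questioner's first attempt and the pattern they finally used, kept verbatim.
# Case-insensitive matching is an assumption; the thread does not state the tool's flags.
ORIGINAL_ATTEMPT = re.compile(r"\]\s(?!DOMAIN\/\b)([a-z_0-9]+)", re.IGNORECASE)
ACCEPTED_PATTERN = re.compile(r"\]\s(?:DOMAIN\\*)?(.\w+)", re.IGNORECASE)

# Recommended form: the domain prefix is optional and wrapped in a non-capturing group,
# the username and realm are named capturing groups (Splunk rex turns named groups into fields).
USER_RE = re.compile(
    r"\]\s"
    r"(?:(?P<domain>[A-Za-z0-9_.-]+)[\\/])?"   # optional "domain/" or "domain\" prefix
    r"(?P<user>[A-Za-z0-9_.-]+)"               # the username we want as a field
    r"\((?P<realm>[^)]+)\)"                    # realm in parentheses, whatever its name
)


def extract(line):
    """Return domain (or None), user and realm from one log line, or None if no match."""
    m = USER_RE.search(line)
    if not m:
        return None
    return {"domain": m.group("domain"), "user": m.group("user"), "realm": m.group("realm")}


def extract_all(lines):
    """Apply extract() to every line; unmatched lines yield None."""
    return [extract(line) for line in lines]


def first_group(pattern, line):
    """Group 1 of a compiled pattern against one line, or None if it does not match."""
    m = pattern.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line in LOG_LINES:
        print(extract(line))
    for line in LOG_LINES[:2]:
        print("original attempt:", first_group(ORIGINAL_ATTEMPT, line),
              "| accepted pattern:", first_group(ACCEPTED_PATTERN, line))
```

Two points worth keeping in mind when moving this to Splunk: a field is only created from a capturing group, so the lookbehind forms suggested in the thread match the text but give rex nothing to name, and the lookbehind with an optional group inside it ((?<=]\s(\w+/)?)) is legal in .NET but rejected by Python's re, which does not allow variable-length lookbehind. A non-capturing (?:...) group keeps the prefix optional without adding a group of its own.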
LVL 1

Author Closing Comment

by:kchall
huh!