Parsing Event Log Descriptions

(imported topic written by jeko1791)

I am new to Bigfix but picking up the Relevance fairly quickly. I’ve created an Analysis that will find all security log events of specific IDs (Logon Failure ID = 528, for example). That Event Log entry looks like this:

Logon Failure:

Reason: Unknown user name or bad password

User Name: jblack

Domain: AQRS104

Logon Type: 10

Logon Process: User32

Authentication Package: Negotiate

Workstation Name: AQRS104

Caller User Name: AQRS104$

Caller Domain: OURDOMAIN

Caller Logon ID: (0x0,0x3E7)

Caller Process ID: 10252

Transited Services: -

Source Network Address: 192.168.40.25

Source Port: 1443

My current problem is that all the native event log inspectors will pull the information from the header of the log entry, but not the Description area. I’m trying to return the offending user that’s failing logon on this system, so in this case “jblack”, even better would be <User Name>.

How could I extract that information from the Description text without pulling back the entire Description?

(imported comment written by kevin_tang91)

try this:

q: if (exists records of security event log) then ((preceding text of first "%0d%0a %09Domain:" of following text of first "User Name:%09" of descriptions of it) of records whose (source of it = "Security" and event id of it = 529) of security event log as string) else ("")

A: Administrator

A: Administrator

A: demo

A: test

A: demo123
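A worked version of the parsing discussed in this thread, added here as an example and not taken from the original post or from BigFix: Python that applies the answer's substring idiom (text after the first "User Name:" marker, before the first "Domain:" marker) to a constructed event 529 description, and then goes one step further by parsing the whole description into a label/value map. The description text and every value in it are constructed for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample of a Windows Security event 529 description, stored the way
# the Event Log writes it: one field per "\r\n \t<Label>:\t<Value>" line
# (extra tabs only pad the columns). Values are invented for this example.
SAMPLE_DESCRIPTION = (
    "Logon Failure:"
    "\r\n \tReason:\t\tUnknown user name or bad password"
    "\r\n \tUser Name:\tjblack"
    "\r\n \tDomain:\t\tAQRS104"
    "\r\n \tLogon Type:\t10"
    "\r\n \tWorkstation Name:\tAQRS104"
    "\r\n \tCaller User Name:\tAQRS104$"
    "\r\n \tCaller Logon ID:\t(0x0,0x3E7)"
    "\r\n \tTransited Services:\t-"
    "\r\n \tSource Network Address:\t192.168.40.25"
)

def text_between(text: str, start: str, end: str) -> Optional[str]:
    """Mirror of the relevance idiom 'preceding text of first <end> of
    following text of first <start>'. Returns None when a marker is absent,
    where the relevance expression would raise an error instead. 'first'
    matters here: 'User Name:' appears before 'Caller User Name:'."""
    i = text.find(start)
    if i < 0:
        return None
    rest = text[i + len(start):]
    j = rest.find(end)
    return None if j < 0 else rest[:j]

# Label = text up to the first colon; the value keeps later colons, e.g. "(0x0,0x3E7)".
_FIELD = re.compile(r"^\s*([^\t:]+):\t*(.*?)\s*$")

def parse_description(description: str) -> Dict[str, str]:
    """Map every field of the description to its value, so a single pass
    yields User Name, Domain, Source Network Address and the rest."""
    fields: Dict[str, str] = {}
    for line in description.split("\r\n")[1:]:  # [0] is the "Logon Failure:" heading
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def failing_user(description: str) -> str:
    """DOMAIN\\user of the account whose logon failed."""
    f = parse_description(description)
    return f"{f.get('Domain', '?')}\\{f.get('User Name', '?')}"
```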