Otto Fowler,

Yes, I am OK with the trade-offs. In the case of Active Directory log records,
can I parse them using a non-regex custom parser? I think we need a
pattern-matching library, right, as it is a plain-text thing? One dummy AD
record from my use case would be like the one below.
12/02/2017 05:14:43 PM LogName=Security SourceName=Microsoft Windows
security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=
dc1.ad.ecorp.com TaskCategory=Logon OpCode=Info
RecordNumber=95055509895231650867 Keywords=Audit Success Message=An account
failed to log on. Subject: Security ID: NULL SID Account Name: - Account
Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed:
Security ID: NULL SID Account Name: K1560365938U$ Account Domain: ECORP
Failure Information: Failure Reason: Unknown user name or bad password.
Status: 0xC000006D Sub Status: 0xC000006A Network Information: Workstation
Name: K1560365938U Source Network Address: 192.168.151.95 Source Port:
53176 Detailed Authentification Information: Logon Process: NtLmSsp
Authentification Package: NTLM Transited Services: - Package Name (NTLM
ONLY): - Key Length: 0 This event is generated when a logon request fails.
It is generated on the computer where access was attempted. The Subject
fields indicate the account on the local system which requested the logon.
This is most commonly a service such as the Server service, or a local
process such as Winlogon.exe or Services.exe. The Logon Type field
indicates the kind of logon that was requested. The most common types are 2
(interactive) and 3 (network). The Process Information fields indicate
which account and process on the system requested the logon. The Network
Information fields indicate where a remote logon request originated.
Workstation name is not always available and may be left blank in some
cases. The authentication information fields provide detailed information
about this specific logon request. Transited services indicate which
intermediate services have participated in this logon request. Package name
indicates which sub-protocol was used among the NTLM protocols

On Wed, Jul 11, 2018 at 8:44 PM, Otto Fowler <[EMAIL PROTECTED]>
wrote:
Muhammed Irshad K T
Senior Software Engineer
+919447946359
[EMAIL PROTECTED]
Skype : muhammed.irshad.k.t
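The record above parsed without a regex library, as an added Python example (not code from this thread or from any project discussed in it): the Key=value header is tokenised on whitespace, and the free-text Message is walked label by label. The label set is taken from the record itself (including its "Authentification" spelling), and the only layout assumption is the standard 4625 one, where "Logon Type" sits outside any block.

```python
SECTIONS = ("Subject", "Account For Which Logon Failed", "Failure Information", "Network Information",
            "Detailed Authentification Information")        # block openers: they carry no value of their own
FIELDS = ("Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Type", "Failure Reason",
          "Status", "Sub Status", "Workstation Name", "Source Network Address", "Source Port",
          "Logon Process", "Authentification Package", "Transited Services", "Package Name (NTLM ONLY)",
          "Key Length")                                    # labels that carry a value (spelling as in the record)
HELP_MARKER = "This event is generated"                    # start of the fixed help text trailing every 4625

# Constructed sample: the record quoted in the message, re-joined with single spaces (so the
# mail-wrapped "ComputerName=" and its value arrive as two tokens); help text cut to one sentence.
SAMPLE = ("12/02/2017 05:14:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 "
          "EventType=0 Type=Information ComputerName= dc1.ad.ecorp.com TaskCategory=Logon OpCode=Info "
          "RecordNumber=95055509895231650867 Keywords=Audit Success Message=An account failed to log on. Subject: "
          "Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
          "Account For Which Logon Failed: Security ID: NULL SID Account Name: K1560365938U$ Account Domain: ECORP "
          "Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D "
          "Sub Status: 0xC000006A Network Information: Workstation Name: K1560365938U Source Network Address: "
          "192.168.151.95 Source Port: 53176 Detailed Authentification Information: Logon Process: NtLmSsp "
          "Authentification Package: NTLM Transited Services: - Package Name (NTLM ONLY): - Key Length: 0 "
          "This event is generated when a logon request fails.")

def parse_header(record):
    # Key=value prefix by plain tokenising: a token holding '=' starts a new key, any other token
    # extends the current value. Message= is always the last key, so it is split off first.
    prefix, _, message = record.partition(" Message=")
    header, key = {}, "timestamp"
    for tok in prefix.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            header[key] = value
        else:
            header[key] = (header.get(key, "") + " " + tok).strip()
    return header, message

def parse_message(message):
    text, _, help_text = message.partition(HELP_MARKER)
    def next_label(pos):                                   # earliest "Label:" at or after pos
        hits = ((text.find(l + ":", pos), l) for l in SECTIONS + FIELDS)
        return min(((i, l) for i, l in hits if i >= 0), default=(len(text), None))
    start, label = next_label(0)
    fields = {"summary": text[:start].strip(), "help": (HELP_MARKER + help_text).strip() if help_text else ""}
    section = None
    while label:
        nxt_start, nxt = next_label(start + len(label) + 1)   # +1 skips the colon
        value = text[start + len(label) + 1:nxt_start].strip()
        section = label if label in SECTIONS else None if label == "Logon Type" else section
        if label not in SECTIONS:                             # values are keyed "Block.Label" inside a block
            fields[f"{section}.{label}" if section else label] = value
        start, label = nxt_start, nxt
    return fields
```

Because "Sub Status:" and "Status:" are resolved by earliest position rather than by a pattern, the two status codes land in separate keys, and the repeated Security ID / Account Name / Account Domain labels are kept apart by the block prefix.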