#include <StringConstants.au3> ; to declare the Constants of StringRegExp
#include <Array.au3> ; UDF needed for _ArrayDisplay and _ArrayConcatenate
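; Pattern for one syslog-export record: "<date> <time>,<facility.level>,<host>,<message>".
; Named groups: FechayHora (timestamp), LogLevel, Hostname (IPv4 or *.cerrey.com.mx), mensaje.
;
; Fixes relative to the generated sample:
;  - The literal is single-quoted. AutoIt does not treat \" as an escape inside a
;    double-quoted string, so the original literal ended at the first \" and the
;    line did not parse. The regex itself still uses \" to match a literal quote.
;  - Month/day/minute/second ranges were too narrow ([0-2]\d for the day, and the
;    hour range 00-23 reused for minutes and seconds), so records dated the 30th/31st
;    or with minutes/seconds above 23 were silently skipped.
;
; NOTE(review): the mensaje character class has no "." in it, so the capture stops at
; the first period. For the Windows event records that is inside the first FQDN, before
; the event ID and description - confirm that truncation is intended before relying on
; this group for detection or triage.
Local $sRegex = '(?m)(?P<FechayHora>(?:20[0-9]{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01]))\s(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d)(?:,|\s)(?P<LogLevel>(?:\w*\.?\w*))(?:,|\s)(?P<Hostname>(?:\d{1,3}\.){3}\d{1,3}|(?:\w*\.cerrey\.com\.mx))(?:,|\s)(?P<mensaje>\"?[\w\s:,\[\]()/-]*\"?)'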
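; Sample input: seven Linux syslog lines followed by four Windows Security events
; (4673, 4673, 4672, 4624) as relayed through a syslog collector.
;
; Fix: the last record's message is wrapped in literal double quotes. Inside an AutoIt
; double-quoted string a literal quote must be doubled (""), otherwise the string ends
; early and the script does not parse. Both the opening and closing quote are doubled here.
;
; The text is appended record by record so that no single statement grows very long.
; NOTE(review): AutoIt limits the length of one script line, and continuation lines
; appear to count towards it - confirm against the AutoIt version in use.
;
; NOTE(review): this looks like real log data (internal hostnames and IP, a domain SID,
; a service-account name). Replace with sanitized values before sharing the script.

; --- Linux syslog lines ---
Local $sString = "2023-05-21 00:00:00,Daemon.Info,172.16.1.247,May 21 00:40:01 flex3 systemd: Created slice User Slice of root." & @CRLF & _
    "2023-05-21 00:00:00,Daemon.Info,MTYDC02.cerrey.com.mx,May 21 00:40:01 flex3 systemd: Starting User Slice of root." & @CRLF & _
    "2023-05-21 00:00:00,Daemon.Info,172.16.1.247,May 21 00:40:01 flex3 systemd: Started Session 2782 of user root." & @CRLF & _
    "2023-05-21 00:00:00,Daemon.Info,172.16.1.247,May 21 00:40:01 flex3 systemd: Starting Session 2782 of user root." & @CRLF & _
    "2023-05-21 00:00:00,Cron.Info,172.16.1.247,May 21 00:40:01 flex3 CROND[23978]: (root) CMD (/usr/lib64/sa/sa1 1 1)" & @CRLF & _
    "2023-05-21 00:00:00,Daemon.Info,172.16.1.247,May 21 00:40:01 flex3 systemd: Removed slice User Slice of root." & @CRLF & _
    "2023-05-21 00:00:00,Daemon.Info,172.16.1.247,May 21 00:40:01 flex3 systemd: Stopping User Slice of root." & @CRLF

; --- Windows event 4673 (record 10337) ---
$sString &= "2023-05-21 00:00:01,System3.Critical,MTYSYSLOG.cerrey.com.mx,may 21 00:00:01 MTYSYSLOG.cerrey.com.mx MSWinEventLog 2 Security 10337 dom may 21 00:00:00 2023 4673 Microsoft-Windows-Security-Auditing N/A Audit Failure MTYSYSLOG.cerrey.com.mx 13056 A privileged service was called." & @CRLF & _
    "" & @CRLF & _
    "Subject:" & @CRLF & _
    " Security ID: S-1-5-19" & @CRLF & _
    " Account Name: LOCAL SERVICE" & @CRLF & _
    " Account Domain: NT AUTHORITY" & @CRLF & _
    " Logon ID: 0x3E5" & @CRLF & _
    "" & @CRLF & _
    "Service:" & @CRLF & _
    " Server: Security" & @CRLF & _
    " Service Name: -" & @CRLF & _
    "" & @CRLF & _
    "Process:" & @CRLF & _
    " Process ID: 0x1f1c" & @CRLF & _
    " Process Name: C:\Windows\System32\svchost.exe" & @CRLF & _
    "" & @CRLF & _
    "Service Request Information:" & @CRLF & _
    " Privileges: SeProfileSingleProcessPrivilege" & @CRLF

; --- Windows event 4673 (record 10338) ---
$sString &= "2023-05-21 00:00:01,System3.Critical,MTYSYSLOG.cerrey.com.mx,may 21 00:00:01 MTYSYSLOG.cerrey.com.mx MSWinEventLog 2 Security 10338 dom may 21 00:00:00 2023 4673 Microsoft-Windows-Security-Auditing N/A Audit Failure MTYSYSLOG.cerrey.com.mx 13056 A privileged service was called." & @CRLF & _
    "" & @CRLF & _
    "Subject:" & @CRLF & _
    " Security ID: S-1-5-19" & @CRLF & _
    " Account Name: LOCAL SERVICE" & @CRLF & _
    " Account Domain: NT AUTHORITY" & @CRLF & _
    " Logon ID: 0x3E5" & @CRLF & _
    "" & @CRLF & _
    "Service:" & @CRLF & _
    " Server: Security" & @CRLF & _
    " Service Name: -" & @CRLF & _
    "" & @CRLF & _
    "Process:" & @CRLF & _
    " Process ID: 0x1f1c" & @CRLF & _
    " Process Name: C:\Windows\System32\svchost.exe" & @CRLF & _
    "" & @CRLF & _
    "Service Request Information:" & @CRLF & _
    " Privileges: SeProfileSingleProcessPrivilege" & @CRLF

; --- Windows event 4672 (record 105034) ---
$sString &= "2023-05-21 00:00:01,System4.Notice,MTYSPDB2.cerrey.com.mx,may 21 00:00:01 MTYSPDB2.cerrey.com.mx MSWinEventLog 5 Security 105034 dom may 21 00:00:00 2023 4672 Microsoft-Windows-Security-Auditing N/A Audit Success MTYSPDB2.cerrey.com.mx 12548 Special privileges assigned to new logon." & @CRLF & _
    "" & @CRLF & _
    "Subject:" & @CRLF & _
    " Security ID: S-1-5-21-1430283757-1547701557-1542849698-18847" & @CRLF & _
    " Account Name: SP_Farm" & @CRLF & _
    " Account Domain: CERREY" & @CRLF & _
    " Logon ID: 0x592C221" & @CRLF & _
    "" & @CRLF & _
    "Privileges: SeSecurityPrivilege" & @CRLF & _
    " SeBackupPrivilege" & @CRLF & _
    " SeRestorePrivilege" & @CRLF & _
    " SeTakeOwnershipPrivilege" & @CRLF & _
    " SeDebugPrivilege" & @CRLF & _
    " SeSystemEnvironmentPrivilege" & @CRLF & _
    " SeLoadDriverPrivilege" & @CRLF & _
    " SeImpersonatePrivilege" & @CRLF & _
    " SeDelegateSessionUserImpersonatePrivilege" & @CRLF

; --- Windows event 4624 (record 105035); message is wrapped in literal quotes ("") ---
$sString &= "2023-05-21 00:00:01,System4.Notice,MTYSPDB2.cerrey.com.mx,""may 21 00:00:01 MTYSPDB2.cerrey.com.mx MSWinEventLog 5 Security 105035 dom may 21 00:00:00 2023 4624 Microsoft-Windows-Security-Auditing N/A Audit Success MTYSPDB2.cerrey.com.mx 12544 An account was successfully logged on." & @CRLF & _
    "" & @CRLF & _
    "Subject:" & @CRLF & _
    " Security ID: S-1-0-0" & @CRLF & _
    " Account Name: -" & @CRLF & _
    " Account Domain: -" & @CRLF & _
    " Logon ID: 0x0" & @CRLF & _
    "" & @CRLF & _
    "Logon Information:" & @CRLF & _
    " Logon Type: 3" & @CRLF & _
    " Restricted Admin Mode: -" & @CRLF & _
    " Virtual Account: No" & @CRLF & _
    " Elevated Token: Yes" & @CRLF & _
    "" & @CRLF & _
    "Impersonation Level: Impersonation" & @CRLF & _
    "" & @CRLF & _
    "New Logon:" & @CRLF & _
    " Security ID: S-1-5-21-1430283757-1547701557-1542849698-18847" & @CRLF & _
    " Account Name: SP_Farm" & @CRLF & _
    " Account Domain: CERREY.COM.MX" & @CRLF & _
    " Logon ID: 0x592C221" & @CRLF & _
    " Linked Logon ID: 0x0" & @CRLF & _
    " Network Account Name: -" & @CRLF & _
    " Network Account Domain: -" & @CRLF & _
    " Logon GUID: {fc043bcf-045d-fc8b-47dd-711370b096cf}" & @CRLF & _
    "" & @CRLF & _
    "Process Information:" & @CRLF & _
    " Process ID: 0x0" & @CRLF & _
    " Process Name: -" & @CRLF & _
    "" & @CRLF & _
    "Network Information:" & @CRLF & _
    " Workstation Name: -" & @CRLF & _
    " Source Network Address: -" & @CRLF & _
    " Source Port: -" & @CRLF & _
    "" & @CRLF & _
    "Detailed Authentication Information:" & @CRLF & _
    " Logon Process: Kerberos" & @CRLF & _
    " Authentication Package: Kerberos" & @CRLF & _
    " Transited Services: -" & @CRLF & _
    " Package Name (NTLM only): -" & @CRLF & _
    " Key Length: 0" & @CRLF & _
    "" & @CRLF & _
    "This event is generated when a logon session is created. It is generated on the computer that was accessed." & @CRLF & _
    "" & @CRLF & _
    "The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe." & @CRLF & _
    "" & @CRLF & _
    "The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network)." & @CRLF & _
    "" & @CRLF & _
    "The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on." & @CRLF & _
    "" & @CRLF & _
    "The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases." & @CRLF & _
    "" & @CRLF & _
    "The impersonation level field indicates the extent to which a process in the logon session can impersonate." & @CRLF & _
    "" & @CRLF & _
    "The authentication information fields provide detailed information about this specific logon request." & @CRLF & _
    " - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event." & @CRLF & _
    " - Transited services indicate which intermediate services have participated in this logon request." & @CRLF & _
    " - Package name indicates which sub-protocol was used among the NTLM protocols." & @CRLF & _
    " - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."""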
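; Run the pattern over the whole sample. With $STR_REGEXPARRAYGLOBALFULLMATCH the result
; is an array with one entry per match, each entry itself an array (full match + groups).
Local $aArray = StringRegExp($sString, $sRegex, $STR_REGEXPARRAYGLOBALFULLMATCH)
If @error Then
    ; Report the failure instead of silently showing an empty result.
    ; @error = 1: no matches; @error = 2: bad pattern, @extended = offset of the error.
    ConsoleWrite("StringRegExp failed: @error=" & @error & ", @extended=" & @extended & @CRLF)
EndIf

; Flatten the per-match arrays into a single 1D array for display.
; UBound() of a non-array is 0, so the loop is skipped when nothing matched.
Local $aFullArray[0]
For $iMatch = 0 To UBound($aArray) - 1
    _ArrayConcatenate($aFullArray, $aArray[$iMatch])
Next
$aArray = $aFullArray

; Present the entire match result
_ArrayDisplay($aArray, "Result")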
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for AutoIt, please visit: https://www.autoitscript.com/autoit3/docs/functions/StringRegExp.htm