import java.util.regex.Matcher;
import java.util.regex.Pattern;
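public class Example {
    public static void main(String[] args) {
        // Group names in java.util.regex may contain only ASCII letters and
        // digits (no underscore), hence "mswinSecurityId".
        // [ \t]+ accepts either spaces or tabs between the label and the value.
        final String regex = "Subject:.+?Security ID:[ \\t]+(?<mswinSecurityId>.+?)\\n";
        final String string = "{ [-]\n"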
+ " @timestamp: 2021-01-13T14:30:13.835Z\n"
+ " @version: 1\n"
+ " cloud_service_name: MOS-WIN\n"
+ " id: fd5c4ce8-b5cb-4cb4-a1e5-82c7e531673d\n"
+ " log_entry: An account was successfully logged on.\n\n"
+ "Subject:\n"
+ " Security ID: S-1-5-18\n"
+ " Account Name: PT1-X-CHRDB-1$\n"
+ " Account Domain: DRACO910\n"
+ " Logon ID: 0x3E7\n\n"
+ "Logon Information:\n"
+ " Logon Type: 44\n"
+ " Restricted Admin Mode: -\n"
+ " Virtual Account: No\n"
+ " Elevated Token: Yes\n\n"
+ "Impersonation Level: Impersonation\n\n"
+ "New Logon:\n"
+ " Security ID: S-1-5-21-3515936613-886961063-2664560780-6781\n"
+ " Account Name: ABB-ESC-9e8ec\n"
+ " Account Domain: DRACO910\n"
+ " Logon ID: 0xF0D94929\n"
+ " Linked Logon ID: 0x0\n"
+ " Network Account Name: -\n"
+ " Network Account Domain: -\n"
+ " Logon GUID: {6D3F87DE-7E78-7F6F-EF45-BFC1FC1C1BFE}\n\n"
+ "Process Information:\n"
+ " Process ID: 0x1b0\n"
+ " Process Name: C:\\Program Files\\EMC NetWorker\\nsr\\bin\\nsrexecd.exe\n\n"
+ "Network Information:\n"
+ " Workstation Name: PT1-X-CHRDB-1\n"
+ " Source Network Address: -\n"
+ " Source Port: -\n\n"
+ "Detailed Authentication Information:\n"
+ " Logon Process: Advapi \n"
+ " Authentication Package: Negotiate\n"
+ " Transited Services: -\n"
+ " Package Name (NTLM only): -\n"
+ " Key Length: 0\n\n"
+ "This event is generated when a logon session is created. It is generated on the computer that was accessed.\n\n"
+ "The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\n"
+ "The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\n"
+ "The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\n"
+ "The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\n"
+ "The impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\n"
+ "The authentication information fields provide detailed information about this specific logon request.\n"
+ " - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n"
+ " - Transited services indicate which intermediate services have participated in this logon request.\n"
+ " - Package name indicates which sub-protocol was used among the NTLM protocols.\n"
+ " - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\n"
+ " log_type: SECURITY\n"
+ " tenant_name: draco-910\n"
+ " timestamp: 2021-01-13T14:30:08.442Z\n"
+ " version: 1.0\n"
+ "}";
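        // DOTALL lets '.' cross the line break between "Subject:" and "Security ID:".
        final Pattern pattern = Pattern.compile(regex, Pattern.DOTALL);
        final Matcher matcher = pattern.matcher(string);
        // find() stops at the first match, which is the Subject block's SID
        // (S-1-5-18), not the SID listed under "New Logon".
        if (matcher.find()) {
            System.out.println("Full match: " + matcher.group(0));
            for (int i = 1; i <= matcher.groupCount(); i++) {
                System.out.println("Group " + i + ": " + matcher.group(i));
            }
        }
    }
}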
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Java, please visit: https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html