using System;
using System.Text.RegularExpressions;
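/// <summary>
/// Sample that parses one exported Windows Security log record (event 4616,
/// "The system time was changed") into named fields with a regular expression.
/// </summary>
public class Example
{
    /// <summary>
    /// Upper bound on regex evaluation time. The pattern is built from many greedy
    /// <c>.*</c> captures, so a record that almost matches can force heavy backtracking;
    /// the timeout keeps a malformed or hostile log line from stalling the parser.
    /// </summary>
    private static readonly TimeSpan MatchTimeout = TimeSpan.FromSeconds(2);

    /// <summary>
    /// Runs the pattern against the embedded sample record and prints every match
    /// together with the index at which it starts.
    /// </summary>
    public static void Main()
    {
        // Named groups use the .NET form (?<name>...). The Python/PCRE form (?P<name>...)
        // is rejected by System.Text.RegularExpressions when the pattern is parsed.
        // Captured fields are available per match through m.Groups["event_id"],
        // m.Groups["previous_time"], m.Groups["new_time"], and so on; their values are
        // taken verbatim from the log text.
        string pattern = @"Audit (?<audit_outcome>Success|Failure),(?<log_date>.*)\s+(?<log_time>.*),Microsoft-Windows-Security-Auditing,(?<event_id>\d+),(?<category>.*),(?<event_message>.*)\s+Subject:\s+Security ID:\s+(?<subject_security_id>.*)\s+Account Name:\s+(?<subject_account_name>.*)\s+Account Domain:\s+(?<subject_account_domain>.*)\s+Logon ID:\s+(?<subject_logon_id>.*)\s+Process Information:\s+Process ID:\s+(?<PI_process_id>.*)\s+Name:\s+(?<PI_name>.*)\s+Previous Time:\s+(?<previous_time>.*)\s+New Time:\s+(?<new_time>.*)\s+(?<audit_message>.*)";

        // Verbatim string: the continuation lines are part of the literal and must keep
        // their exact leading whitespace, so they are not indented with the code.
        string input = @"Audit Success,29/08/2017 09:42:50,Microsoft-Windows-Security-Auditing,4616,Security State Change,""The system time was changed.
Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x3e8
Name: C:\Windows\System32\svchost.exe
Previous Time: 2017-08-29T01:42:49.858143700Z
New Time: 2017-08-29T01:42:49.520000000Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.""";

        try
        {
            // Matches are evaluated lazily, so a timeout can surface while enumerating.
            foreach (Match m in Regex.Matches(input, pattern, RegexOptions.None, MatchTimeout))
            {
                Console.WriteLine("'{0}' found at index {1}.", m.Value, m.Index);
            }
        }
        catch (RegexMatchTimeoutException)
        {
            // Report the unparsed record instead of silently dropping an audit event.
            Console.Error.WriteLine("Regex match timed out; the record was not parsed.");
        }
    }
}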
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for C#, please visit: https://msdn.microsoft.com/en-us/library/system.text.regularexpressions.regex(v=vs.110).aspx