I am using Zabbix to parse Windows event logs. Here is an example:

4624    
An account was successfully logged on.
Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       SERVER$
    Account Domain:     COMPANY
    Logon ID:       0x3E7

Logon Information:
    Logon Type:     7
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     No

New Logon:
    Security ID:        COMPANY\Susan
    Account Name:       SUSAN
    Account Domain:     COMPANY
    Logon ID:       0x3ED0915C
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     {7bac704d-8521-0b5e-4548-5c61a3614dc0

And here is the JavaScript I am using to pull the data I want:

// Zabbix JavaScript preprocessing step: "value" holds the raw event text and
// the script body returns the preprocessed result
var lines = value.split("\n");
var accountName = "";
var loginType = "";
var sourceIp = "";
lines.forEach(function(line) {
  line = line.trim(); // trim once, so the substring offsets below line up with the key
  if (line.substring(0, 11) === "Logon Type:") {
    loginType = line.substring(11).trim();
  }
  if (line.substring(0, 13) === "Account Name:") {
    // runs for every "Account Name:" line in the event
    accountName = line.substring(13).trim();
  }
  if (line.substring(0, 23) === "Source Network Address:") {
    sourceIp = line.substring(23).trim();
  }
});
return loginType + " " + accountName + " " + sourceIp;

When this is run against the log data, it will grab the first occurrence of Account Name. I need it to grab the second one as that is where the user's name is.

How can I modify what I am doing to grab this second one rather than the first one?

Thank you.

Carter
  • Does this answer your question? [How to get the nth occurrence in a string?](https://stackoverflow.com/questions/14480345/how-to-get-the-nth-occurrence-in-a-string) – imvain2 Jun 15 '22 at 20:29
  • Partially except that would force me to know what the data in the string is right? The Account Name will be different for each log event so I can't specify the exact match. Or maybe because I am new to javascript I am misunderstanding. Very possible! – Carter Jun 15 '22 at 21:17
  • Based on that code, it should find that last Account Name since each time it finds a line starting with "Account Name:" it will overwrite the value of the accountName variable. You may have some other issue going on there. – mcgraphix Jun 15 '22 at 21:25

1 Answer

If you only need to solve that specific problem, just track whether you have already found an Account Name and skip the first one:

var lines = value.split("\n");
var accountName = "";
var loginType = "";
var sourceIp = "";
// store the count of how many you have found while iterating
let accountsFound = 0;
lines.forEach(function(line) {
  line = line.trim(); // trim once, so the substring offsets below line up with the key
  if (line.substring(0, 11) === "Logon Type:") {
    loginType = line.substring(11).trim();
  }
  if (line.substring(0, 13) === "Account Name:") {
   if (accountsFound === 1) {
    accountName = line.substring(13).trim();
   }
   // keep track of how many you have found so far
   accountsFound++;
  }
  if (line.substring(0, 23) === "Source Network Address:") {
    sourceIp = line.substring(23).trim();
  }
});
return loginType + " " + accountName + " " + sourceIp;

A better approach though would be to avoid substringing things and just split the strings into the key and value once as shown here:

// backslashes in the sample are doubled so the template literal keeps them
const content = `4624    
An account was successfully logged on.
Subject:
    Security ID:        NT AUTHORITY\\SYSTEM
    Account Name:       SERVER$
    Account Domain:     COMPANY
    Logon ID:       0x3E7

Logon Information:
    Logon Type:     7
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     No

New Logon:
    Security ID:        COMPANY\\Susan
    Account Name:       SUSAN
    Account Domain:     COMPANY
    Logon ID:       0x3ED0915C
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     {7bac704d-8521-0b5e-4548-5c61a3614dc0`;
function getDetails(value) {
  var lines = value.split("\n");
  var accountName = "- not found -";
  var loginType = "- not found -";
  var sourceIp = "- not found -";
  // store the count of how many you have found while iterating
  let accountsFound = 0;
  lines.forEach(function(line) {
    // split each line at the FIRST ":" only and trim both parts, so a value
    // that itself contains colons (an IPv6 source address, say) stays whole
    let idx = line.indexOf(':');
    if (idx === -1) {
      return; // no "key: value" pair on this line
    }
    let key = line.substring(0, idx).trim();
    let val = line.substring(idx + 1).trim();
    // console.log(key, val);
    if (key === "Logon Type") {
      loginType = val;
    }
    if (key === "Account Name") {
     if (accountsFound === 1) {
      accountName = val;
     }
     // keep track of how many you have found so far
     accountsFound++;
    }
    if (key === "Source Network Address") {
      sourceIp = val;
    }
  });
  return loginType + " " + accountName + " " + sourceIp;
}

console.log(getDetails(content));

See here: https://jsfiddle.net/mcgraphix/nrwau8ex/13/

mcgraphix
  • That is getting closer however upon testing, it generates the following error: SyntaxError: unterminated statement (line 6) – Carter Jun 16 '22 at 12:10
  • My guess is you have some other issue. You can see the code above working here: https://jsfiddle.net/mcgraphix/nrwau8ex/3/ Note... the way you are extracting the text from each line could be improved. I know it wasn't part of your question, but I updated my answer to remove all the substringing you were doing. Improvements are here: https://jsfiddle.net/mcgraphix/nrwau8ex/13/ – mcgraphix Jun 16 '22 at 12:37
  • That's really awesome. I appreciate what you entered in. Zabbix includes some basic JavaScript for doing this with Windows event logs. I have been modifying their basic code to extract the pieces of the logs I need. So far, it's been good. But this is causing an issue. I tried what you provided above and I still get an error in Zabbix. It says SyntaxError: unterminated statement (line 7) now. I wish I could post screenshots but I can't it seems. Perhaps Zabbix has a more limited version of JavaScript to be able to handle this. – Carter Jun 16 '22 at 13:51
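The same extraction done by section instead of by occurrence count, as an added example that is not part of the question or the answer: it reads the user from the New Logon block, splits only at the first colon so an IPv6 source address survives, and sticks to ES5 syntax (var, no destructuring, no template literal), since the "unterminated statement" errors reported in the comments fall on the let line of each snippet. The Network Information block and the sample event are assumed and constructed here; the question's excerpt stops before that block.

```javascript
// Added example (not from the question or the answer). Reads the 4624 body by
// section so the user comes from "New Logon", not from counting "Account Name".
function parse4624(value) {          // value: raw event text, as in Zabbix
  var section = "";                  // current block, e.g. "Subject", "New Logon"
  var fields = {};                   // "<section>.<key>" -> value
  value.split("\n").forEach(function (raw) {
    var line = raw.trim();
    var idx = line.indexOf(":");
    if (idx === -1) { return; }      // event id / description lines: no pair
    var key = line.substring(0, idx).trim();
    var val = line.substring(idx + 1).trim();  // split at the FIRST colon only,
    if (val === "") {                          // so IPv6 addresses stay whole
      section = key;   // a bare "Key:" line opens a block (assumption: real
      return;          // fields never have an empty value; Windows uses "-")
    }
    fields[section + "." + key] = val;
  });
  return fields;
}
// Same shape as the question's script: "<logon type> <DOMAIN\user> <source>".
function logonSummary(value) {
  var f = parse4624(value);
  var get = function (k) { return f.hasOwnProperty(k) ? f[k] : "- not found -"; };
  return get("Logon Information.Logon Type") + " " +
    get("New Logon.Account Domain") + "\\" + get("New Logon.Account Name") + " " +
    get("Network Information.Source Network Address");
}
// Constructed sample modelled on the event in the question, plus the standard
// "Network Information" block of a 4624 event with an IPv6 source address.
var SAMPLE_4624 = [
  "4624",
  "An account was successfully logged on.",
  "Subject:",
  "    Account Name:       SERVER$",
  "    Account Domain:     COMPANY",
  "",
  "Logon Information:",
  "    Logon Type:     7",
  "",
  "New Logon:",
  "    Account Name:       SUSAN",
  "    Account Domain:     COMPANY",
  "",
  "Network Information:",
  "    Source Network Address: 2001:db8::10"
].join("\n");
console.log(logonSummary(SAMPLE_4624)); // 7 COMPANY\SUSAN 2001:db8::10
```

In a Zabbix preprocessing step the body would simply be `return logonSummary(value);` after the two functions; keying fields by section also makes the Subject account (the caller) available separately from the New Logon account (the user), which is the distinction that matters when alerting on logons.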