I wrote a report that filters through Syslog and shows all Account Lockouts from Windows servers in the last 24 hours, and scheduled it to run daily. Works great. The problem is, the message payload looks like this (sanitized, obviously):
DCNAME Security: 644: NT AUTHORITY\SYSTEM: User Account Locked Out: Target Account Name: someusername Target Account ID: SERVERNAME Caller User Name: BLAH$ Caller Domain: BLAH Caller Logon ID: (0x0,0x3E7)
That makes for a cluttered report. Is there a way to just display only "someusername" in the report and filter out the rest? Using regex or SQL perhaps? That would be amazing.
Thanks.