#include <StringConstants.au3> ; to declare the Constants of StringRegExp
#include <Array.au3> ; UDF needed for _ArrayDisplay and _ArrayConcatenate
; Filter pattern for Windows Security events, two alternatives under (?m):
;   1) EventCode 4624, 4634 or 4625, then an "Account Name:" field whose line contains ".adm".
;      Groups: 1 = whole alternative, 2 = event code, 3 = field value (with leading whitespace).
;   2) EventCode 4659, 4663 or 5145, then an "Object Name:" field whose line contains "Test_share".
;      Groups: 4 = whole alternative, 5 = event code, 6 = field value (with leading whitespace).
; NOTE(review): \X* is greedy and also consumes line breaks, so nothing ties the field to the event
;   that carries the EventCode. If the subject text holds more than one event, a match can start in
;   one event and end on an Account Name / Object Name line of a later one. Confirm the consumer
;   applies the pattern per event, or bound the gap so it cannot cross the next "EventCode=".
; NOTE(review): "Account Name:" is not anchored, so it also matches inside "Network Account Name:".
; NOTE(review): \s+ can span line breaks and ".*\.adm.*" accepts ".adm" anywhere on the line, so
;   names such as "x.admin" qualify as well. Tighten this if only a ".adm" suffix is intended.
Local $sRegex = "(?m)(EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))"
; Sample subject text: two Security-log events in key=value form, joined with CRLF.
;   - EventCode=4624 (successful logon) whose "New Logon" account is user.adm
;   - EventCode=4659 (handle requested with intent to delete) on D:\Test_share\prova.txt
; Both events are positive cases for $sRegex. The sample holds no event that should be rejected
; (e.g. a 4624 for a non-.adm account), so it cannot reveal over-matching by the pattern.
; NOTE(review): host, domain and user values look like placeholders - confirm that no real
;   identifiers are pasted here before sharing the sample.
Local $sString = "05/03/2024 02:46:06 PM" & @CRLF & _
"LogName=Security" & @CRLF & _
"EventCode=4624" & @CRLF & _
"EventType=0" & @CRLF & _
"ComputerName=myhost" & @CRLF & _
"SourceName=Microsoft Windows security auditing." & @CRLF & _
"Type=Information" & @CRLF & _
"RecordNumber=0" & @CRLF & _
"Keywords=Audit Success" & @CRLF & _
"TaskCategory=Logon" & @CRLF & _
"OpCode=Info" & @CRLF & _
"Message=An account was successfully logged on." & @CRLF & _
"" & @CRLF & _
"Subject:" & @CRLF & _
" Security ID: NULL SID" & @CRLF & _
" Account Name: -" & @CRLF & _
" Account Domain: -" & @CRLF & _
" Logon ID: 0x0" & @CRLF & _
"" & @CRLF & _
"Logon Information:" & @CRLF & _
" Logon Type: 3" & @CRLF & _
" Restricted Admin Mode: -" & @CRLF & _
" Virtual Account: No" & @CRLF & _
" Elevated Token: Yes" & @CRLF & _
"" & @CRLF & _
"Impersonation Level: Delegation" & @CRLF & _
"" & @CRLF & _
"New Logon:" & @CRLF & _
" Security ID: DOMAIN\user.adm" & @CRLF & _
" Account Name: user.adm" & @CRLF & _
" Account Domain: DOMAIN.LOCAL" & @CRLF & _
" Logon ID: 0" & @CRLF & _
" Linked Logon ID: 0x0" & @CRLF & _
" Network Account Name: -" & @CRLF & _
" Network Account Domain: -" & @CRLF & _
" Logon GUID: {}" & @CRLF & _
"" & @CRLF & _
"Process Information:" & @CRLF & _
" Process ID: 0x0" & @CRLF & _
" Process Name: -" & @CRLF & _
"" & @CRLF & _
"Network Information:" & @CRLF & _
" Workstation Name: -" & @CRLF & _
" Source Network Address: " & @CRLF & _
" Source Port: 63095" & @CRLF & _
"" & @CRLF & _
"Detailed Authentication Information:" & @CRLF & _
" Logon Process: Kerberos" & @CRLF & _
" Authentication Package: Kerberos" & @CRLF & _
" Transited Services: -" & @CRLF & _
" Package Name (NTLM only): -" & @CRLF & _
" Key Length: 0" & @CRLF & _
"" & @CRLF & _
"" & @CRLF & _
"" & @CRLF & _
"04/30/2024 04:49:05 PM" & @CRLF & _
"LogName=Security" & @CRLF & _
"EventCode=4659" & @CRLF & _
"EventType=0" & @CRLF & _
"ComputerName=MyHost" & @CRLF & _
"SourceName=Microsoft Windows security auditing." & @CRLF & _
"Type=Information" & @CRLF & _
"RecordNumber=0" & @CRLF & _
"Keywords=Audit Success" & @CRLF & _
"TaskCategory=File System" & @CRLF & _
"OpCode=Info" & @CRLF & _
"Message=A handle to an object was requested with intent to delete." & @CRLF & _
"" & @CRLF & _
"Subject:" & @CRLF & _
" Security ID: myuser" & @CRLF & _
" Account Name: myuser" & @CRLF & _
" Account Domain: Domain" & @CRLF & _
" Logon ID: 0x580B3D59" & @CRLF & _
"" & @CRLF & _
"Object:" & @CRLF & _
" Object Server: Security" & @CRLF & _
" Object Type: File" & @CRLF & _
" Object Name: D:\Test_share\prova.txt" & @CRLF & _
" Handle ID: 0x0" & @CRLF & _
"" & @CRLF & _
"Process Information:" & @CRLF & _
" Process ID: 0x4" & @CRLF & _
"" & @CRLF & _
"Access Request Information:" & @CRLF & _
" Transaction ID: {00000000-0000-0000-0000-000000000000}" & @CRLF & _
" Accesses: DELETE" & @CRLF & _
" ReadAttributes" & @CRLF & _
" " & @CRLF & _
" Access Mask: 0x10080" & @CRLF & _
" Privileges Used for Access Check: -"
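; Run the pattern over the sample text. With $STR_REGEXPARRAYGLOBALFULLMATCH the result is an
; array with one entry per match; each entry is itself an array holding the full match followed
; by its capture groups.
Local $aArray = StringRegExp($sString, $sRegex, $STR_REGEXPARRAYGLOBALFULLMATCH)
; Save the status immediately: the next function call overwrites @error and @extended.
Local $iRegexError = @error, $iRegexExtended = @extended
If $iRegexError = 2 Then
    ; A malformed pattern must not be read as "no event matched": for a log filter that
    ; difference decides whether the rule is silent or simply broken.
    ConsoleWriteError("StringRegExp: bad pattern, error at offset " & $iRegexExtended & @CRLF)
ElseIf $iRegexError Then
    ConsoleWriteError("StringRegExp: no match in the sample text" & @CRLF)
EndIf
; Flatten the per-match arrays into a single one-dimensional array for display.
Local $aFullArray[0]
If IsArray($aArray) Then
    For $i = 0 To UBound($aArray) - 1
        _ArrayConcatenate($aFullArray, $aArray[$i])
    Next
EndIf
$aArray = $aFullArray
; Present the entire match result (an empty list when nothing matched or the pattern was invalid)
_ArrayDisplay($aArray, "Result")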
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for AutoIt, please visit: https://www.autoitscript.com/autoit3/docs/functions/StringRegExp.htm