import re
regex = re.compile(r"Audit (?P<audit_outcome>Success|Failure),(?P<log_date>.*)\s+(?P<log_time>.*),Microsoft-Windows-Security-Auditing,(?P<event_id>\d+),(?P<category>.*),(?P<event_message>.*)\s+Subject:\s+Security ID:\s+(?P<subject_security_id>.*)\s+Account Name:\s+(?P<subject_account_name>.*)\s+Account Domain:\s+(?P<subject_account_domain>.*)\s+Logon ID:\s+(?P<subject_logon_id>.*)\s+Process Information:\s+Process ID:\s+(?P<PI_process_id>.*)\s+Name:\s+(?P<PI_name>.*)\s+Previous Time:\s+(?P<previous_time>.*)\s+New Time:\s+(?P<new_time>.*)\s+(?P<audit_message>.*)")
test_str = ("Audit Success,29/08/2017 09:42:50,Microsoft-Windows-Security-Auditing,4616,Security State Change,\"The system time was changed.\n\n"
"Subject:\n"
" Security ID: LOCAL SERVICE\n"
" Account Name: LOCAL SERVICE\n"
" Account Domain: NT AUTHORITY\n"
" Logon ID: 0x3E5\n\n"
"Process Information:\n"
" Process ID: 0x3e8\n"
" Name: C:\\Windows\\System32\\svchost.exe\n\n"
"Previous Time: 2017-08-29T01:42:49.858143700Z\n"
"New Time: 2017-08-29T01:42:49.520000000Z\n\n"
"This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.\"")
matches = regex.finditer(test_str)
for match_num, match in enumerate(matches, start=1):
print(f"Match {match_num} was found at {match.start()}-{match.end()}: {match.group()}")
for group_num, group in enumerate(match.groups(), start=1):
print(f"Group {group_num} found at {match.start(group_num)}-{match.end(group_num)}: {group}")
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Python, please visit: https://docs.python.org/3/library/re.html