Hi guys,

My question maybe not only a Linux specific question but I hope you can help me.
I would like to catch two patterns in a text with AND logical operator if it is possible.
For example here it is a windows security event log which I want to store on Linux:

"User: Security Microsoft Windows security auditing.: [Success Audit] A network share object was checked to see whether client can be granted desired access.
(EventID 5145)"

Unfortunately windows EventID 5145 arrives with [Success Audit] and [Failure Audit] result but only what I need the [Failure Audit] with 5145 event id. So I have to do it with AND logical operator somehow but I can't so far. I have searched a lot on the internet and unfortunately I haven't found any good solution for it.

Can someone help me in it? Thanks in advance

Yes.
Show us what you have attempted (and the results) and we will then have something to work with.

Honestly I am not familiar with regex so I dont have any attempt. I tried to surf on the internet and check e.g http://regexr.com/ this or similar sites but I didnt find solution. Sry for my inexperienced attitude

Maybe we should step back one step and ask what tool are you going to be using to perform the task of extracting the data? Also, will it be coming from a file or a stream of data?

Ultimately this will not alter the regex all that much and you will need to show that you have made an attempt to solve this.

You might be interested to look at :- http://www.rubular.com/

Here you can paste in your test string and then build up the regex required to match it. It also lists many of the familiar options that can be used.
So have a few tries and come back and show us what has got you close and we will help you over the line with a solution

grep is usually the CLI tool of choice for simple text searching. If that text is over 2 records, it doesn't qualify as "simple" in this context. There are multi-line grep variants that may be useful.
Personally I might be inclined to use sed, but any language that support logic test will suffice (awk, perl, python, lua ...)

@grail
Thank you for your response
It is an syslog agent which work as a service on windows device and transfers data to a remote syslog server. Therefore it is a stream of data.
I have checked your link and I have tried to do something. Firstly I tried it with | operator but it didn't work. Then I tried this: (^Success|5145) but it didn't work either. Honestly I don't know how to use regex with AND operator, I mean two different patterns at two different locations in the same message and I would like to match it only these two patterns.

@syg00
I have to create this regex in syslog-ng-agent (balabit) on windows side. So I cant use grep or any other useful tool. The only thing that I can use regex, and I dont know how to do it :- / Sry

So, I was unaware that the data was actually on 2 lines, my wrong assumption was that the example had just run off the end of the line and was continuing on the next.

As you have advised that you are unable to use known tools, you will need to investigate syg00 information on whether or not the tool you are able to use is able to read multiple lines, I would think using '\n'
to navigate to the next line, or is able to store found data until the following line can be searched.

Try going back to the link I provided and using '\n' to see how it would join together 2 lines of data and then see if that can be used in your application?

Your regex will be along the lines:

1. Find first part of string
2. Get Everything up until the end of the line
3. Include the end of the line
4. Get everything up until the next part you need to find

See how you go?

There are some rather messy ways to do multi-line matches with grep, but other tools are more suitable. It's pretty simple with awk or perl, and is even fairly straightforward with sed:Explanation:

For lines that match the string "(Event ID 5145)",

1. Append the line to whatever is currently in the hold space,
2. Exchange the content of the hold space with the current line space,
3. Look for the string '[Failure Audit]', replace it with itself, and print the current space if the substitution occurred,
4. Jump to the end of the script.

Otherwise, save the current line in the hold space.

First thing you need to determine is if that data you showed is two (separate) lines or is just word-wrap. Being in double-quotes, maybe it is one line. You (we) have to be sure.

A quick look at the doco shows filter should work if all on one line (at the Windows source) - maybe something like No need for regex at all.
If it truly is over 2 lines, I can't help - I didn't see any indication of how to delay a message while the next is tested.
I did see mention of PCRE support, but the doco is appalling.