I made one watcher for try to find specific sentence from my logs:
"Message": "Remote Desktop Services: User authentication succeeded"
Now, I want to parse rest of this log message and send to email like:
User successfully connected via RDP on from <remote_host>
I have a plan to make a one new watcher for unsuccessfully connection. It is necessary, or maybe I can write it inside this watcher?
How can I get username, hostname and remote_host in my BODY?