Transform Action for two different Authentication ...

pjohnson1 · ‎10-22-2015

I have 2 events from 2 different systems which are displaying slightly different authentication sucessful messages (due to running differenent version firmware) but need to catch 'success' in the action.

Sample

Oct 23 03:50:36 2015 [192.168.1.2] authmgr[596]: <522008> <NOTI> |authmgr|  User authenticated: Name=john.doe MAC=d8:45:95:37:19:3a IP=192.168.1.24 method=802.1x server=radius.lab.com role=authenticated

Oct 23 03:49:53 lab2 authmgr[1883]: <522008> <NOTI> <lab2 192.168.1.10>  User Authentication Successful: username=mary.jane MAC=c0:aa:d1:db:7d:f8 IP=192.168.2.34 role=authenticated VLAN=601 AP=32.3.4 SSID=ssidlab AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com

Both of these are sucess auths.

transforms.conf

[aruba_user_action]
REGEX = User\s+(authenticated)|Authentication\s+(Successful|Failed)
FORMAT = aruba_user_action::$1

[aruba_user_action_lookup]
filename = aruba_user_action.csv

I have tried variations of the REGEX but I can only capture either one or the other log sample but not both.

Thanks in advance.

gcato · ‎10-22-2015

Hi pjohnson,

Try the following,

REGEX = User\s+(?:Authentication\s+)?(authenticated|Successful|Failed): 
Or this for a more generic match 
REGEX = User\s+(?:Authentication\s)?(\w+):

Note how you can use ?: to define a non-captured group in regex. Here's a link to regex101 if you would like to see what the regex is doing: https://regex101.com/r/bX8vH0/1

Hope this helps.

Transform Action for two different Authentication events

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life