Splunk Search

Regex for Sudo.log extractions

balt
New Member

Hello folks, I am having a difficult time extracting fields properly from the sudo.log file on several of our servers. Three examples of the data events are as follows:

Jun 7 16:51:05 : si : HOST=dsssplunk101 : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/si/billingdata/jianfang ; USER=root ; COMMAND=/usr/bin/sudosh sghosh

Jun 7 09:17:08 : srivas : HOST=dssbackup101 : command not allowed ; TTY=pts/4 ; PWD=/opt/SIDBBackup/cron ; USER=root ; COMMAND=/bin/su -

Jun 10 10:45:52 : balt : HOST=dssbackup101 : TTY=pts/1 ; PWD=/users/balt ; USER=root ; COMMAND=/usr/bin/sudosh

Jun 15 09:37:23 : srivas : HOST=dsssplunk101 : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sudosh

I want to be able to extract the error field as its own entity, like the following:

user NOT in sudoers
command not allowed
1 incorrect password attempt

However, the closest I have gotten is as follows:

(?im)^[^=]*=\w+\s+:\s(?P<FIELDNAME>.+?)\s;\s[T]

which extracts

user NOT in sudoers
command not allowed

but does not extract

1 incorrect password attempt

When I use the built-in AI to create the extraction it always grabs the TTY=pts/* field and will not let me exclude it.

Any help would be greatly appreciated.


balt
New Member

We found out what the issue with the regex statement was and were able to correct the issue. The issue is that the sudo.log file syntax shows up as having a return character at the end of the lines after they reach a certain length. We fixed this with the following:

HOST=\w+\s+:\s+(?P<FIELDNAME>.+);\s+T


Lowell
Super Champion

Hmm. I tried your regex in a regex tool and it seems like your regex is actually working. Now it could be that there is some whitespace change when you posted your example, so perhaps you could try the following (slightly modified) regex. You can test your extractions interactively using the rex search command:

source=*sudo.log | rex "(?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY="

Once you get your regex working with rex you can add it to tie it to a source/sourcetype within one of your local props.conf files:

[syslog]
EXTRACT-sudo-message = (?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY=

Instead of using [syslog] you could also make it based on the filename ("source") as well. Simply change the stanza name to [source::.../sudo.log], for example.
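The following is an added example, not code from any post in this thread, that runs the question's original regex and Lowell's modified regex side by side over the four sample events and shows why they differ on "1 incorrect password attempt". The first sample event is constructed with the line wrap balt describes (a newline after the ";" that precedes "TTY="; the four-space indentation of the continuation line is an assumption for this example), the other three are single-line copies of the posted events. Beyond the extraction itself, parse_sudo_event() and failures_by_user() are assumed helpers that pull out the remaining fields and group the error messages by invoking user, the shape a detection search over sudo.log would take once the message field is reliable.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the ones posted in the thread.
# The first one carries the line wrap the original poster found in sudo.log:
# a newline (plus indentation, an assumption for this example) after the ";"
# that separates the message from "TTY=". The other three are single-line.
SAMPLE_EVENTS = [
    "Jun 7 16:51:05 : si : HOST=dsssplunk101 : 1 incorrect password attempt ;\n"
    "    TTY=pts/1 ; PWD=/home/si/billingdata/jianfang ; USER=root ; COMMAND=/usr/bin/sudosh sghosh",
    "Jun 7 09:17:08 : srivas : HOST=dssbackup101 : command not allowed ; TTY=pts/4 ; "
    "PWD=/opt/SIDBBackup/cron ; USER=root ; COMMAND=/bin/su -",
    "Jun 10 10:45:52 : balt : HOST=dssbackup101 : TTY=pts/1 ; PWD=/users/balt ; "
    "USER=root ; COMMAND=/usr/bin/sudosh",
    "Jun 15 09:37:23 : srivas : HOST=dsssplunk101 : user NOT in sudoers ; TTY=pts/0 ; "
    "PWD=/ ; USER=root ; COMMAND=/usr/bin/sudosh",
]

# The question's regex: exactly one \s on each side of ";" means the message
# and "TTY=" must sit on the same line, so a wrapped event never matches.
STRICT_RE = re.compile(r"(?im)^[^=]*=\w+\s+:\s(?P<FIELDNAME>.+?)\s;\s[T]")

# Lowell's regex: \s* absorbs the newline and indentation of a wrapped line.
TOLERANT_RE = re.compile(r"(?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY=")

# Timestamp, invoking user and host that lead every sudo.log event.
HEAD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+:\s+(?P<invoking_user>\S+)\s+:\s+HOST=(?P<host>\w+)"
)

# "KEY=value" pairs; each value runs until the next " ; KEY=" or the end of
# the event, so COMMAND may contain spaces and a value may follow a wrapped line.
KV_RE = re.compile(
    r"(TTY|PWD|USER|COMMAND)=(.*?)(?=\s*;\s*(?:TTY|PWD|USER|COMMAND)=|\Z)", re.S
)


def extract(pattern, event):
    """Return the first capture group of `pattern` in `event`, or None when it does not match."""
    m = pattern.search(event)
    return m.group(1) if m else None


def compare(events=SAMPLE_EVENTS):
    """Run the strict and tolerant regexes side by side: one (strict, tolerant) pair per event."""
    return [(extract(STRICT_RE, e), extract(TOLERANT_RE, e)) for e in events]


def parse_sudo_event(event):
    """Split one sudo.log event into timestamp, invoking user, host, message and KEY=value fields.

    `message` is None for a successful sudo, which has no text between HOST and TTY.
    """
    head = HEAD_RE.match(event)
    if head is None:
        raise ValueError("not a sudo.log event: %r" % event)
    fields = head.groupdict()
    fields["message"] = extract(TOLERANT_RE, event)
    for key, value in KV_RE.findall(event):
        fields[key] = value.strip()
    return fields


def failures_by_user(events=SAMPLE_EVENTS):
    """Group error messages by invoking user; successful sudos (no message) are skipped."""
    failures = defaultdict(list)
    for event in events:
        parsed = parse_sudo_event(event)
        if parsed["message"]:
            failures[parsed["invoking_user"]].append(parsed["message"])
    return dict(failures)


if __name__ == "__main__":
    for strict, tolerant in compare():
        print("strict=%-32r tolerant=%r" % (strict, tolerant))
    for user, messages in failures_by_user().items():
        print(user, messages)
```

On the wrapped event the strict regex returns None while the tolerant one returns the message, which is the symptom described in the question; on the successful sudo (no text between HOST and TTY) both correctly return None, so the extracted field is populated only for errors. The same `\s*` loosening is what makes the props.conf EXTRACT above hold up against wrapped lines.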
