Hello folks, I am having a difficult time extracting fields properly from the sudo.log file on several of our servers. Three examples of the data events are as follows:
Jun 7 16:51:05 : si : HOST=dsssplunk101 : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/si/billingdata/jianfang ; USER=root ; COMMAND=/usr/bin/sudosh sghosh
Jun 7 09:17:08 : srivas : HOST=dssbackup101 : command not allowed ; TTY=pts/4 ; PWD=/opt/SIDBBackup/cron ; USER=root ; COMMAND=/bin/su -
Jun 10 10:45:52 : balt : HOST=dssbackup101 : TTY=pts/1 ; PWD=/users/balt ; USER=root ; COMMAND=/usr/bin/sudosh
Jun 15 09:37:23 : srivas : HOST=dsssplunk101 : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sudosh
I want to be able to extract the error field as its own entity, like the following:
user NOT in sudoers
command not allowed
1 incorrect password attempt
However the closest I have gotten is as follows:
(?im)^[^=]*=\w+\s+:\s(?P<FIELDNAME>.+?)\s;\s[T]
which extracts
user NOT in sudoers
command not allowed
but does not extract
1 incorrect password attempt
When I use the built-in AI to create the extraction it always grabs the TTY=pts/* field and will not let me exclude it.
Any help would be greatly appreciated.
We found out what the issue with the regex statement was and were able to correct it. The issue is that the sudo.log file syntax shows up as having a return character at the end of the lines after they reach a certain length. We fixed this with the following:
HOST=\w+\s+:\s+(?P<FIELDNAME>.+);\s+T
Hmm. I tried your regex in a regex tool and it seems like your regex is actually working. Now it could be that there was some whitespace change when you posted your example, so perhaps you could try the following (slightly modified) regex. You can test your extractions interactively using the rex search command:
source=*sudo.log | rex "(?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY="
Once you get your regex working with rex, you can tie it to a source/sourcetype by adding it to one of your local props.conf files:
[syslog]
EXTRACT-sudo-message = (?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY=
Instead of using [syslog], you could also base it on the filename ("source"). Simply change the stanza name to [source::.../sudo.log], for example.
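To see why the answer's regex is more forgiving than the one in the question, here is an added example (not from the original thread or from Splunk) that runs both patterns in Python's re module over constructed copies of the four sample events. The second event carries a stray carriage return before the ";" to mimic the wrapped lines the asker reported; that placement is an assumption, as is the idea that the extra character lands inside the whitespace rather than elsewhere. The third event (a plain allowed command) has no status text, so a correct extraction must return nothing for it rather than grabbing a later field.

```python
import re

# Extraction regex from the answer above, in rex / props.conf EXTRACT form.
# (?P<name>...) is valid in both PCRE (Splunk) and Python's re.
SUDO_MESSAGE_RE = re.compile(r"(?i)^[^=]*=\w+\s+:\s*(?P<message>.+?)\s*;\s*TTY=")

# The asker's original attempt, kept for comparison. It demands exactly one
# whitespace character on each side of the ";" that precedes TTY.
ORIGINAL_RE = re.compile(r"(?im)^[^=]*=\w+\s+:\s(?P<FIELDNAME>.+?)\s;\s[T]")

# Constructed sample events modelled on the ones in the question. Event [1]
# contains a literal "\r" before the ";" (assumption: this is where the wrap
# character lands), event [2] is an allowed command with no status text.
SAMPLE_EVENTS = [
    "Jun 7 09:17:08 : srivas : HOST=dssbackup101 : command not allowed ; TTY=pts/4 ; "
    "PWD=/opt/SIDBBackup/cron ; USER=root ; COMMAND=/bin/su -",
    "Jun 7 16:51:05 : si : HOST=dsssplunk101 : 1 incorrect password attempt\r ; TTY=pts/1 ; "
    "PWD=/home/si/billingdata/jianfang ; USER=root ; COMMAND=/usr/bin/sudosh sghosh",
    "Jun 10 10:45:52 : balt : HOST=dssbackup101 : TTY=pts/1 ; PWD=/users/balt ; "
    "USER=root ; COMMAND=/usr/bin/sudosh",
    "Jun 15 09:37:23 : srivas : HOST=dsssplunk101 : user NOT in sudoers ; TTY=pts/0 ; "
    "PWD=/ ; USER=root ; COMMAND=/usr/bin/sudosh",
]


def extract_message(event, pattern=SUDO_MESSAGE_RE, group="message"):
    """Return the sudo status text for one event, or None when the event
    carries none (a successful, allowed command has no text before TTY=)."""
    m = pattern.search(event)
    return m.group(group) if m else None


def extract_all(events, pattern=SUDO_MESSAGE_RE, group="message"):
    """Apply the extraction to every event, as `| rex` does per event."""
    return [extract_message(e, pattern, group) for e in events]


if __name__ == "__main__":
    # repr() makes a captured "\r" visible, which is the whole point here.
    for event, msg in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print("answer regex  :", repr(msg))
    for event in SAMPLE_EVENTS:
        print("question regex:", repr(extract_message(event, ORIGINAL_RE, "FIELDNAME")))
```

With the answer's regex the "\r" is swallowed by `\s*` and the field comes out clean; with the question's regex the lazy `.+?` has to extend over the "\r" before `\s;` can match, so the captured value ends in a carriage return, which is invisible in a results table but breaks any exact-match search or stats on the field. The allowed-command event yields None under both patterns, because neither can find a ";" followed by "TTY=" after the hostname.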