I need help with the regular expression for field extraction of login status:
Successful:
source="/var/log/secure" | rex field=_raw " user (?<user>[^ ]+)" | search user="*" | chart count BY host,user
Failed:
source="/var/log/secure" | rex field=_raw " invalid user (?<user>[^ ]+)" | search user="*" | chart count BY host,user
Is this the right way to do it, or is there a better way?
Please help.
Assuming your regex is correctly extracting the users, I would try it like this (I would always throw in the index and sourcetype as well)
Successful
index=yourIndex sourcetype=yourSourcetype source="/var/log/secure" "session opened for user " | rex field=_raw "session opened for user (?<user>[^ ]+)" | chart count BY host,user
Failed
index=yourIndex sourcetype=yourSourcetype source="/var/log/secure" fail OR invalid | rex field=_raw " invalid user (?<user>[^ ]+)" | chart count BY host,user
@somesoni2 Awesome, thanks a lot, but the failed regex is adding a NULL user and I am unable to figure it out.
Answer:
source="/var/log/secure" input_userauth_request AND (fail OR invalid) | rex field=_raw " invalid user (?<user>[^ ]+)" | chart count BY host,user
What does the log entry look like? Can you share one event with successful logon and one with failed logon?
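As an added illustration (not part of the thread, and Python rather than Splunk), the snippet below emulates the `search | rex | chart count BY host,user` pipeline over constructed sshd lines in the usual /var/log/secure format. It assumes the NULL user in the failed chart comes from failure events that carry no "invalid user" text, such as a failed password for an existing account like root, which the " invalid user " regex cannot extract; a broader failure pattern with an optional "invalid user " prefix is shown alongside it. Host names, user names and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample /var/log/secure lines (sshd/pam message formats); not real data.
SAMPLE_EVENTS = [
    "Mar  3 10:01:02 web01 sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  3 10:01:40 web01 sshd[1240]: input_userauth_request: invalid user admin [preauth]",
    "Mar  3 10:01:41 web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 4444 ssh2",
    "Mar  3 10:02:05 db01 sshd[2201]: Failed password for root from 203.0.113.7 port 4445 ssh2",
    "Mar  3 10:02:30 db01 sshd[2210]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
]

# Syslog prefix: month, day, time, then the host field Splunk would normally supply.
HOST_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) ")
# Same patterns as the SPL rex calls; Python spells a named group (?P<user>...) instead of (?<user>...).
SUCCESS_RE = re.compile(r"session opened for user (?P<user>[^ ]+)")
INVALID_RE = re.compile(r" invalid user (?P<user>[^ ]+)")
# Broader failure pattern (assumed improvement): "invalid user " is optional, so failed
# logons for existing accounts are captured too instead of producing a NULL user.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>[^ ]+) from")


def rex(event, pattern):
    """Emulate `rex`: return the named capture, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("user") if m else None


def chart_by_host_user(events, terms, pattern):
    """Emulate `search <terms> | rex ... | chart count BY host,user`.

    Search terms are matched case-insensitively and any-of (like `fail OR invalid`).
    A None key in the result is the NULL user the chart would show.
    """
    counts = Counter()
    for ev in events:
        if not any(t in ev.lower() for t in terms):
            continue
        m = HOST_RE.match(ev)
        host = m.group("host") if m else None
        counts[(host, rex(ev, pattern))] += 1
    return dict(counts)


if __name__ == "__main__":
    print("successful:", chart_by_host_user(SAMPLE_EVENTS, ["session opened for user"], SUCCESS_RE))
    print("failed (invalid user only):", chart_by_host_user(SAMPLE_EVENTS, ["fail", "invalid"], INVALID_RE))
    print("failed (any account):", chart_by_host_user(SAMPLE_EVENTS, ["failed password"], FAILED_RE))
```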