Here is an example log entry I'm trying to do field extractions from:
2012 Jun 22 11:15:08 server.company.com [authpriv.notice] sshd[8410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.company.com user=joe
In all of the events I've seen, the logname= and ruser= fields are always empty. But I cannot be sure that they will always be empty in future events. If I do a field extraction like the following, it never matches:
failure;\slogname\=(?P
Why won't the logname=(one or more characters that aren't a space) work? And how can I work around it?
Thx.
Craig
failure;\slogname\=(?P<logname>\S*)\s+uid\=(?P<uid>\d+)
would be simpler.
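As an added illustration (not part of the thread), this Python check shows why a `\S+` capture never matches an empty logname and how the `\S*` form from the answer extracts both empty and populated values; the second sample line and the extension to the other key=value fields are my own constructions.

```python
import re

# Constructed sample lines (not from the original post). The first mirrors the
# question's format with empty logname/ruser; the second shows populated values.
LOG_LINES = [
    "2012 Jun 22 11:15:08 server.company.com [authpriv.notice] sshd[8410]: "
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
    "tty=ssh ruser= rhost=host.company.com user=joe",
    "2012 Jun 22 11:15:09 server.company.com [authpriv.notice] sshd[8411]: "
    "pam_unix(sshd:auth): authentication failure; logname=bob uid=0 euid=0 "
    "tty=ssh ruser=bob rhost=10.0.0.5 user=joe",
]

# The question's approach: \S+ demands at least one non-space character, so
# "logname=" followed directly by a space can never match.
STRICT = re.compile(r"failure;\slogname\=(?P<logname>\S+)\s+uid\=(?P<uid>\d+)")

# The answer's approach: \S* also accepts an empty value. Applied here to
# every key=value field on the line, with \S* on the two that may be empty.
LENIENT = re.compile(
    r"failure;\slogname\=(?P<logname>\S*)\s+uid\=(?P<uid>\d+)"
    r"\s+euid\=(?P<euid>\d+)\s+tty\=(?P<tty>\S+)\s+ruser\=(?P<ruser>\S*)"
    r"\s+rhost\=(?P<rhost>\S+)\s+user\=(?P<user>\S+)"
)


def extract(line, pattern=LENIENT):
    """Return the named fields as a dict, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def extract_all(lines, pattern=LENIENT):
    """Extract fields from each line; None marks lines the pattern rejected."""
    return [extract(line, pattern) for line in lines]


if __name__ == "__main__":
    for line, strict, lenient in zip(LOG_LINES, extract_all(LOG_LINES, STRICT),
                                     extract_all(LOG_LINES)):
        print("strict :", strict)
        print("lenient:", lenient)
```

Running it shows the strict pattern returning None for the empty-logname line while the lenient one yields every field, with `logname` and `ruser` as empty strings.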
I figured it out. I have to do:
failure;\slogname\=(?P