Solved: How do I extract the status from authentication lo...

ysifusuf · ‎05-28-2019

Hello!
Please let me know how can I extract the status of the authentication from the following logs into an action field.

CRON: pam_unix(cron:session): session opened for user root by (uid=0)
CRON: pam_unix(cron:session): session closed for user root

thanks!

DavidHourani · ‎05-28-2019

Hi @ysifusuf,

You can get that extracted directly within your search as follows :

..... | rex field=_raw "([^:]+\:)+\ssession\s(?<action>\w+)\s"

Or if you add it as an extracted field to have it automatically on your next search as shown here for GUI:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Managesearch-timefieldextractions#Revie...
Or by editing props.conf :

[your_authentication_sourcetype]
EXTRACT-action = ([^:]+\:)+\ssession\s(?<action>\w+)\s

Cheers,
David

preactivity · ‎05-29-2019

You can also do like this,

| rex field=_raw "^(?:[^ \n]* ){3}(?P\w+)"

DavidHourani · ‎05-28-2019

Hi @ysifusuf,

You can get that extracted directly within your search as follows :

..... | rex field=_raw "([^:]+\:)+\ssession\s(?<action>\w+)\s"

Or if you add it as an extracted field to have it automatically on your next search as shown here for GUI:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Managesearch-timefieldextractions#Revie...
Or by editing props.conf :

[your_authentication_sourcetype]
EXTRACT-action = ([^:]+\:)+\ssession\s(?<action>\w+)\s

Cheers,
David

ysifusuf · ‎05-28-2019

Hey man,
it works, thanks
@DavidHourani

DavidHourani · ‎05-28-2019

you're welcome !

richgalloway · ‎05-28-2019

There are a number of ways to do that, depending on your specific needs. Here's one:

 index=foo | rex "session (?<action>\S+) for user (?<user>\S+)" | ...

---
If this reply helps you, Karma would be appreciated.

How do I extract the status from authentication logs into an action field?