Hello folks, I am having a difficult time extracting fields properly from the sudo.log file on several of our servers. Three examples of the data events are as follows:
Jun 7 16:51:05 : si : HOST=dsssplunk101 : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/si/billingdata/jianfang ; USER=root ; COMMAND=/usr/bin/sudosh sghosh
Jun 7 09:17:08 : srivas : HOST=dssbackup101 : command not allowed ; TTY=pts/4 ; PWD=/opt/SIDBBackup/cron ; USER=root ; COMMAND=/bin/su -
Jun 10 10:45:52 : balt : HOST=dssbackup101 : TTY=pts/1 ; PWD=/users/balt ; USER=root ; COMMAND=/usr/bin/sudosh
Jun 15 09:37:23 : srivas : HOST=dsssplunk101 : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/sudosh
I want to be able to extract the error field as its own entity, like the following:
user NOT in sudoers
command not allowed
1 incorrect password attempt
However, the closest I have gotten is as follows:
(?im)^[^=]*=\w+\s+:\s(?P<FIELDNAME>.+?)\s;\s[T]
which extracts
user NOT in sudoers
command not allowed
but does not extract
1 incorrect password attempt
When I use the built-in AI to create the extraction, it always grabs the TTY=pts/* field and will not let me exclude it.
Any help would be greatly appreciated.
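An added, stand-alone example (not the poster's code and not part of the original thread) that parses the four sample events above with a regex tolerant of the wrapping sudo applies to long log lines. It assumes the real sudo.log wraps an entry across lines with the continuation indented by four spaces, which is the usual reason `\s;\s[T]` stops matching once the `;` and `TTY` land on different lines: there is more than one whitespace character between them. Replacing `\s;\s` with `\s*;\s*` and narrowing the captured text to `[^;=]+?` (so it can never swallow `TTY=...` on an event that carries no error) fixes both problems. The named-group syntax is PCRE-compatible, so the same pattern can be pasted into a Splunk field extraction; the parsed records also make it easy to alert on sudo failures.

```python
import re

# Constructed sample: the poster's four events, wrapped the way sudo wraps
# long log lines (continuation lines indented by four spaces is an assumption
# about the real file, not something shown in the post).
SAMPLE_LOG = """\
Jun 7 16:51:05 : si : HOST=dsssplunk101 : 1 incorrect password attempt ;
    TTY=pts/1 ; PWD=/home/si/billingdata/jianfang ; USER=root ;
    COMMAND=/usr/bin/sudosh sghosh
Jun 7 09:17:08 : srivas : HOST=dssbackup101 : command not allowed ; TTY=pts/4 ;
    PWD=/opt/SIDBBackup/cron ; USER=root ; COMMAND=/bin/su -
Jun 10 10:45:52 : balt : HOST=dssbackup101 : TTY=pts/1 ; PWD=/users/balt ;
    USER=root ; COMMAND=/usr/bin/sudosh
Jun 15 09:37:23 : srivas : HOST=dsssplunk101 : user NOT in sudoers ; TTY=pts/0 ;
    PWD=/ ; USER=root ; COMMAND=/usr/bin/sudosh
"""

# The poster's pattern with two changes: "\s;\s[T]" relaxed to "\s*;\s*TTY" so
# a wrapped "; <newline> <indent> TTY" still matches, and the capture limited
# to "[^;=]" so it cannot run into "TTY=..." when no error text is present.
POSTER_STYLE_RE = re.compile(
    r"(?im)^[^=]*=\w+\s+:\s(?P<FIELDNAME>[^;=]+?)\s*;\s*TTY"
)

# A line that starts an event: "Mon dd hh:mm:ss :". Indented continuation
# lines do not match this, so they get glued onto the preceding event.
EVENT_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s:")

# Full structured parse of one (unwrapped) event. The error clause is optional
# because successful invocations (third sample) have none.
EVENT_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s:\s"
    r"(?P<invoking_user>\S+)\s:\s"
    r"HOST=(?P<host>\S+)\s:\s"
    r"(?:(?P<error>[^;=]+?)\s*;\s*)?"
    r"TTY=(?P<tty>\S+)\s*;\s*"
    r"PWD=(?P<pwd>\S+)\s*;\s*"
    r"USER=(?P<target_user>\S+)\s*;\s*"
    r"COMMAND=(?P<command>.+)$"
)


def extract_error_fields(text):
    """Run the corrected poster-style regex over the raw, still-wrapped log."""
    return POSTER_STYLE_RE.findall(text)


def iter_events(text):
    """Yield each sudo.log entry as a single line, continuation lines joined."""
    buf = []
    for line in text.splitlines():
        if EVENT_START.match(line) and buf:
            yield " ".join(part.strip() for part in buf)
            buf = []
        buf.append(line)
    if buf:
        yield " ".join(part.strip() for part in buf)


def parse_sudo_log(text):
    """Return a list of dicts, one per event; 'error' is None on success."""
    records = []
    for event in iter_events(text):
        match = EVENT_RE.match(event)
        if match is None:
            # Unparsed entries are skipped here; in production count them so a
            # format change does not silently blind the detection.
            continue
        records.append(match.groupdict())
    return records


def sudo_failures(records):
    """Only the events that carry an error clause (the ones worth alerting on)."""
    return [r for r in records if r["error"] is not None]


if __name__ == "__main__":
    for rec in sudo_failures(parse_sudo_log(SAMPLE_LOG)):
        print(f"{rec['timestamp']} {rec['host']} {rec['invoking_user']} "
              f"-> {rec['target_user']}: {rec['error']} ({rec['command']})")
```

Running it prints the three failing events; the successful `balt` invocation is parsed but filtered out by `sudo_failures`.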