https://community.splunk.com/t5/Security/Transform-Action-for-two-different-Authentication-events/m-p/203988#M5877 <P>I have 2 events from 2 different systems which are displaying slightly different authentication sucessful messages (due to running differenent version firmware) but need to catch 'success' in the action.</P> <P><STRONG>Sample</STRONG></P> <PRE><CODE>Oct 23 03:50:36 2015 [192.168.1.2] authmgr[596]: &lt;522008&gt; &lt;NOTI&gt; |authmgr| User authenticated: Name=john.doe MAC=d8:45:95:37:19:3a IP=192.168.1.24 method=802.1x server=radius.lab.com role=authenticated Oct 23 03:49:53 lab2 authmgr[1883]: &lt;522008&gt; &lt;NOTI&gt; &lt;lab2 192.168.1.10&gt; User Authentication Successful: username=mary.jane MAC=c0:aa:d1:db:7d:f8 IP=192.168.2.34 role=authenticated VLAN=601 AP=32.3.4 SSID=ssidlab AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com </CODE></PRE> <P>Both of these are sucess auths.</P> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[aruba_user_action] REGEX = User\s+(authenticated)|Authentication\s+(Successful|Failed) FORMAT = aruba_user_action::$1 [aruba_user_action_lookup] filename = aruba_user_action.csv </CODE></PRE> <P>I have tried variations of the REGEX but I can only capture either one or the other log sample but not both.</P> <P>Thanks in advance.</P> Fri, 23 Oct 2015 03:57:32 GMT pjohnson1 2015-10-23T03:57:32Z https://community.splunk.com/t5/Security/Transform-Action-for-two-different-Authentication-events/m-p/203988#M5877 <P>I have 2 events from 2 different systems which are displaying slightly different authentication sucessful messages (due to running differenent version firmware) but need to catch 'success' in the action.</P> <P><STRONG>Sample</STRONG></P> <PRE><CODE>Oct 23 03:50:36 2015 [192.168.1.2] authmgr[596]: &lt;522008&gt; &lt;NOTI&gt; |authmgr| User authenticated: Name=john.doe MAC=d8:45:95:37:19:3a IP=192.168.1.24 method=802.1x server=radius.lab.com role=authenticated Oct 23 03:49:53 lab2 authmgr[1883]: &lt;522008&gt; &lt;NOTI&gt; &lt;lab2 192.168.1.10&gt; User Authentication Successful: username=mary.jane MAC=c0:aa:d1:db:7d:f8 IP=192.168.2.34 role=authenticated VLAN=601 AP=32.3.4 SSID=ssidlab AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com </CODE></PRE> <P>Both of these are sucess auths.</P> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[aruba_user_action] REGEX = User\s+(authenticated)|Authentication\s+(Successful|Failed) FORMAT = aruba_user_action::$1 [aruba_user_action_lookup] filename = aruba_user_action.csv </CODE></PRE> <P>I have tried variations of the REGEX but I can only capture either one or the other log sample but not both.</P> <P>Thanks in advance.</P> Fri, 23 Oct 2015 03:57:32 GMT https://community.splunk.com/t5/Security/Transform-Action-for-two-different-Authentication-events/m-p/203988#M5877 pjohnson1 2015-10-23T03:57:32Z https://community.splunk.com/t5/Security/Transform-Action-for-two-different-Authentication-events/m-p/203989#M5878 <P>Hi pjohnson,</P> <P>Try the following,</P> <PRE><CODE>REGEX = User\s+(?:Authentication\s+)?(authenticated|Successful|Failed): Or this for a more generic match REGEX = User\s+(?:Authentication\s)?(\w+): </CODE></PRE> <P>Note how you can use ?: to define a non-captured group in regex. Here's a link to regex101 if you would like to see what the regex is doing: <A href="https://regex101.com/r/bX8vH0/1">https://regex101.com/r/bX8vH0/1</A></P> <P>Hope this helps.</P> Fri, 23 Oct 2015 06:38:32 GMT https://community.splunk.com/t5/Security/Transform-Action-for-two-different-Authentication-events/m-p/203989#M5878 gcato 2015-10-23T06:38:32Z