Need help forming regex to extract username from log

jcorkey — Wed, 02 Aug 2017 15:05:08 GMT

trying to search for when sudo user1 adds user2 to a group and I want to extract the name of the user2 that was added to a group.
I am searching the audit.log file from my universal forwarder that's running on a Linux box. I am having trouble using regex to grab the name from acct="NAME" field because of the double quotes.

Below is my search string and log results:

search string:
index=* host=* sourcetype="*" "usermod" OR "visudo" AND "type=USER_MGMT"

log results:
type=USER_MGMT msg=audit(1501611744.115:10994): pid=24473 uid=0 auid=1002 ses=1236 msg='op=add-user-to-shadow-group grp="wheel" acct="addbyjoe" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/1 res=success'

How to I extract the name(addbyjoe) from acct="addbyjoe" in the log results above?

Re: Need help forming regex to extract username from log

gcusello — Wed, 02 Aug 2017 15:14:52 GMT

Hi jcorkey,
if the format of your logs is the one you described in your question, Splunk already extracts acct field.
otherwise you have to use a regex like the following

| rex "acct\=\"(?<user>[^\"]*)\""

if it doesn'r run, please share an example of your logs.
Bye.
Giuseppe

topic Re: Need help forming regex to extract username from log in Splunk Search

Need help forming regex to extract username from log

Re: Need help forming regex to extract username from log