https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101911#M26321 <P>Hi guys,<BR /> I hope this is an easy one for you. We have Solaris 9 boxes sending syslogs to nfs share and our Splunk 4.3 consumes them. We need to generate mgmt reports capturing all user logins to Solaris via mainly SSH and ALOM (SC). I cannot seem to extract the fields correctly for both entry points because the log syntax is different for each log-in method. Here is an example for SSH:<BR /> "10:23:41.000 AM &lt;38&gt;1 2013-01-28T10:23:41-05:00 solaris_host sshd 26371 - - sshd[26371]: [ID 800047 auth.info] Accepted password for root from 1.2.3.4 port 63843 ssh2<BR /> source=/nfssoruce/syslogs host=ssolaris_host"</P> <P>and this is for ALOM logins:<BR /> "10:58:05.000 PM &lt;5&gt;1 2013-01-21T22:58:05-05:00 solaris_host rmclomv - - - rmclomv: [ID 197766 kern.notice] SC Login: User some_user Logged out.<BR /> source=/nfssoruce/syslogs host=solaris_host"</P> <P>Would anything have a handy regex or lookup for this scenario? In general, what is the best approach to parse Solaris 9 syslogs?<BR /> Thank you kindly.</P> Mon, 28 Sep 2020 13:11:46 GMT cgisplunk 2020-09-28T13:11:46Z https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101911#M26321 <P>Hi guys,<BR /> I hope this is an easy one for you. We have Solaris 9 boxes sending syslogs to nfs share and our Splunk 4.3 consumes them. We need to generate mgmt reports capturing all user logins to Solaris via mainly SSH and ALOM (SC). I cannot seem to extract the fields correctly for both entry points because the log syntax is different for each log-in method. Here is an example for SSH:<BR /> "10:23:41.000 AM &lt;38&gt;1 2013-01-28T10:23:41-05:00 solaris_host sshd 26371 - - sshd[26371]: [ID 800047 auth.info] Accepted password for root from 1.2.3.4 port 63843 ssh2<BR /> source=/nfssoruce/syslogs host=ssolaris_host"</P> <P>and this is for ALOM logins:<BR /> "10:58:05.000 PM &lt;5&gt;1 2013-01-21T22:58:05-05:00 solaris_host rmclomv - - - rmclomv: [ID 197766 kern.notice] SC Login: User some_user Logged out.<BR /> source=/nfssoruce/syslogs host=solaris_host"</P> <P>Would anything have a handy regex or lookup for this scenario? In general, what is the best approach to parse Solaris 9 syslogs?<BR /> Thank you kindly.</P> Mon, 28 Sep 2020 13:11:46 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101911#M26321 cgisplunk 2020-09-28T13:11:46Z https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101912#M26322 <P>If sshd appears in the event and the rmclomv text is distinct in your events then you can separate out the results in the search criteria. Even if you need to show the 2 in the same report, you can sum as separate totals. Other than that yes of course you can regex them out as say different source types, but it hardly seems to be worth it. Keep it simple? <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 28 Jan 2013 16:08:56 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101912#M26322 DaveSavage 2013-01-28T16:08:56Z https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101913#M26323 <P>DaveSavage,<BR /> Yes, I can separate based on the process name - sshd or rmclomv - but separating the usernames is a challenge somehow. My regex skills are not too good yet and it catches a lot of noise into the extraction. For one, this regex from the built-in field extractor:<BR /> "(?i)^(?:[^]]*]){2}\s+\w+\s+\w+\s+\w+\s+(?P<FIELDNAME>[^ ]+)"<BR /> against the very 1st example (see above) <BR /> gets me 1 username but also 4 useless extracts from the string, incl. dashes and prepositions.</FIELDNAME></P> Mon, 28 Jan 2013 16:24:38 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101913#M26323 cgisplunk 2013-01-28T16:24:38Z https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101914#M26324 <P>here is a regex matching both with an OR condition </P> <P><CODE>| rex "(Accepted password for |SC Login: User )(?&lt; username &gt;\w+))" | table username _raw</CODE></P> <P>(remove the extra espaces in the xml tag, i had to add then the forum was escaping the whole attribute)</P> Mon, 28 Jan 2013 16:57:33 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101914#M26324 yannK 2013-01-28T16:57:33Z https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101915#M26325 <P>Understood. Yannk did the business below <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 28 Jan 2013 17:05:41 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101915#M26325 DaveSavage 2013-01-28T17:05:41Z https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101916#M26326 <P>Nicee..like that</P> Mon, 28 Jan 2013 17:06:56 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101916#M26326 DaveSavage 2013-01-28T17:06:56Z https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101917#M26327 <P>Dear yannK,</P> <P>Bullseye! Works like a charm with few cosmetic touches. Thank you kindly.<BR /> DanSavage, appreciate your assistance as well.</P> Tue, 29 Jan 2013 17:38:15 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101917#M26327 cgisplunk 2013-01-29T17:38:15Z https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101918#M26328 <P>You are welcome.</P> Tue, 29 Jan 2013 18:25:30 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-usernames-from-Solaris-9-syslog/m-p/101918#M26328 yannK 2013-01-29T18:25:30Z