I am injecting logs from Microsoft multi-factor authentication server. Unfortunately, the log entries are rather inconsistent. Here is the example of logs depicting successful SMS-based authentication in reverse chronological order
May 13 11:12:54 server01 pfsvc: i|pendingSmses|updateSmsResult|#25c50ee6-d8fa-4725-96dd-dc7be580fadf|Updated authentication result. Call status: SUCCESS_SMS_AUTHENTICATED - SMS Authenticated
May 13 11:12:17 server01 pfsvc: Pfauth failed for user 'user1.lastname@mydomain.com' from 184.152.232.200. Call status: SUCCESS_SMS_SENT - "One-way SMS Sent".
As you can see the username and IP address is listed on one line and the result of the authentication is on the other. How can I build correlation between usernames and authentication results? I am not sure if my idea of stitching lines together with different LINE BREAKER in props.conf is a good one, since there are other non-authentication related log entries, which such approach may screw up.
Please, advise. Your suggestions will be greatly appreciated.
