Solved: Re: Extract mac address from different logs

marco_massari11 · ‎09-02-2022

Hi,

I'm trying to extract some fields from my Access Point Aruba in order to be CIM compliant. For authentication log I have two kinds of event:

Login failed:

cli[5405]: <341004> <WARN> AP:ML_AP01 <................................> Client 60:f2:62:8c:a8:a7 authenticate fail because RADIUS server authentication failure

Login success:

stm[5434]: <501093> <NOTI> AP:ML_AP01 <..................................> Auth success: 60:f2:62:8c:a8:a7: AP ...................................ML_AP01

My goal is to extract the mac address after "Client" in the first log and the mac after "Auth success" in the second one in a common field called "src", can someone please help me?

Thanks in advance!

ITWhisperer · ‎09-02-2022

| rex "(Client |Auth success: )(?<src>..:..:..:..:..:..)"

View solution in original post

ITWhisperer · ‎09-02-2022

| rex "(Client |Auth success: )(?<src>..:..:..:..:..:..)"

How to extract mac address from different logs?

field extraction

host

props.conf

syslog

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation