Right now I'm using regex to pull data with the phrase "MFA challenge succeeded" using the following regex:
| rex "(?<MFA>[a-z,A-Z,\s,\bcode\b]+)account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+).\s+\w+\s+\w+\s+\w+\s+\w+\s+(?<keycloak_id>[a-z,0-9,-]+)"
from the following field:
message: MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111
However, in the message field, "MFA challenge succeeded" will often be different, such as:
MFA challenge issued
MFA code issued
MFA challenge failed.
I need a way to use regex to pull out messages where it says MFA challenge issued, MFA code issued, or MFA challenge failed, and then display them in a table.
The regex is looking for the phrase " with email ", but that text is not in the example event. Can you make sure the provided examples are correct, please?
Entries in a regex character class are not separated by commas. Use ([a-zA-Z\s]|\bcode\b) in place of [a-z,A-Z,\s,\bcode\b] and [a-z0-9-] in place of [a-z,0-9,-].
This rex command works with the provided text.
| rex "(?<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"
Thanks Rich, I've used the following code:
index=keycloak "MFA"
| rex "(?<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"
| where isnotnull(account)
| table account, email, keycloak, MFA, _time
However, in the MFA column of the table it's only printing "MFA challenge issued".
Were there other events during the selected time window? Can you please share them so I can verify the regex?
Yes there were other events as well such as:
message: MFA code issued for account bbbbbbbb with email example@example.com using sms. Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg
The events that say MFA code issued are going to be displayed in one table, then the events that say MFA challenge issued will be displayed in another table, etc.
I read the OP as wanting to put all MFAs in a single table rather than in separate tables. To put them into separate tables requires separate searches, each using a regex specific to the desired MFA.
Sorry, I should have been clearer. The regexes used to extract MFA challenge issued, MFA code issued, MFA successful, and MFA failed will all go into their own separate tables.
Thanks for clarifying. Separate tables call for separate searches and each search would have a rex command that matched only one of the MFA values.
I've tried using
| rex "(?<MFA>MFA (code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"
But that doesn't seem to want to work; at least when I test it on regex101 it doesn't like it.
Regex doesn't like it because it doesn't match the event. Despite similarities around "MFA", the messages are not the same.
message: MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111
has different noise words between the fields than does
message: MFA code issued for account bbbbbbbb with email example@example.com using sms. Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg
The regex needs to match the event from which you are extracting fields. Try this for "MFA code issued" events:
| rex "(?<MFA>MFA code issued) for account (?<account>\w+) with email (?<email>\S+) using sms\. Keycloak session id is (?<keycloak>\S+)"
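To make the point of this thread concrete (one regex per message variant, because the noise words between the fields differ), here is an added example that is not part of the thread. It reuses the two rex patterns from the answers above as JavaScript regex literals (the named-group syntax is the same), runs them over constructed sample messages, and buckets the extracted fields by MFA value, which is the per-variant split the OP wanted; the "User logged in" line is a constructed non-MFA event to show what gets dropped.

```javascript
// Added example, not code from the thread. Patterns are the rex regexes from the
// answers above; SAMPLE_MESSAGES are constructed samples based on the thread's events.
const PATTERNS = [
  // "challenge ..." messages: "for account X. Email is Y. Keycloak session id is Z"
  /(?<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)/,
  // "code issued" messages use different noise words ("with email", "using sms"),
  // so they need their own pattern even though the first one lists "code issued"
  /(?<MFA>MFA code issued) for account (?<account>\w+) with email (?<email>\S+) using sms\. Keycloak session id is (?<keycloak>\S+)/,
];

// Try each variant-specific pattern in turn; return the named groups of the first
// one that matches, or null when no variant matches (rex would leave the fields null).
function extractMfaFields(message) {
  for (const re of PATTERNS) {
    const m = re.exec(message);
    if (m) return { ...m.groups };
  }
  return null;
}

// Group extracted rows by MFA value: one array per MFA type, i.e. one table each.
// Skipping unmatched rows is the equivalent of "| where isnotnull(account)".
function bucketByMfa(messages) {
  const tables = {};
  for (const msg of messages) {
    const fields = extractMfaFields(msg);
    if (!fields) continue;
    if (!tables[fields.MFA]) tables[fields.MFA] = [];
    tables[fields.MFA].push(fields);
  }
  return tables;
}

// Constructed samples: the two message shapes from the thread plus one unrelated line.
const SAMPLE_MESSAGES = [
  "MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111",
  "MFA code issued for account bbbbbbbb with email example@example.com using sms. Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg",
  "User logged in for account ccccccc",
];

console.log(JSON.stringify(bucketByMfa(SAMPLE_MESSAGES), null, 2));
```

Note that PATTERNS[0] alone does not match the "code issued" sample even though its alternation contains "code issued", which is exactly why regex101 rejected the OP's attempt.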