Linux logs su failures like so:
Sep 23 15:23:25 linuxhost su[6903]: pam_unix(su-l:auth): authentication failure; logname= uid=99 euid=0 tty=pts/3 ruser=nobody rhost= user=myuser
Whereas solaris logs them like this:
Sep 23 15:07:50 solhost su[23608]: [ID 810491 auth.crit] 'su root' failed for myuser on /dev/pts/1
I wanted to extract a user field using the rex command and came up with the following:
for linux: I can just use the user field
for solaris: rex field=_raw "failed for (?<user>\w+) on"
So ultimately I'd like to be able to search for either string, and then extract the user field and report on that field regardless of log format. Any ideas?
Something like:
rex field=_raw ".*(?:failed for |user=)(?<user>\w+).*"
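The combined pattern from the answer above, exercised outside Splunk against both log formats. This is an added example, not part of the original thread; it uses Python's `(?P<name>...)` spelling for the named group, and the log lines (including the extra sshd and second Solaris entries) are constructed samples modelled on the two lines quoted in the question.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Same pattern as the answer, written with Python's (?P<name>...) named-group syntax.
# The leading greedy ".*" means the LAST "failed for " / "user=" in the line wins,
# so on the Linux line "ruser=nobody" is skipped and "user=myuser" is captured.
SU_FAILURE_RE = re.compile(r".*(?:failed for |user=)(?P<user>\w+).*")

# Constructed sample lines modelled on the formats in the question (hosts,
# pids and usernames are made up).
SAMPLE_LOGS = [
    "Sep 23 15:23:25 linuxhost su[6903]: pam_unix(su-l:auth): authentication failure; "
    "logname= uid=99 euid=0 tty=pts/3 ruser=nobody rhost= user=myuser",
    "Sep 23 15:07:50 solhost su[23608]: [ID 810491 auth.crit] 'su root' failed for myuser on /dev/pts/1",
    "Sep 23 15:09:12 solhost su[23611]: [ID 810491 auth.crit] 'su root' failed for bob on /dev/pts/2",
    # Not an su event: same pam_unix wording, but from sshd. It must not be counted.
    "Sep 23 15:10:00 linuxhost sshd[7001]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice",
]


def extract_user(line: str) -> Optional[str]:
    """Return the target user of an su failure in either format, else None."""
    # The rex alone would also match sshd's pam_unix lines, so restrict to the
    # su process first, as the Splunk search itself would.
    if "su[" not in line:
        return None
    m = SU_FAILURE_RE.match(line)
    return m.group("user") if m else None


def failures_by_user(lines: Iterable[str]) -> Counter:
    """The 'report on that field' step: count su failures per user across both formats."""
    return Counter(user for user in map(extract_user, lines) if user)
```

Note that `\w+` stops at the first character outside `[A-Za-z0-9_]`, so usernames containing a dot or hyphen would be truncated; widen the class if your site uses them.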
Oh neat, thanks. I didn't know there was an OR operator (the pipe) in a regex, and didn't think to parse out the name=value pair since it normally does it on its own anyway. Seems to do the trick, thanks!