I have 2 events from 2 different systems which are displaying slightly different authentication successful messages (due to running different version firmware) but need to catch 'success' in the action.
Sample
Oct 23 03:50:36 2015 [192.168.1.2] authmgr[596]: <522008> <NOTI> |authmgr| User authenticated: Name=john.doe MAC=d8:45:95:37:19:3a IP=192.168.1.24 method=802.1x server=radius.lab.com role=authenticated
Oct 23 03:49:53 lab2 authmgr[1883]: <522008> <NOTI> <lab2 192.168.1.10> User Authentication Successful: username=mary.jane MAC=c0:aa:d1:db:7d:f8 IP=192.168.2.34 role=authenticated VLAN=601 AP=32.3.4 SSID=ssidlab AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com
Both of these are success auths.
transforms.conf
[aruba_user_action]
REGEX = User\s+(authenticated)|Authentication\s+(Successful|Failed)
FORMAT = aruba_user_action::$1
[aruba_user_action_lookup]
filename = aruba_user_action.csv
I have tried variations of the REGEX but I can only capture either one or the other log sample but not both.
Thanks in advance.
Hi pjohnson,
Try the following,
REGEX = User\s+(?:Authentication\s+)?(authenticated|Successful|Failed):
Or this for a more generic match
REGEX = User\s+(?:Authentication\s)?(\w+):
Note how you can use ?: to define a non-captured group in regex. Here's a link to regex101 if you would like to see what the regex is doing: https://regex101.com/r/bX8vH0/1
Hope this helps.
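A quick way to check both patterns against the two sample events outside Splunk (an added example, not code from the question or the answer above; Python's re stands in for Splunk's PCRE, the third "Failed" event is constructed, and the contents of aruba_user_action.csv are assumed):

```python
import re

# Sample events: the two lines from the question plus one constructed failure event.
EVENTS = [
    "Oct 23 03:50:36 2015 [192.168.1.2] authmgr[596]: <522008> <NOTI> |authmgr| User authenticated: Name=john.doe MAC=d8:45:95:37:19:3a IP=192.168.1.24 method=802.1x server=radius.lab.com role=authenticated",
    "Oct 23 03:49:53 lab2 authmgr[1883]: <522008> <NOTI> <lab2 192.168.1.10> User Authentication Successful: username=mary.jane MAC=c0:aa:d1:db:7d:f8 IP=192.168.2.34 role=authenticated VLAN=601 AP=32.3.4 SSID=ssidlab AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com",
    # Constructed, not from the question: same format as the second system, but a failure.
    "Oct 23 03:51:02 lab2 authmgr[1883]: <522008> <NOTI> <lab2 192.168.1.10> User Authentication Failed: username=mary.jane MAC=c0:aa:d1:db:7d:f8 IP=192.168.2.34",
]

# The regex from the question: the alternation puts Successful/Failed into group 2,
# so FORMAT = aruba_user_action::$1 gets nothing for the second system's events.
ORIGINAL_REGEX = re.compile(r"User\s+(authenticated)|Authentication\s+(Successful|Failed)")

# The regex from the answer: the optional non-capturing group keeps the value in group 1.
FIXED_REGEX = re.compile(r"User\s+(?:Authentication\s+)?(authenticated|Successful|Failed):")

# Assumed contents of aruba_user_action.csv: raw captured token -> normalized action.
ACTION_LOOKUP = {
    "authenticated": "success",
    "Successful": "success",
    "Failed": "failure",
}


def extract_original(event):
    """Mimic FORMAT = aruba_user_action::$1 with the question's regex (group 1 only)."""
    m = ORIGINAL_REGEX.search(event)
    return m.group(1) if m else None


def extract_fixed(event):
    """Mimic FORMAT = aruba_user_action::$1 with the answer's regex."""
    m = FIXED_REGEX.search(event)
    return m.group(1) if m else None


def normalize_action(event):
    """Extract with the fixed regex, then apply the lookup to get 'success' / 'failure'."""
    raw = extract_fixed(event)
    return ACTION_LOOKUP.get(raw) if raw else None


if __name__ == "__main__":
    for ev in EVENTS:
        print(extract_original(ev), extract_fixed(ev), normalize_action(ev))
```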