Transform Action for two different Authentication events


I have 2 events from 2 different systems which are displaying slightly different authentication successful messages (due to running different firmware versions) but need to catch 'success' in the action.


Oct 23 03:50:36 2015 [] authmgr[596]: <522008> <NOTI> |authmgr|  User authenticated: Name=john.doe MAC=d8:45:95:37:19:3a IP= method=802.1x role=authenticated

Oct 23 03:49:53 lab2 authmgr[1883]: <522008> <NOTI> <lab2>  User Authentication Successful: username=mary.jane MAC=c0:aa:d1:db:7d:f8 IP= role=authenticated VLAN=601 AP=32.3.4 SSID=ssidlab AAA profile=Auth_AaaProfile auth method=802.1x auth

Both of these are success auths.


REGEX = User\s+(authenticated)|Authentication\s+(Successful|Failed)
FORMAT = aruba_user_action::$1

filename = aruba_user_action.csv

I have tried variations of the REGEX but I can only capture either one or the other log sample but not both.

Thanks in advance.



Hi pjohnson,

Try the following,

REGEX = User\s+(?:Authentication\s+)?(authenticated|Successful|Failed): 
Or this for a more generic match 
REGEX = User\s+(?:Authentication\s)?(\w+):

Note how you can use ?: to define a non-captured group in regex. Here's a link to regex101 if you would like to see what the regex is doing:

Hope this helps.
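
An added example, not part of the original thread: it runs the question's regex and the two suggested ones over the posted log lines to show what `$1` receives in each case. Python's `re` module stands in for Splunk's regex engine (an assumption; the constructs used here behave the same in both), and the failure line and the `first_group` and `report` helpers are constructed for illustration.

```python
import re

# The two log samples from the question (second one trimmed after VLAN).
LOG_V1 = ("Oct 23 03:50:36 2015 [] authmgr[596]: <522008> <NOTI> |authmgr|  "
          "User authenticated: Name=john.doe MAC=d8:45:95:37:19:3a IP= "
          "method=802.1x role=authenticated")
LOG_V2 = ("Oct 23 03:49:53 lab2 authmgr[1883]: <522008> <NOTI> <lab2>  "
          "User Authentication Successful: username=mary.jane "
          "MAC=c0:aa:d1:db:7d:f8 IP= role=authenticated VLAN=601")
# Constructed failure line (not from the thread), modelled on LOG_V2.
LOG_FAIL = ("Oct 23 03:51:02 lab2 authmgr[1883]: <522008> <NOTI> <lab2>  "
            "User Authentication Failed: username=mary.jane "
            "MAC=c0:aa:d1:db:7d:f8")

# Question's regex: the top-level "|" splits the whole pattern in two, so
# "Successful|Failed" lands in group 2 and $1 stays empty for that format.
ORIGINAL = r"User\s+(authenticated)|Authentication\s+(Successful|Failed)"
# Answer's regexes: the optional prefix is non-capturing, so the outcome
# word is always group 1.
FIXED = r"User\s+(?:Authentication\s+)?(authenticated|Successful|Failed):"
GENERIC = r"User\s+(?:Authentication\s)?(\w+):"

SAMPLES = (LOG_V1, LOG_V2, LOG_FAIL)


def first_group(pattern, line):
    """Return what FORMAT's $1 would hold: capture group 1, or None."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def report():
    """Map each regex name to its $1 value for every sample line."""
    patterns = (("original", ORIGINAL), ("fixed", FIXED), ("generic", GENERIC))
    return {name: [first_group(p, l) for l in SAMPLES] for name, p in patterns}


if __name__ == "__main__":
    for name, values in report().items():
        print(f"{name:9} {values}")
```

The generic `(\w+)` form captures whatever word precedes the colon, so a value the lookup does not list yields no normalized action; the explicit alternation only extracts the three known outcomes.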