Hello Everyone,
I'm trying to extract usernames from the logs of a proftpd.
An event looks like this:
2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful.
Simple usernames (ASDFG) work fine, as do usernames with _ like ASD_ASD. But as soon as the username contains the - character, it only extracts the first part of ASD-ASDASD.
How do I circumvent this? How can I extract strings that contain - ?
| makeresults
| eval _raw = "2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful."
| rex field=_raw ":\sUSER\s(?<user_id>[^:]*)"
| table user_id
What extraction are you currently using?
It was extracted automatically, and so far I trusted it until I realized it's not complete. Now I believe I need a regex that gets everything after the string USER and before the :
Extracting everything between "USER" and a colon (":") is relatively easy:
USER\s(?<username>[^:]*):
There is one caveat though. If your username contains a colon (":"), it will only capture the username up to (and without) that colon.
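To make the caveat concrete, here is an added example (not from the thread or the proftpd project) that runs the answer's pattern over constructed log lines in Python; Python's `re` spells the named group `(?P<username>...)` where Splunk's rex uses `(?<username>...)`. It also shows a greedy variant, assumed here as an alternative, that keeps a colon inside the username by stopping at the last ": " on the line instead of the first colon.

```python
import re

# Constructed sample proftpd log lines (not taken from the original thread).
SAMPLE_LOGS = [
    "2021-11-16 16:17:43,866 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD-ASDASD: Login successful.",
    "2021-11-16 16:18:01,102 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD_ASD: Login successful.",
    "2021-11-16 16:18:20,417 HOST proftpd[28071] 10.10.10.10 (11.11.11.11[22.22.22.22]): USER ASD:ASD: Login successful.",
]

# The answer's pattern: everything after "USER " up to the first colon.
# Hyphens and underscores are fine; a colon inside the username truncates it.
USER_RE = re.compile(r"USER\s(?P<username>[^:]*):")

# Greedy variant (an assumption added here, not from the thread): capture up to
# the LAST ": " on the line, so "ASD:ASD" survives. It relies on the message
# after the username always starting with ": " (e.g. ": Login successful.")
# and on that message itself containing no further ": ".
USER_GREEDY_RE = re.compile(r"USER\s(?P<username>.*):\s")


def extract_user(line, pattern=USER_RE):
    """Return the username captured by `pattern`, or None if it does not match."""
    m = pattern.search(line)
    return m.group("username") if m else None


def extract_all(lines, pattern=USER_RE):
    """Apply `extract_user` to every log line in order."""
    return [extract_user(line, pattern) for line in lines]


if __name__ == "__main__":
    for name, pat in (("first-colon", USER_RE), ("last-colon", USER_GREEDY_RE)):
        print(name, extract_all(SAMPLE_LOGS, pat))
```

The first pattern returns ASD for the third line (the colon caveat from the answer); the greedy variant returns ASD:ASD but would over-capture if the trailing message ever contained another ": ".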
BTW, you could try TA for proftpd - https://github.com/jewnix/TA-proftpd