Extracting usernames from Solaris 9 syslog

cgisplunk
Path Finder

Hi guys,
I hope this is an easy one for you. We have Solaris 9 boxes sending syslogs to an NFS share and our Splunk 4.3 consumes them. We need to generate management reports capturing all user logins to Solaris, mainly via SSH and ALOM (SC). I cannot seem to extract the fields correctly for both entry points because the log syntax is different for each login method. Here is an example for SSH:
"10:23:41.000 AM <38>1 2013-01-28T10:23:41-05:00 solaris_host sshd 26371 - - sshd[26371]: [ID 800047 auth.info] Accepted password for root from 1.2.3.4 port 63843 ssh2
source=/nfssoruce/syslogs host=ssolaris_host"

and this is for ALOM logins:
"10:58:05.000 PM <5>1 2013-01-21T22:58:05-05:00 solaris_host rmclomv - - - rmclomv: [ID 197766 kern.notice] SC Login: User some_user Logged out.
source=/nfssoruce/syslogs host=solaris_host"

Would anyone have a handy regex or lookup for this scenario? In general, what is the best approach to parse Solaris 9 syslogs?
Thank you kindly.


yannK
Splunk Employee

Here is a regex matching both with an OR condition:

| rex "(Accepted password for |SC Login: User )(?<username>\w+)" | table username _raw

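The accepted rex above, run outside Splunk so the matches can be inspected. This is an added example and not code from the thread: it applies the same alternation to the two event lines quoted in the question, plus two constructed lines (an ALOM "Logged in." and an sshd "Failed password for") whose exact wording is an assumption, not taken from the page. It also shows the caveat a login report needs to handle: the "SC Login: User" branch fires on "Logged out." as well, so a username-only extraction counts logouts as logins unless the action is captured too.

```python
import re

# Two syslog lines from the original post (Splunk's leading timestamp and the
# source/host fields dropped), plus two constructed variants. The "Logged in."
# and "Failed password for" wording is assumed, not taken from the page.
SAMPLE_LOGS = [
    "<38>1 2013-01-28T10:23:41-05:00 solaris_host sshd 26371 - - sshd[26371]: "
    "[ID 800047 auth.info] Accepted password for root from 1.2.3.4 port 63843 ssh2",
    "<5>1 2013-01-21T22:58:05-05:00 solaris_host rmclomv - - - rmclomv: "
    "[ID 197766 kern.notice] SC Login: User some_user Logged out.",
    "<5>1 2013-01-21T22:50:11-05:00 solaris_host rmclomv - - - rmclomv: "
    "[ID 197766 kern.notice] SC Login: User some_user Logged in.",  # constructed
    "<38>1 2013-01-28T10:22:09-05:00 solaris_host sshd 26370 - - sshd[26370]: "
    "[ID 800047 auth.info] Failed password for root from 1.2.3.4 port 63801 ssh2",  # constructed
]

# Same alternation as the accepted answer, with a valid named group.
COMBINED = re.compile(r"(?:Accepted password for |SC Login: User )(?P<username>\w+)")

# RFC 5424-style header: <pri>1 timestamp host ...
HEADER = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) ")

# Per-channel patterns that also capture the outcome, so logouts and failed
# attempts can be told apart from successful logins.
SSHD = re.compile(
    r"sshd\[(?P<pid>\d+)\]: .*?(?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?P<username>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)
ALOM = re.compile(r"rmclomv: .*?SC Login: User (?P<username>\S+) Logged (?P<action>in|out)\.")


def combined_usernames(lines):
    """Usernames as the accepted rex extracts them (logouts included)."""
    hits = (COMBINED.search(line) for line in lines)
    return [m["username"] for m in hits if m]


def parse_event(line):
    """Normalise one Solaris syslog line into a login-audit record, or None."""
    head = HEADER.match(line)
    if not head:
        return None
    event = {"ts": head["ts"], "host": head["host"]}
    m = SSHD.search(line)
    if m:
        event.update(
            channel="ssh",
            username=m["username"],
            src_ip=m["src_ip"],
            action="login" if m["result"] == "Accepted" else "failed_login",
        )
        return event
    m = ALOM.search(line)
    if m:
        event.update(
            channel="alom",
            username=m["username"],
            src_ip=None,  # the ALOM line carries no client address
            action="login" if m["action"] == "in" else "logout",
        )
        return event
    return None


def successful_logins(lines):
    """(channel, username) pairs for events that are actual logins."""
    events = (parse_event(line) for line in lines)
    return [(e["channel"], e["username"]) for e in events if e and e["action"] == "login"]


if __name__ == "__main__":
    print("rex-style:", combined_usernames(SAMPLE_LOGS))
    print("logins only:", successful_logins(SAMPLE_LOGS))
```

On the sample above the rex-style extraction returns `some_user` twice (once for the logout), while `successful_logins` returns one SSH login for `root` and one ALOM login for `some_user`. In Splunk the same refinement is a second named group on the rex, e.g. capturing `Logged (?<action>in|out)` for the rmclomv branch and `(?<result>Accepted|Failed)` for sshd, then filtering on it before counting.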

yannK
Splunk Employee

You are welcome.

cgisplunk
Path Finder

Dear yannK,

Bullseye! Works like a charm with a few cosmetic touches. Thank you kindly.
DaveSavage, appreciate your assistance as well.

DaveSavage
Builder

Nice, like that.

DaveSavage
Builder

If sshd appears in the event and the rmclomv text is distinct in your events, then you can separate out the results in the search criteria. Even if you need to show the two in the same report, you can sum them as separate totals. Other than that, yes, of course you can regex them out as, say, different source types, but it hardly seems worth it. Keep it simple? 😉

DaveSavage
Builder

Understood. yannK did the business below 😉

cgisplunk
Path Finder

DaveSavage,
Yes, I can separate based on the process name (sshd or rmclomv), but separating the usernames is somehow a challenge. My regex skills are not too good yet and it catches a lot of noise in the extraction. For one, this regex from the built-in field extractor:
"(?i)^(?:[^]]*]){2}\s+\w+\s+\w+\s+\w+\s+(?P<username>[^ ]+)"
against the very first example (see above)
gets me one username but also four useless extracts from the string, including dashes and prepositions.