Hi guys,
I hope this is an easy one for you. We have Solaris 9 boxes sending syslogs to an NFS share, and our Splunk 4.3 instance consumes them. We need to generate mgmt reports capturing all user logins to Solaris, mainly via SSH and ALOM (SC). I cannot seem to extract the fields correctly for both entry points because the log syntax is different for each login method. Here is an example for SSH:
"10:23:41.000 AM <38>1 2013-01-28T10:23:41-05:00 solaris_host sshd 26371 - - sshd[26371]: [ID 800047 auth.info] Accepted password for root from 1.2.3.4 port 63843 ssh2
source=/nfssoruce/syslogs host=ssolaris_host"
and this is for ALOM logins:
"10:58:05.000 PM <5>1 2013-01-21T22:58:05-05:00 solaris_host rmclomv - - - rmclomv: [ID 197766 kern.notice] SC Login: User some_user Logged out.
source=/nfssoruce/syslogs host=solaris_host"
Would anyone have a handy regex or lookup for this scenario? In general, what is the best approach to parse Solaris 9 syslogs?
Thank you kindly.
Here is a regex matching both with an OR condition:
| rex "(Accepted password for |SC Login: User )(?<username>\w+)" | table username _raw
(remove the extra spaces in the xml tag; I had to add them as the forum was escaping the whole attribute)
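As an added illustration that is not part of this thread, here is the same alternation idea worked out in Python over sample events constructed in the two formats shown above; it also pulls out the source address, the login method and the login/logout action so a report can distinguish the two entry points. The ALOM "Logged in" line is constructed by analogy with the "Logged out" example and is an assumption, as are the function names.

```python
import re

# Constructed sample events in the two formats from the question (not real logs).
SAMPLE_EVENTS = [
    "<38>1 2013-01-28T10:23:41-05:00 solaris_host sshd 26371 - - sshd[26371]: "
    "[ID 800047 auth.info] Accepted password for root from 1.2.3.4 port 63843 ssh2",
    "<5>1 2013-01-21T22:58:05-05:00 solaris_host rmclomv - - - rmclomv: "
    "[ID 197766 kern.notice] SC Login: User some_user Logged out.",
    # Assumed counterpart of the "Logged out" line, built by analogy.
    "<5>1 2013-01-21T22:50:12-05:00 solaris_host rmclomv - - - rmclomv: "
    "[ID 197766 kern.notice] SC Login: User some_user Logged in.",
]

# Header fields first, then an alternation for the two login-message syntaxes.
# Unmatched named groups come back as None, which tells us which branch fired.
LOGIN_RE = re.compile(
    r"^<\d+>\d+\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>sshd|rmclomv)\b.*?"
    r"(?:Accepted\s+(?P<method>\w+)\s+for\s+(?P<ssh_user>[\w.-]+)\s+from\s+"
    r"(?P<src>\S+)\s+port\s+(?P<port>\d+)"
    r"|SC Login:\s+User\s+(?P<sc_user>[\w.-]+)\s+Logged\s+(?P<sc_action>in|out))"
)


def parse_login(event):
    """Return a normalised login record for one event, or None if it is not a login."""
    m = LOGIN_RE.search(event)
    if not m:
        return None
    d = m.groupdict()
    base = {"ts": d["ts"], "host": d["host"]}
    if d["ssh_user"]:
        base.update(channel="ssh", user=d["ssh_user"], action="login",
                    method=d["method"], src=d["src"])
    else:
        base.update(channel="alom", user=d["sc_user"],
                    action="login" if d["sc_action"] == "in" else "logout",
                    method="sc", src=None)
    return base


def login_report(events):
    """Count successful logins per (channel, user), ignoring logouts and noise."""
    counts = {}
    for event in events:
        rec = parse_login(event)
        if rec and rec["action"] == "login":
            key = (rec["channel"], rec["user"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for channel_user, n in sorted(login_report(SAMPLE_EVENTS).items()):
        print(channel_user, n)
```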
You are welcome.
Dear yannK,
Bullseye! Works like a charm with few cosmetic touches. Thank you kindly.
DanSavage, appreciate your assistance as well.
Nice, like that.
If sshd appears in the event and the rmclomv text is distinct in your events then you can separate out the results in the search criteria. Even if you need to show the 2 in the same report, you can sum as separate totals. Other than that yes of course you can regex them out as say different source types, but it hardly seems to be worth it. Keep it simple? 😉
Understood. Yannk did the business below 😉
DaveSavage,
Yes, I can separate based on the process name (sshd or rmclomv), but separating the usernames is somehow a challenge. My regex skills are not too good yet, and this catches a lot of noise in the extraction. For one, this regex from the built-in field extractor:
"(?i)^(?:[^]]*]){2}\s+\w+\s+\w+\s+\w+\s+(?P
against the very 1st example (see above)
gets me 1 username but also 4 useless extracts from the string, including dashes and prepositions.