How to create a sudo to root, dedup 24 hour by user report?
So far I have:
process=sudo "USER=root"| rex "(?i) PWD=(?P[^ ]+)"| table date_month, date_mday, host, path_name | dedup host|sort date_mday, host, path_name|rename "date_month" as "Month" "date_mday" as "Day" "host" as "Server" "path_name" as "User ID"
I am getting about 90% of what I want...But the dedup host is causing me to miss data related to multiple users sudo'ing into the same server on the same day. If I take dedup host out, I get numerous transactions of the SUDO user on the same machine.
You can use dedup with multiple fields. So if you do your dedup in the following way (or a variation of it) you should be good.
| dedup host user
This is providing that "user" is an actual field of course.
Final version:
COMMAND=/bin/su - process=sudo| rex "(?i) sudo: (?P[^ ]+)"| table date_month, date_mday, host, path_name |dedup host path_name| sort date_mday, host, path_name| search path_name>0| rename "date_month" as "Month" "date_mday" as "Day" "host" as "Server" "path_name" as "User ID"
Works perfect!
Thank you!
You can use dedup with multiple fields. So if you do your dedup in the following way (or a variation of it) you should be good.
| dedup host user
This is providing that "user" is an actual field of course.