Here is the raw event log:
Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed. Reason: No Roles
Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted.
I would like to extract only the username (e.g. sramachandran in this case) to a field called "UserName".
Can you please help me achieve this?
Thanks in advance.
Assuming the username always follows the IP address, which is in square brackets, this should do it.
]\s+(?<UserName>\w+)
Use rex:
| rex "(?<UserName>\w+)\(VPNUsers\)"
Sample query:
| makeresults | eval _raw="Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 for sramachandran/VPNUsers. All roles restricted." | rex "(?<UserName>\w+)\(VPNUsers\)"
index="juniperindex" ("Login Failed*" OR "Primary authentication failed") is my initial query to find the results:
The outcome events look like:
Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [12.12.2.28] vinduri(VPNUsers)[] - Login failed using auth server LasVegas DC (LDAP Server). Reason: Failed
Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - 2020-04-22 21:21:21 - ive - [14.13.8.28] rgunasek(VPNUsers)[] - Primary authentication failed for vinduri/LasVegas DC from x.y.z.a
Can you now help me?
Below query should work:
index="juniperindex" ("Login Failed*" OR "Primary authentication failed") | rex "(?<UserName>\w+)\(VPNUsers\)" | table UserName
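To show what the rex in the second and third answers actually captures on the events posted in this thread, here is an added Python example (not part of the original answers and not Splunk's own code). It applies the same `name(VPNUsers)` pattern in Python's named-group syntax, mirrors the search's failure filter, and additionally pulls the bracketed source IP and the "for user/realm" pair out of the message text. The sample events are copied from the thread; the extra field names (SrcIP, AuthUser, Realm) and the mismatch check are my additions, not fields the page defines.

```python
import re

# Sample events copied from the thread (constructed test data, not live logs).
SAMPLE_EVENTS = [
    "Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - "
    "2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed. Reason: No Roles",
    "Apr 22 08:04:46 10.14.10.66 1 2020-04-22T08:04:47-07:00 connect.abcd.com PulseSecure: - - - "
    "2020-04-22 08:04:47 - ive - [10.12.6.240] sramachandran(VPNUsers)[] - Login failed from 10.12.6.240 "
    "for sramachandran/VPNUsers. All roles restricted.",
    "Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - "
    "2020-04-22 21:21:21 - ive - [12.12.2.28] vinduri(VPNUsers)[] - Login failed using auth server "
    "LasVegas DC (LDAP Server). Reason: Failed",
    "Apr 22 21:21:21 10.14.10.66 1 2020-04-22T21:21:21-07:00 connect.abcd.com PulseSecure: - - - "
    "2020-04-22 21:21:21 - ive - [14.13.8.28] rgunasek(VPNUsers)[] - Primary authentication failed "
    "for vinduri/LasVegas DC from x.y.z.a",
]

# Same pattern as the thread's rex "(?<UserName>\w+)\(VPNUsers\)", Python group syntax.
USERNAME_RE = re.compile(r"(?P<UserName>\w+)\(VPNUsers\)")
# Splunk search terms are case-insensitive, so the filter is too (assumed equivalent).
FAILURE_RE = re.compile(r"Login failed|Primary authentication failed", re.IGNORECASE)
# Added fields: the bracketed client IP that precedes the account, and the
# "for <user>/<realm>" pair some failure messages carry (realm may contain spaces).
SRC_IP_RE = re.compile(r"\[(?P<SrcIP>\d{1,3}(?:\.\d{1,3}){3})\]\s+\w+\(VPNUsers\)")
AUTH_USER_RE = re.compile(r"\bfor (?P<AuthUser>[\w.-]+)/(?P<Realm>[\w -]+?)(?= from |\.|$)")


def is_failed_login(event: str) -> bool:
    """Mirror of the search filter: keep only failed-login style events."""
    return bool(FAILURE_RE.search(event))


def extract_fields(event: str) -> dict:
    """Return the UserName field the rex produces, plus the added fields (None if absent)."""
    fields = {"UserName": None, "SrcIP": None, "AuthUser": None, "Realm": None}
    m = USERNAME_RE.search(event)
    if m:
        fields["UserName"] = m.group("UserName")
    m = SRC_IP_RE.search(event)
    if m:
        fields["SrcIP"] = m.group("SrcIP")
    m = AUTH_USER_RE.search(event)
    if m:
        fields["AuthUser"] = m.group("AuthUser")
        fields["Realm"] = m.group("Realm")
    return fields


def build_table(events) -> list:
    """Equivalent of '... | rex ... | table ...': one row per matching event."""
    return [extract_fields(e) for e in events if is_failed_login(e)]


def mismatched_users(rows) -> list:
    """Rows where the account in 'name(VPNUsers)' differs from the account the
    auth server reported in 'for user/realm'; worth a second look when reviewing."""
    return [r for r in rows if r["AuthUser"] and r["AuthUser"] != r["UserName"]]


if __name__ == "__main__":
    for row in build_table(SAMPLE_EVENTS):
        print(row)
    print("mismatches:", mismatched_users(build_table(SAMPLE_EVENTS)))
```

Note that `\w+` stops at characters such as "." or "-", so an account like first.last would be captured only partially by the rex; widen the class if your usernames contain those. The last sample event also shows why the extra pair is useful: the session account in brackets (rgunasek) is not the account the authentication message names (vinduri), so a table built from UserName alone would attribute that failure to the wrong user.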
Yes, this did the task. But I still have many other fields to extract with regular expressions and finally add them to a table.
In my next reply, can I paste another sample log file with which we can fine-tune this query more?
Thanks a lot in advance.