Wondering if there is a default sourcetype that can be used to extract source_ip and user from secure.log files?
source_ip is easy because of the format.
user is a little bit tricky because of the different formats of the log lines.
Example events -
Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2
Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2
Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)
In this case, should we run the extraction several times and save the regex pattern for each type of event separately?
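As an added example (not part of the original thread or any Splunk app), this Python script shows one regex per event type, tried in order, so that a single parser extracts user and source_ip from all three line formats above. The three sample lines are the ones from the question; the field names, the `invalid_user` flag and the per-IP failed-login counter are this example's own choices.

```python
import re
from collections import Counter

# Common prefix of the sample lines: "Thu Mar 16 2017 05:42:48 www1 sshd[3061]: "
PREFIX = (r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
          r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: ")
IPV4 = r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})"

# One pattern per event kind; the first that matches wins.
PATTERNS = [
    ("failed_password", PREFIX + r"Failed password for (?P<invalid>invalid user )?"
                        r"(?P<user>\S+) from " + IPV4 + r" port (?P<port>\d+)"),
    ("accepted",        PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from "
                        + IPV4 + r" port (?P<port>\d+)"),
    ("session_opened",  PREFIX + r"pam_unix\(sshd:session\): session opened for user "
                        r"(?P<user>\S+) by"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in PATTERNS]

def parse_secure_line(line):
    """Return a dict of extracted fields for one secure.log line, or None."""
    for action, rx in COMPILED:
        m = rx.match(line)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["action"] = action
            # "invalid user" means the account does not exist on the host
            fields["invalid_user"] = fields.pop("invalid", None) is not None
            return fields
    return None

def failed_logins_by_ip(lines):
    """Count 'Failed password' events per source IP (brute-force triage)."""
    counts = Counter()
    for line in lines:
        f = parse_secure_line(line)
        if f and f["action"] == "failed_password":
            counts[f["src_ip"]] += 1
    return dict(counts)

# Sample input: the three events quoted in the question above.
SAMPLE = [
    "Thu Mar 16 2017 05:42:48 www1 sshd[3061]: Failed password for invalid user ubuntu from 78.111.167.117 port 3346 ssh2",
    "Thu Mar 16 2017 05:31:31 www1 sshd[9216]: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2",
    "Thu Mar 16 2017 04:42:27 www1 sshd[56680]: pam_unix(sshd:session): session opened for user djohnson by (uid=0)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_secure_line(line))
    print(failed_logins_by_ip(SAMPLE))
```

The named groups translate directly to Splunk `rex` extractions if you replace `(?P<name>` with `(?<name>`; the session-opened line yields a user but no source_ip, which is why a single pattern for all three formats does not work.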
Hi jagadeeshm,
have you seen:
In these apps you can find all the usual definitions for unix.
Bye.
Giuseppe