Wondering if there is a default sourcetype that can be used to extract source_ip and user from secure.log files?
source_ip is easy because of the format
user is a little bit tricky because of different format of log lines
Example events -
Thu Mar 16 2017 05:42:48 www1 sshd: Failed password for invalid user ubuntu from 126.96.36.199 port 3346 ssh2
Thu Mar 16 2017 05:31:31 www1 sshd: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2
Thu Mar 16 2017 04:42:27 www1 sshd: pam_unix(sshd:session): session opened for user djohnson by (uid=0)
In this case, should we run the extraction several times and save the reg-ex pattern for each type of event separately?
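
The three event shapes in the question can be covered with two patterns (one for password results, one for PAM session lines) rather than one saved pattern per line format. This is an added example, not part of the original post; it uses Python's `re`, the names `extract`, `AUTH_RE`, `SESSION_RE` and the `action` field are assumptions of the example, and the fourth sample event is constructed.

```python
import re

# First three events are the ones quoted in the question; the fourth is constructed
# to show a client-supplied user name that itself contains " from <ip>".
SAMPLE_EVENTS = [
    "Thu Mar 16 2017 05:42:48 www1 sshd: Failed password for invalid user ubuntu from 126.96.36.199 port 3346 ssh2",
    "Thu Mar 16 2017 05:31:31 www1 sshd: Accepted password for djohnson from 10.3.10.46 port 2750 ssh2",
    "Thu Mar 16 2017 04:42:27 www1 sshd: pam_unix(sshd:session): session opened for user djohnson by (uid=0)",
    "Thu Mar 16 2017 05:43:02 www1 sshd: Failed password for invalid user admin from 10.0.0.1 from 192.0.2.7 port 4000 ssh2",
]

# Failed/Accepted lines: the user name is whatever the client sent, so the
# pattern anchors on the trailing "from <ip> port <n> ssh2" and lets the
# greedy user group absorb anything before the LAST " from ".
AUTH_RE = re.compile(
    r"sshd(?:\[\d+\])?: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>.*) from (?P<source_ip>\S+) port \d+(?: ssh2)?$"
)

# PAM session lines carry a user but no source address.
SESSION_RE = re.compile(
    r"sshd(?:\[\d+\])?: pam_unix\(sshd:session\): "
    r"session (?P<state>opened|closed) for user (?P<user>\S+)"
)


def extract(event):
    """Return a dict with action, user and source_ip, or None if not an sshd event we know."""
    m = AUTH_RE.search(event)
    if m:
        return {"action": m["result"].lower(), "user": m["user"],
                "source_ip": m["source_ip"]}
    m = SESSION_RE.search(event)
    if m:
        return {"action": "session_" + m["state"], "user": m["user"],
                "source_ip": None}
    return None


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(extract(line))
```

The named groups use the `(?P<name>...)` spelling, which PCRE-based engines also accept.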