trying to search for when sudo user1 adds user2 to a group and I want to extract the name of the user2 that was added to a group.
I am searching the audit.log file from my universal forwarder that's running on a Linux box. I am having trouble using regex to grab the name from acct="NAME" field because of the double quotes.
Below is my search string and log results:
search string:
index=* host=* sourcetype="*" "usermod" OR "visudo" AND "type=USER_MGMT"
log results:
type=USER_MGMT msg=audit(1501611744.115:10994): pid=24473 uid=0 auid=1002 ses=1236 msg='op=add-user-to-shadow-group grp="wheel" acct="addbyjoe" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/1 res=success'
How to I extract the name(addbyjoe) from acct="addbyjoe" in the log results above?
Hi jcorkey,
if the format of your logs is the one you described in your question, Splunk already extracts acct field.
otherwise you have to use a regex like the following
| rex "acct\=\"(?<user>[^\"]*)\""
if it doesn'r run, please share an example of your logs.
Bye.
Giuseppe
Hi jcorkey,
if the format of your logs is the one you described in your question, Splunk already extracts acct field.
otherwise you have to use a regex like the following
| rex "acct\=\"(?<user>[^\"]*)\""
if it doesn'r run, please share an example of your logs.
Bye.
Giuseppe