I am trying to search for when sudo user1 adds user2 to a group, and I want to extract the name of user2 that was added to the group.
I am searching the audit.log file from my universal forwarder, which is running on a Linux box. I am having trouble using regex to grab the name from the acct="NAME" field because of the double quotes.
Below are my search string and log results:
index=* host=* sourcetype="*" "usermod" OR "visudo" AND "type=USER_MGMT"
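As an added example, not part of the original post, here is a small Python parser that pulls acct, grp and op out of constructed auditd USER_MGMT lines using the same negated-character-class regex you would give to rex (the SPL form is in a comment); the sample lines, the helper names and the success-only filter are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed sample auditd lines (not from the original post): two group
# changes, one unrelated sudo session event, and one failed usermod.
SAMPLE_LOG = """\
type=USER_MGMT msg=audit(1700000000.101:201): pid=4321 uid=0 auid=1001 ses=5 msg='op=add-user-to-group grp="wheel" acct="user2" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/0 res=success'
type=USER_MGMT msg=audit(1700000000.102:202): pid=4322 uid=0 auid=1001 ses=5 msg='op=delete-user-from-group grp="docker" acct="svc-build" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1700000000.103:203): pid=4323 uid=0 auid=1001 ses=5 msg='op=PAM:session_open acct="user1" exe="/usr/bin/sudo" hostname=? addr=? terminal=pts/0 res=success'
type=USER_MGMT msg=audit(1700000000.104:204): pid=4324 uid=0 auid=1001 ses=5 msg='op=add-user-to-group grp="wheel" acct="user3" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/0 res=failed'
"""

# The quoted value is captured with [^"]* so the closing quote is never
# swallowed.  Splunk's rex equivalent, with the inner quotes escaped for
# the SPL string:
#   | rex field=_raw "acct=\"(?<acct>[^\"]+)\""
ACCT_RE = re.compile(r'acct="(?P<acct>[^"]*)"')
GRP_RE = re.compile(r'grp="(?P<grp>[^"]*)"')
OP_RE = re.compile(r"op=(?P<op>[^\s']+)")   # op value ends at space or the msg quote
RES_RE = re.compile(r"res=(?P<res>\w+)")
AUID_RE = re.compile(r"\bauid=(?P<auid>\d+)")  # auid = the real (sudo-ing) user


def parse_group_change(line: str) -> Optional[dict]:
    """Return fields of a successful group-membership change, else None."""
    if not line.startswith("type=USER_MGMT"):
        return None
    op, acct = OP_RE.search(line), ACCT_RE.search(line)
    grp, res = GRP_RE.search(line), RES_RE.search(line)
    auid = AUID_RE.search(line)
    if not (op and acct and grp and res and auid):
        return None
    # Only add-user-to-group / delete-user-from-group, and only if it succeeded.
    if not op.group("op").endswith("-group") or res.group("res") != "success":
        return None
    return {"op": op.group("op"), "grp": grp.group("grp"),
            "acct": acct.group("acct"), "auid": int(auid.group("auid"))}


def group_changes(log_text: str) -> list:
    """Parse every line and keep only the group-membership changes."""
    return [ev for ev in (parse_group_change(l) for l in log_text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in group_changes(SAMPLE_LOG):
        print(f"auid={ev['auid']} {ev['op']} acct={ev['acct']} grp={ev['grp']}")
```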