Solved: Need help forming regex to extract username from l...

jcorkey · ‎08-02-2017

trying to search for when sudo user1 adds user2 to a group and I want to extract the name of the user2 that was added to a group.
I am searching the audit.log file from my universal forwarder that's running on a Linux box. I am having trouble using regex to grab the name from acct="NAME" field because of the double quotes.

Below is my search string and log results:

search string:
index=* host=* sourcetype="*" "usermod" OR "visudo" AND "type=USER_MGMT"

log results:
type=USER_MGMT msg=audit(1501611744.115:10994): pid=24473 uid=0 auid=1002 ses=1236 msg='op=add-user-to-shadow-group grp="wheel" acct="addbyjoe" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/1 res=success'

How to I extract the name(addbyjoe) from acct="addbyjoe" in the log results above?

gcusello · ‎08-02-2017

Hi jcorkey,
if the format of your logs is the one you described in your question, Splunk already extracts acct field.
otherwise you have to use a regex like the following

| rex "acct\=\"(?<user>[^\"]*)\""

if it doesn'r run, please share an example of your logs.
Bye.
Giuseppe

View solution in original post

gcusello · ‎08-02-2017

Hi jcorkey,
if the format of your logs is the one you described in your question, Splunk already extracts acct field.
otherwise you have to use a regex like the following

| rex "acct\=\"(?<user>[^\"]*)\""

if it doesn'r run, please share an example of your logs.
Bye.
Giuseppe

Need help forming regex to extract username from log

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

AppDynamics Summer Webinars

Are you a member of the Splunk Community?

Need help forming regex to extract username from log

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

AppDynamics Summer Webinars