Hi,
I am trying to extract fields from events and here are the sample events:
AUD_Proc user1 OK Thu Sep 16 15:09:45 2010 audit
pid: 0 cmd: 4
TCB_Exec user1 OK Thu Sep 16 15:09:45 2010 audit
filename: /usr/sbin/audit
CRON_Start root OK Tue Oct 05 23:40:00 2010 cron
S_PASSWD_READ root OK Tue Oct 05 23:40:00 2010 java
I am trying to extract the "login" field (user1, root), but the generated pattern doesn't match all values.
For example, if I select user1 and root as the example values, the pattern generated only captures the event for TCB_Exec, and not other events like AUD_Proc, CRON_Start & S_PASSWD_READ.
yes, something like:
[yoursourcetype]
EXTRACT-loginfield = ^\S+\s+(?<login>\S+)
EXTRACT-Status = ^\S+\s+\S+\s+(?<status>\S+)
..etc..
props.conf.spec for more info
I see.. thanks, it works fine.
thanks for the prompt reply.
Do I specify the commands you've provided in props.conf?
Here is a list of examples where it contains 5 columns:
(e.g. event - FS_Chdir, login - user3, status - OK, time, command - tsm, su) etc.
I'm trying to extract these fields for the 5 columns.
FS_Chdir user3 OK Tue Oct 26 11:10:49 2004 tsm
change current directory to: /home/user3
S_ENVIRON_WRITE user3 FAIL Tue Oct 26 11:10:49 2004 tsm
audit object write event detected /etc/security/environ
S_PASSWD_READ user3 OK Tue Oct 26 11:10:50 2004 su
audit object read event detected /etc/security/passwd
S_PASSWD_READ user3 OK Tue Oct 26 11:10:50 2004 su
audit object read event detected /etc/security/passwd
USER_SU user3 OK Tue Oct 26 11:10:53 2004 su
root
AUD_Proc user1 OK Thu Sep 16 15:09:45 2010 audit
pid: 0 cmd: 4
TCB_Exec user1 OK Thu Sep 16 15:09:45 2010 audit
filename: /usr/sbin/audit
CRON_Start root OK Tue Oct 05 23:40:00 2010 cron
I would use:
REGEX = ^\S+\s+(?<fieldname>\S+)
I think something like this should work for you:
REGEX = ^\w+ (\w+)
FORMAT = Yourfield::$1
If you can send a bigger log file I can be a bit more sure, but using a regex tester this works OK for me.
Hope this helps
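To show why the anchored, whitespace-delimited approach from the first answer works across every event type, and to extend it to all five columns asked about later (event, login, status, time, command), here is an added Python example. It is not part of the thread or of Splunk; the sample text is the events quoted above, constructed inline, and the function names (`parse_events`, `logins`, `failures`, `events_by_login`) are my own. Continuation lines such as `pid: 0 cmd: 4` or the bare `root` after USER_SU are kept as detail of the preceding event rather than being mistaken for a new one, which is the case the auto-generated pattern tripped over.

```python
import re
from datetime import datetime

# Constructed sample: the AIX audit events quoted in the thread. Each event is
# one header line, optionally followed by continuation lines holding detail.
SAMPLE_EVENTS = """\
FS_Chdir user3 OK Tue Oct 26 11:10:49 2004 tsm
change current directory to: /home/user3
S_ENVIRON_WRITE user3 FAIL Tue Oct 26 11:10:49 2004 tsm
audit object write event detected /etc/security/environ
S_PASSWD_READ user3 OK Tue Oct 26 11:10:50 2004 su
audit object read event detected /etc/security/passwd
USER_SU user3 OK Tue Oct 26 11:10:53 2004 su
root
AUD_Proc user1 OK Thu Sep 16 15:09:45 2010 audit
pid: 0 cmd: 4
TCB_Exec user1 OK Thu Sep 16 15:09:45 2010 audit
filename: /usr/sbin/audit
CRON_Start root OK Tue Oct 05 23:40:00 2010 cron
S_PASSWD_READ root OK Tue Oct 05 23:40:00 2010 java
"""

# Same idea as the EXTRACT regexes in the thread (anchor at start of line,
# one \S+ per column), extended to all five columns. The timestamp contains
# spaces, so it is matched as a fixed-shape field instead of \S+.
HEADER_RE = re.compile(
    r"^(?P<event>\S+)\s+"
    r"(?P<login>\S+)\s+"
    r"(?P<status>\S+)\s+"
    r"(?P<time>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<command>\S+)\s*$"
)
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_events(text):
    """Split raw audit text into a list of event dicts.

    A line matching HEADER_RE starts a new event; any other line is treated
    as a detail/continuation line belonging to the most recent event.
    """
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["timestamp"] = datetime.strptime(ev["time"], TIME_FMT)
            ev["detail"] = []
            events.append(ev)
        elif events:
            events[-1]["detail"].append(line.strip())
        # detail lines seen before any header are ignored
    return events


def logins(events):
    """Distinct values of the login column, sorted."""
    return sorted({e["login"] for e in events})


def failures(events):
    """Events whose status column is FAIL (the ones worth alerting on)."""
    return [e for e in events if e["status"] == "FAIL"]


def events_by_login(events):
    """Count of events per login, a quick sanity check that no user was missed."""
    counts = {}
    for e in events:
        counts[e["login"]] = counts.get(e["login"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in evs:
        print(e["timestamp"], e["event"], e["login"], e["status"],
              e["command"], e["detail"])
    print("logins:", logins(evs))
    print("failures:", [e["event"] for e in failures(evs)])
```

The regex only ever binds a field when the whole header shape is present, so a detail line that happens to start with a word (`root`, `filename: ...`) can never be read as a login. In Splunk terms this is the same reason `^\S+\s+(?<login>\S+)` outperforms a pattern learned from two example values: it describes the column layout rather than the sample strings.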