I'm trying to extract some Oracle audit log fields on the fly. I can't seem to get my regex to match.
Source:
Audit file /u01/app/oracle/admin/prodprt/adump/prodprt2_ora_8944_1.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0.2/prodprt
System name: Linux
Node name: prodprtdb02
Release: 2.6.18-164.el5
Version: #1 SMP Thu Sep 3 04:15:13 EDT 2009
Machine: x86_64
Instance name: prodprt2
Redo thread mounted by this instance: 2
Oracle process number: 107
Unix process pid: 8944, image: oracle@prodprtdb02 (TNS V1-V3)
Wed Mar 16 09:01:08 2011 -06:00
LENGTH : '155'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[0] ''
STATUS:[1] '0'
DBID:[10] '1941709108'
Search string:
rex field=_raw "DATABASE\s+USER:\[\d\]\s+'(?<db_user>.+)?' PRIVILEGE\s+:\[\d\]\s+'(?<db_privilege>.+)?'"
I'm not sure how to indicate that there are one or more lines between the two.
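As an added example (not part of the original post), the following Python shows the two things the question needs: a version of the posted rex whose separator between DATABASE USER and PRIVILEGE is `\s+` instead of a literal space, so it spans the newline between the two lines (in PCRE, which Splunk's rex uses, `\s` also matches `\n`; Python spells the named group `(?P<name>...)` where rex uses `(?<name>...)`), and a more general parser that reads each `NAME:[LEN] 'VALUE'` field by its length prefix, which handles empty values such as `CLIENT TERMINAL:[0] ''` and values containing quotes. The sample record is constructed from the lines in the post; the `privileged_connect` check (flagging a CONNECT with SYSDBA or SYSOPER privilege) is an illustration of what one would do with the extracted fields, not something the post asks for.

```python
import re

# Constructed sample: the single audit record quoted in the question.
SAMPLE = """Wed Mar 16 09:01:08 2011 -06:00
LENGTH : '155'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[0] ''
STATUS:[1] '0'
DBID:[10] '1941709108'
"""

# Direct fix of the posted rex: the two fields sit on adjacent lines, so the
# text between them is a newline, not a space. \s+ matches one or more
# whitespace characters including "\n", so it also covers several blank or
# whitespace-only lines between the two fields. [^']* instead of .+ keeps the
# match inside the quotes and accepts an empty value.
TWO_FIELD_RE = re.compile(
    r"DATABASE\s+USER:\[\d+\]\s+'(?P<db_user>[^']*)'\s+"
    r"PRIVILEGE\s*:\[\d+\]\s+'(?P<db_privilege>[^']*)'"
)


def extract_two_fields(text):
    """Return {'db_user': ..., 'db_privilege': ...} or None if not found."""
    m = TWO_FIELD_RE.search(text)
    return m.groupdict() if m else None


# General parser: every field in the record body has the form NAME:[LEN] 'VALUE'.
# The regex only locates the name, the length and the opening quote; the value
# is then sliced by LEN rather than matched, so a quote inside a value cannot
# end it early. Lines without a [LEN] prefix (the header, LENGTH) are skipped.
FIELD_RE = re.compile(r"^([A-Z ]+?)\s*:\[(\d+)\]\s+'", re.M)


def parse_audit_record(text):
    """Map field names to their values for one audit record."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        name, length = m.group(1).strip(), int(m.group(2))
        start = m.end()                      # first character of the value
        value = text[start:start + length]
        # The declared length must land exactly on the closing quote; if it
        # does not, the record is truncated or malformed, so fail loudly
        # rather than return a wrong value.
        if text[start + length:start + length + 1] != "'":
            raise ValueError("bad length for field %r" % name)
        fields[name] = value
    return fields


# Illustrative use of the parsed fields (assumption: these are the values a
# reviewer would want to alert on). The record above is such a connection:
# database user '/' (OS authentication) with SYSDBA privilege.
PRIVILEGED = {"SYSDBA", "SYSOPER"}


def privileged_connect(fields):
    return fields.get("ACTION") == "CONNECT" and fields.get("PRIVILEGE") in PRIVILEGED


if __name__ == "__main__":
    print(extract_two_fields(SAMPLE))
    rec = parse_audit_record(SAMPLE)
    print(rec)
    print("privileged connect:", privileged_connect(rec))
```

The same change carries back to the search string: replacing the literal space before `PRIVILEGE` with `\s+` (or `[\r\n]+` to require at least one line break) is what lets the rex cross the line boundary.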