I'm having no success making sense of lookups. Some work, some don't, and I can't figure out why. Let's take an obvious example. sshd syslogs in all sorts of formats which indicate the username. I want to extract the username field from those various forms, then look that username up in my external CSV file. I know how to get that working in basic form, and have done it for one form of sshd syslog line.
Specifically, we have sshd events like:
user usernameHere authenticated as blahblah
session opened for usernameHere
session closed for usernameHere
Accepted someAuthMethod for usernameHere
All of those (defined as field extractions) need to trigger a lookup of usernameHere in the CSV file which is already defined in transforms.conf as 'employee'
The following does not work completely (only the "authenticated as" part looks up):
[syslog]
LOOKUP-username1 = employee uid AS Username1
EXTRACT-Username1 = (?i) for (?P<Username1>[^ ]+)
LOOKUP-username2 = employee uid AS Username2
EXTRACT-Username2 = (?i) (?P<Username2>[^ ]+) authenticated as
Nor does this ordering (a shot in the dark):
[syslog]
EXTRACT-Username1 = (?i) for (?P<Username1>[^ ]+)
EXTRACT-Username2 = (?i) (?P<Username2>[^ ]+) authenticated as
LOOKUP-username2 = employee uid AS Username2
LOOKUP-username1 = employee uid AS Username1
If I remove the functioning "authenticated as" LOOKUP and EXTRACT, then the other one starts working.
I have also tried the following, fixing the case of my LOOKUP classes:
[syslog]
EXTRACT-Username1 = (?i) for (?P<Username1>[^ ]+)
LOOKUP-Username1 = employee uid AS Username1
EXTRACT-Username2 = (?i) (?P<Username2>[^ ]+) authenticated as
LOOKUP-Username2 = employee uid AS Username2
So clearly I am not understanding the relationship between the field extraction and the lookup.
Really what I want is:
my_sshd_extraction1 to store username
my_sshd_extraction2 to store username
my_sshd_extraction3 to store username
my_sshd_extraction4 to store username
lookup username for any of those!
Any help would be greatly appreciated.
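An added illustration (not part of the post, and not Splunk's own code or a claim about how props.conf resolves classes): a small Python model of the arrangement asked for at the end of the question, where every extraction writes the same field, `username`, and a single lookup keys on that one field. It runs over constructed sshd-style lines against a constructed employee CSV whose match column is `uid`, as in the post's `employee uid AS ...` definitions. The names `EMPLOYEE_CSV`, `EXTRACTIONS`, `extract_username` and `enrich` are this example's own. It also goes slightly beyond the four forms quoted in the post: real pam_unix and sshd lines read `session opened for user bob` and `Failed password for invalid user mallory`, so a bare ` for ([^ ]+)` would capture the words `user` or `invalid`; the `for` pattern here skips those prefixes.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed stand-in for the 'employee' lookup table; 'uid' is the match column.
EMPLOYEE_CSV = """uid,name,department
alice,Alice Example,Security
bob,Bob Example,Platform
"""

# One pattern per sshd message form, all writing the SAME field name 'username'.
# The 'for' form tolerates the "for user X" / "for invalid user X" wording that
# real sshd and pam_unix lines use, so 'user' / 'invalid' are never captured.
EXTRACTIONS = [
    re.compile(r"(?i)\b(?P<username>[^ ]+) authenticated as"),
    re.compile(r"(?i)\bfor (?:invalid user |user )?(?P<username>[^ ]+)"),
]

# Constructed sample events covering every form, a non-employee, and a miss.
SAMPLE_EVENTS = [
    "sshd[2201]: user alice authenticated as alice",
    "sshd[2201]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
    "sshd[2201]: pam_unix(sshd:session): session closed for user bob",
    "sshd[2202]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "sshd[2203]: Failed password for invalid user mallory from 10.0.0.9 port 4000 ssh2",
    "sshd[2204]: Received disconnect from 10.0.0.5 port 51234:11: disconnected by user",
]


def load_employee_lookup(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Index the lookup CSV by its 'uid' column, the field the lookup matches on."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["uid"]: row for row in reader}


def extract_username(event: str) -> Optional[str]:
    """Try each extraction; all populate one field, so the first hit wins here.
    (A simplification: this example does not model multivalued fields.)"""
    for pattern in EXTRACTIONS:
        match = pattern.search(event)
        if match:
            return match.group("username")
    return None


def enrich(event: str, lookup: Dict[str, Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Model 'LOOKUP-username = employee uid AS username': when the extracted
    username matches a 'uid', copy the row's other columns onto the event; when
    there is no username or no matching row, add nothing."""
    fields: Dict[str, Optional[str]] = {"_raw": event, "username": extract_username(event)}
    row = lookup.get(fields["username"]) if fields["username"] else None
    if row:
        fields.update({k: v for k, v in row.items() if k != "uid"})
    return fields


def enrich_all(events: List[str], lookup: Dict[str, Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Enrich a batch of events; kept as a function so results can be checked."""
    return [enrich(event, lookup) for event in events]


if __name__ == "__main__":
    table = load_employee_lookup(EMPLOYEE_CSV)
    for fields in enrich_all(SAMPLE_EVENTS, table):
        print(fields["username"], fields.get("name"), fields.get("department"), "|", fields["_raw"])
```

The last two sample lines are the cases worth checking in any real deployment: `mallory` is extracted but has no row in the table, so no employee columns appear, and the disconnect line yields no username at all, so the lookup never runs. If the extracted field ever contains the literal word `user`, the `for` pattern is the one to inspect.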