I would like to extract user name, source IP, source port and access protocol from the following 2 events from /var/log/secure.

03/06/2021 17:29:44.000 Jun 3 17:29:44 XXX sshd[9668]: Failed password for userXXX from 192.168.XXX.XXX port 63568 ssh2
host = 10.0.0.XXX · source = /var/log/secure · sourcetype = linux_secure

03/06/2021 00:13:41.000 Jun 3 00:13:41 XXX sshd[18404]: Accepted password for userXXX from 192.168.XXX.XXX port 60272 ssh2
host = 10.0.0.XXX · source = /var/log/secure · sourcetype = linux_secure

The search output statistics should be like these:

Host, User, Source IP, Source Port, Protocol
10.0.0.XXX, userXXX, 192.168.XXX.XXX, 6XXXX, ssh2

Could anyone help to finish the search below? Much appreciated.

sourcetype=linux_secure "Accepted password" | rex field= ???? (?<user>[^ ]+)" | chart count BY host, user, source_ip, source_port, protocol

sourcetype=linux_secure "Failed password" | rex field= ???? (?<user>[^ ]+)" | chart count BY host, user, source_ip, source_port, protocol
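As an added example (not part of the question or of any answer on this page), here is the field extraction and the count-by aggregation the question asks for, written in Python and run over constructed sshd lines. The named-group pattern carries over to Splunk's rex by writing `(?<name>` instead of Python's `(?P<name>`; hostnames, usernames and addresses below are made up, and the `invalid user` prefix that sshd emits for unknown accounts is handled so those failures are not silently dropped.

```python
import re
from collections import Counter

# Pattern for the sshd password-auth lines quoted in the question.
# Splunk's rex accepts the same regex with (?<name>...) in place of (?P<name>...).
SSHD_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<source_ip>[0-9a-fA-F.:]+) "
    r"port (?P<source_port>\d+) (?P<protocol>\S+)"
)

# Constructed sample events as (host, _raw) pairs; all values are made up.
SAMPLE_EVENTS = [
    ("10.0.0.5", "Jun 3 17:29:44 bastion sshd[9668]: Failed password for alice from 192.0.2.10 port 63568 ssh2"),
    ("10.0.0.5", "Jun 3 17:29:50 bastion sshd[9668]: Failed password for alice from 192.0.2.10 port 63568 ssh2"),
    ("10.0.0.5", "Jun 3 00:13:41 bastion sshd[18404]: Accepted password for alice from 192.0.2.10 port 60272 ssh2"),
    ("10.0.0.5", "Jun 3 00:14:02 bastion sshd[18410]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2"),
    # Public-key logins are a different message and must not match a password-auth pattern.
    ("10.0.0.5", "Jun 3 00:15:00 bastion sshd[18412]: Accepted publickey for bob from 192.0.2.11 port 50000 ssh2: RSA SHA256:constructed"),
]


def parse_auth_event(host, raw):
    """Extract outcome, user, source_ip, source_port and protocol from one
    sshd password-auth line; return None for any other line."""
    m = SSHD_AUTH_RE.search(raw)
    if not m:
        return None
    fields = m.groupdict()
    fields["host"] = host  # host is event metadata in Splunk, not part of _raw
    return fields


def count_by_fields(events, outcome):
    """Equivalent of `chart count BY host, user, source_ip, source_port, protocol`
    restricted to one outcome ("Accepted" or "Failed")."""
    counts = Counter()
    for host, raw in events:
        f = parse_auth_event(host, raw)
        if f and f["outcome"] == outcome:
            counts[(f["host"], f["user"], f["source_ip"], f["source_port"], f["protocol"])] += 1
    return counts


if __name__ == "__main__":
    for outcome in ("Failed", "Accepted"):
        print(f"{outcome} password: host, user, source_ip, source_port, protocol, count")
        for key, n in sorted(count_by_fields(SAMPLE_EVENTS, outcome).items()):
            print("  " + ", ".join(key) + f", {n}")
```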