I'm looking to create a custom search for a dashboard I'm working on related to security. The idea is to detect the execution or attempted execution of sudo commands, and to be alerted or notified when there are failed attempts.
My goal is to create a search that displays only the relevant and desired pieces of data, so that it's simple and easy to read and I can pivot that into a daily/weekly/monthly report.
Of course, we'll add notification via e-mail for sudo failures too.
Now, the trouble is that I wrote this monstrosity of a regex and I also wrote a very SIMPLE search string, and they are both producing the SAME results...so you can imagine how frustrated I am for busting my butt on the regex.
Here are the two searches I've composed:
source="/var/log/auth.log" | search sudo NOT "/usr/sbin/megacli"
VS
source="/var/log/auth.log" | rex "(? [A-Z]\w+\s+\d\s\d{2}:\d{2}:\d{2})\s(? [a-z.]).(? (?<=:)\s+\w+\s*(?=:)).(? (?<=:)[\s\d\w]+(?=;)). (? (?<=COMMAND=).*)" | search sudo NOT "/usr/sbin/megacli"
Why do the search results appear the same?
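Added example, not from the original post: a Python approximation of the two pipelines showing why they return the same events. The rex stage only adds fields to each event and never drops one, while the trailing search clause does the filtering in both, so the event set is identical; the same parser then flags refused sudo attempts. The auth.log lines, the group names and the keyword-filter approximation are constructed here, not taken from Splunk.

```python
import re

# Constructed sample of /var/log/auth.log lines (not real data).
AUTH_LOG = """\
Mar  3 10:15:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/megacli -AdpAllInfo
Mar  3 10:16:12 host sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:17:45 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:18:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 22 ssh2
Mar  3 10:19:30 host sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls
""".splitlines()

# Stand-in for the rex stage: named groups for the sudo record. Group names are assumed.
# An optional "reason" (e.g. "3 incorrect password attempts") precedes TTY= only when sudo refused.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z]\w+\s+\d+\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\ssudo:\s+"
    r"(?P<user>\S+)\s:\s(?:(?P<reason>[^;]+?)\s;\s)?"
    r"TTY=(?P<tty>\S+)\s;\sPWD=(?P<pwd>\S+)\s;\sUSER=(?P<runas>\S+)\s;\s"
    r"COMMAND=(?P<command>.*)$"
)

def keyword_filter(lines):
    """Approximates `search sudo NOT "/usr/sbin/megacli"`: a filter on the raw event text."""
    return [l for l in lines if "sudo" in l.lower() and "/usr/sbin/megacli" not in l]

def extract(line):
    """Approximates rex: returns the extracted fields, or None when the pattern does not match."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None

def rex_then_filter(lines):
    """rex followed by the same search clause: extraction adds fields but keeps every event."""
    enriched = [(l, extract(l)) for l in lines]  # non-matching events simply get no fields
    return [l for l, _fields in enriched if "sudo" in l.lower() and "/usr/sbin/megacli" not in l]

def sudo_failures(lines):
    """Refused sudo attempts: the events where a reason was logged before the TTY= field."""
    out = []
    for l in keyword_filter(lines):
        f = extract(l)
        if f and f["reason"]:
            out.append({k: f[k] for k in ("ts", "user", "runas", "command", "reason")})
    return out
```

Because `rex` never filters, the only way to narrow results is a search clause or a `where` on the extracted fields, for example keeping just the events whose reason field is set.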