I am dealing with a filter where it pulls out sudo commands from RHEL 6 OS.
An example is this: "argc=2 a0=sudo a1=chpasswd"
I currently use this pattern in my grok filter to assign it to a variable: ".*argc=%{DATA:CMD}\d{2}"
results in: "2 a0=sudo a1=chpasswd"
My question is how can I still get that data filtered for my variable CMD, but remove the "2 a0=" and the "a1=" so that the result for CMD ends up being: "sudo chpasswd"?
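A worked example of the reassembly being asked about, added here and not part of the original post: plain Ruby that pulls the aN= arguments out of an auditd EXECVE record, restores their order by index, and joins them into "sudo chpasswd". The sample records are constructed. In Logstash the same logic would go into a ruby filter rather than a grok pattern, which is an assumption about the deployment and not something the post states. It also goes slightly beyond the post's example by handling quoted values, auditd's hex-encoded values, and a record whose argument count does not match argc.

```ruby
# Added example (not from the original post): rebuild the command line from an
# auditd EXECVE record such as "argc=2 a0=sudo a1=chpasswd".

# Constructed sample records, not taken from the post or from a real host.
SAMPLE_RECORDS = [
  'type=EXECVE msg=audit(1400000000.123:456): argc=2 a0=sudo a1=chpasswd',
  # auditd writes arguments containing spaces or unprintable bytes unquoted
  # as uppercase hex; this one is "/tmp/new user".
  'type=EXECVE msg=audit(1400000000.124:457): argc=3 a0="sudo" a1="cat" a2=2F746D702F6E65772075736572',
  # argc says three arguments but only two are present (e.g. a truncated line).
  'type=EXECVE msg=audit(1400000000.125:458): argc=3 a0=sudo a1=chpasswd',
].freeze

# One argument token: the index after "a", then either a double-quoted value
# (with backslash escapes) or a bare value running to the next whitespace.
ARG_TOKEN = /\ba(\d+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))/

# Quoted values are returned with escapes removed. A bare value that is an
# even-length run of uppercase hex digits is treated as auditd hex encoding.
# In real auditd output safe strings are quoted, so that rule is unambiguous;
# with the post's simplified unquoted form, an argument such as "DD" would be
# misread as hex, which is worth knowing when testing against hand-made input.
def decode_arg(quoted, bare)
  return quoted.gsub(/\\(.)/, '\1') unless quoted.nil?
  if bare =~ /\A(?:[0-9A-F]{2})+\z/
    [bare].pack('H*').force_encoding('UTF-8')
  else
    bare
  end
end

# Returns the declared argc, the ordered argv, and whether the two agree.
def parse_execve(record)
  argc_match = record.match(/\bargc=(\d+)/)
  args = {}
  record.scan(ARG_TOKEN) do |idx, quoted, bare|
    args[idx.to_i] = decode_arg(quoted, bare)
  end
  argv = args.keys.sort.map { |i| args[i] }
  argc = argc_match ? argc_match[1].to_i : argv.length
  { argc: argc, argv: argv, complete: argc == argv.length }
end

# The value the post wants in CMD: the arguments joined with single spaces.
def command_line(record)
  parse_execve(record)[:argv].join(' ')
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RECORDS.each do |rec|
    parsed = parse_execve(rec)
    flag = parsed[:complete] ? '' : '  (incomplete: argc mismatch)'
    puts "#{command_line(rec)}#{flag}"
  end
end
```

The `complete` flag matters for detection pipelines: a record whose argument count disagrees with `argc` was cut short somewhere, and a rule that keys on the full command string should not silently trust a partial one.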