Issue parsing sudo messages with grok


(ire) #1

I'm trying to match sudo log messages in syslog, but I'm having issues with the filter I've written: on a failure, it matches every field properly, but on a success, it only matches up to TTY=.

The filter:

(<%{POSINT:syslog_pri}>)?%{TIMESTAMP_ISO8601:timestamp}\s*%{IPORHOST:sudo_host}\s*sudo:\s*%{USERNAME:sudo_user}\s*:\s*(%{SUDO_DENIED:sudo_errmsg})?\s*(:|;)\s*TTY=%{DATA:sudo_tty}\s*;\s*PWD=%{DATA:sudo_pwd}\s*;\s*USER=%{DATA:sudo_targetuser}\s*;\s*COMMAND=%{GREEDYDATA:sudo_command}

The SUDO_DENIED variable:

SUDO_DENIED=user NOT in sudoers|user NOT authorized on host|command not allowed|3 incorrect password attempts|a password is required|sorry, you are not allowed to set the following environment variables

The sample data that I'm using:

<81>2018-05-22T16:23:11-04:00 fake-host-01.domain.tld sudo: username1 : command not allowed ; TTY=pts/0 ; PWD=/usr/home/username1 ; USER=root ; COMMAND=netstat
<85>2018-05-22T17:56:40-04:00 fake-host-02.domain.tld sudo:   username2 : TTY=pts/1 ; PWD=/usr/local/etc/path ; USER=root ; COMMAND=/usr/bin/netstat -an

Any help would be greatly appreciated. Thank you!
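The behaviour described above comes from the pattern's layout rather than from SUDO_DENIED itself: after `%{USERNAME:sudo_user}\s*:\s*` the filter makes the error message optional but still requires a second `:` or `;` before `TTY=`, and a success line has no such separator, so the match can never reach the TTY field. Moving the ` ; ` into the optional group, i.e. `(%{SUDO_DENIED:sudo_errmsg}\s*;\s*)?TTY=...`, makes the separator conditional on the message being present. The Python script below is an added illustration of that change (not code from the post or from Logstash): it expands the grok names into plain regular expressions (simplified approximations of the default grok definitions, an assumption of this example), compiles both the original and the corrected layout, and runs each against the two sample lines from the post.

```python
import re
from typing import Optional

# Expansions of the grok names used in the post. These are simplified
# approximations of the Logstash defaults, sufficient for the sample lines.
POSINT = r"\d+"
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})"
IPORHOST = r"[A-Za-z0-9][A-Za-z0-9.-]*"
USERNAME = r"[a-zA-Z0-9._-]+"
SUDO_DENIED = (
    "user NOT in sudoers|user NOT authorized on host|command not allowed|"
    "3 incorrect password attempts|a password is required|"
    "sorry, you are not allowed to set the following environment variables"
)

# Everything up to and including the " : " that follows the invoking user.
PREFIX = (
    rf"^(?:<(?P<syslog_pri>{POSINT})>)?(?P<timestamp>{TIMESTAMP_ISO8601})\s*"
    rf"(?P<sudo_host>{IPORHOST})\s*sudo:\s*(?P<sudo_user>{USERNAME})\s*:\s*"
)
# The fixed key=value tail, identical in both layouts.
TAIL = (
    r"TTY=(?P<sudo_tty>.*?)\s*;\s*PWD=(?P<sudo_pwd>.*?)\s*;\s*"
    r"USER=(?P<sudo_targetuser>.*?)\s*;\s*COMMAND=(?P<sudo_command>.*)$"
)

# Layout from the post: optional message, then a REQUIRED ':' or ';' before TTY=.
# A success line has no second separator, so this layout never reaches TTY=.
ORIGINAL_RE = re.compile(PREFIX + rf"(?P<sudo_errmsg>{SUDO_DENIED})?\s*(?::|;)\s*" + TAIL)

# Corrected layout: the ' ; ' separator sits INSIDE the optional group, so it
# is only expected when an error message is actually present.
FIXED_RE = re.compile(PREFIX + rf"(?:(?P<sudo_errmsg>{SUDO_DENIED})\s*;\s*)?" + TAIL)


def parse_sudo(line: str, pattern: re.Pattern = FIXED_RE) -> Optional[dict]:
    """Return the named fields as a dict, or None when the line does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def denied(fields: dict) -> bool:
    """True when sudo refused the request, i.e. an error message was captured."""
    return fields.get("sudo_errmsg") is not None


# Sample lines taken from the post (constructed data with fake hostnames).
SAMPLE_DENIED = (
    "<81>2018-05-22T16:23:11-04:00 fake-host-01.domain.tld sudo: username1 : "
    "command not allowed ; TTY=pts/0 ; PWD=/usr/home/username1 ; USER=root ; COMMAND=netstat"
)
SAMPLE_OK = (
    "<85>2018-05-22T17:56:40-04:00 fake-host-02.domain.tld sudo:   username2 : "
    "TTY=pts/1 ; PWD=/usr/local/etc/path ; USER=root ; COMMAND=/usr/bin/netstat -an"
)

if __name__ == "__main__":
    for line in (SAMPLE_DENIED, SAMPLE_OK):
        print("original layout:", parse_sudo(line, ORIGINAL_RE))
        print("fixed layout:   ", parse_sudo(line, FIXED_RE))
```

Running it shows the original layout returning nothing for the success line while the corrected layout yields every field for both, with `sudo_errmsg` set only on the denial; that same `None`-versus-message distinction is what a detection rule would key on to separate refused sudo attempts from routine privilege use.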


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.