Issue parsing sudo messages with grok

(ire) #1

I'm trying to match sudo log messages in syslog, but I'm having issues with the filter I've written. On a failure it matches every field properly, but on a success it only matches up to TTY=.

The filter:


The SUDO_DENIED variable:

SUDO_DENIED=user NOT in sudoers|user NOT authorized on host|command not allowed|3 incorrect password attempts|a password is required|sorry, you are not allowed to set the following environment variables

The sample data that I'm using:

<81>2018-05-22T16:23:11-04:00 fake-host-01.domain.tld sudo: username1 : command not allowed ; TTY=pts/0 ; PWD=/usr/home/username1 ; USER=root ; COMMAND=netstat
<85>2018-05-22T17:56:40-04:00 fake-host-02.domain.tld sudo:   username2 : TTY=pts/1 ; PWD=/usr/local/etc/path ; USER=root ; COMMAND=/usr/bin/netstat -an

Any help would be greatly appreciated. Thank you!
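The two sample lines differ in one structural way: the denied line carries a reason segment (`command not allowed ; `) between the username and `TTY=`, while the allowed line goes straight from the username to `TTY=`. A pattern that wants both lines therefore has to treat the reason segment as optional, and it has to absorb the variable run of spaces after `sudo:`. The block below is an added example, not ire's filter and not Logstash code: a small Python expander that turns grok-style `%{NAME:field}` references into a named-group regex, a pattern library constructed for this example (only SUDO_DENIED is taken from the post; the other pattern names are assumptions), and a parser run over the two sample lines from the post that labels each event as denied or allowed.

```python
import re

# Grok-style pattern library. SUDO_DENIED is the alternation from the post;
# every other entry is constructed for this example (assumption, not a real
# Logstash definition).
PATTERNS = {
    "PRI": r"<\d{1,3}>",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)",
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "USERNAME": r"[A-Za-z0-9._-]+",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
    "SUDO_DENIED": (
        r"user NOT in sudoers|user NOT authorized on host|command not allowed"
        r"|3 incorrect password attempts|a password is required"
        r"|sorry, you are not allowed to set the following environment variables"
    ),
}

# The grok-style pattern. The reason segment is wrapped in an optional
# non-capturing group so that allowed events (no reason) still match, and
# \s+ after "sudo:" absorbs sudo's variable padding before the username.
SUDO_GROK = (
    r"%{PRI}%{TIMESTAMP_ISO8601:ts} %{HOSTNAME:host} sudo:\s+%{USERNAME:user} : "
    r"(?:%{SUDO_DENIED:reason} ; )?"
    r"TTY=%{NOTSPACE:tty} ; PWD=%{NOTSPACE:pwd} ; USER=%{USERNAME:runas} ; "
    r"COMMAND=%{GREEDYDATA:command}"
)

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, library=PATTERNS):
    """Expand %{NAME} / %{NAME:field} references into a Python regex.

    A reference with a field name becomes a named capture group; one without
    becomes a non-capturing group. Nested references inside library entries
    are expanded recursively.
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_REF.sub(expand, library[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    return GROK_REF.sub(expand, pattern)


SUDO_RE = re.compile(grok_to_regex(SUDO_GROK))


def parse_sudo(line):
    """Return the captured fields plus an 'outcome' label, or None if no match."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # An unmatched optional group comes back as None, which is exactly the
    # allowed case: no denial reason was logged.
    fields["outcome"] = "denied" if fields["reason"] else "allowed"
    return fields


# The two sample lines quoted in the post.
SAMPLE_LINES = [
    "<81>2018-05-22T16:23:11-04:00 fake-host-01.domain.tld sudo: username1 : "
    "command not allowed ; TTY=pts/0 ; PWD=/usr/home/username1 ; USER=root ; COMMAND=netstat",
    "<85>2018-05-22T17:56:40-04:00 fake-host-02.domain.tld sudo:   username2 : "
    "TTY=pts/1 ; PWD=/usr/local/etc/path ; USER=root ; COMMAND=/usr/bin/netstat -an",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_sudo(line))
```

The expander only mimics grok's reference syntax; the regex features it relies on (named groups, optional non-capturing groups, `\s+`) are ordinary regex that grok passes through as well, so the same shape of pattern, with the reason segment optional, carries over to a Logstash filter. The `outcome` field is what a detection rule would key on: denied events with a `reason` are the ones worth alerting on, and allowed events still give you the invoking user, the target user and the full command line.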

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.