I'm trying to match sudo log messages in syslog, but I'm having issues with the filter I've written: on a failure, it matches every field properly, but on a success, it only matches up to TTY=.
The filter:
(<%{POSINT:syslog_pri}>)?%{TIMESTAMP_ISO8601:timestamp}\s*%{IPORHOST:sudo_host}\s*sudo:\s*%{USERNAME:sudo_user}\s*:\s*(%{SUDO_DENIED:sudo_errmsg})?\s*(:|;)\s*TTY=%{DATA:sudo_tty}\s*;\s*PWD=%{DATA:sudo_pwd}\s*;\s*USER=%{DATA:sudo_targetuser}\s*;\s*COMMAND=%{GREEDYDATA:sudo_command}
The SUDO_DENIED variable:
SUDO_DENIED=user NOT in sudoers|user NOT authorized on host|command not allowed|3 incorrect password attempts|a password is required|sorry, you are not allowed to set the following environment variables
The sample data that I'm using:
<81>2018-05-22T16:23:11-04:00 fake-host-01.domain.tld sudo: username1 : command not allowed ; TTY=pts/0 ; PWD=/usr/home/username1 ; USER=root ; COMMAND=netstat
<85>2018-05-22T17:56:40-04:00 fake-host-02.domain.tld sudo: username2 : TTY=pts/1 ; PWD=/usr/local/etc/path ; USER=root ; COMMAND=/usr/bin/netstat -an
Any help would be greatly appreciated. Thank you!
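As an added example (not part of the post above), the posted grok pattern and a corrected variant are translated to Python `re` and run over the two sample lines plus one constructed denial line; the corrected variant makes the denial message and its trailing separator optional as a single unit, since the success line carries only one ':' after the username. The grok building blocks POSINT, TIMESTAMP_ISO8601, IPORHOST, USERNAME, DATA and GREEDYDATA are expanded here to the plain-regex subsets these lines need, which is an assumption rather than grok's full definitions.

```python
import re

# Plain-regex stand-ins for the grok patterns used by the filter (assumption:
# reduced to what the sudo syslog lines below need, not grok's full definitions).
POSINT = r"[0-9]+"
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})"
IPORHOST = r"[A-Za-z0-9.\-]+"
USERNAME = r"[a-zA-Z0-9._-]+"
SUDO_DENIED = (
    r"user NOT in sudoers|user NOT authorized on host|command not allowed"
    r"|3 incorrect password attempts|a password is required"
    r"|sorry, you are not allowed to set the following environment variables"
)

PREFIX = (rf"^(?:<(?P<syslog_pri>{POSINT})>)?(?P<timestamp>{TIMESTAMP_ISO8601})\s+"
          rf"(?P<sudo_host>{IPORHOST})\s+sudo:\s+(?P<sudo_user>{USERNAME})\s*:\s*")
SUFFIX = (r"TTY=(?P<sudo_tty>.*?)\s*;\s*PWD=(?P<sudo_pwd>.*?)\s*;\s*"
          r"USER=(?P<sudo_targetuser>.*?)\s*;\s*COMMAND=(?P<sudo_command>.*)$")

# As posted: only the message is optional, the second ':'/';' is mandatory,
# so a success line (which has a single ':' after the username) cannot match.
AS_POSTED = re.compile(PREFIX + rf"(?:(?P<sudo_errmsg>{SUDO_DENIED}))?\s*[:;]\s*" + SUFFIX)
# Corrected: the denial message and its trailing separator are one optional unit.
FIXED = re.compile(PREFIX + rf"(?:(?P<sudo_errmsg>{SUDO_DENIED})\s*[:;]\s*)?" + SUFFIX)

# First two lines are the post's samples; the third is a constructed denial line.
SAMPLES = [
    "<81>2018-05-22T16:23:11-04:00 fake-host-01.domain.tld sudo: username1 : command not allowed"
    " ; TTY=pts/0 ; PWD=/usr/home/username1 ; USER=root ; COMMAND=netstat",
    "<85>2018-05-22T17:56:40-04:00 fake-host-02.domain.tld sudo: username2 : TTY=pts/1"
    " ; PWD=/usr/local/etc/path ; USER=root ; COMMAND=/usr/bin/netstat -an",
    "<85>2018-05-22T18:01:02-04:00 fake-host-03.domain.tld sudo: username3 :"
    " 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/username3 ; USER=root ; COMMAND=/sbin/reboot",
]


def parse_sudo(line, pattern=FIXED):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def is_denied(event):
    """A parsed sudo line is a denial exactly when the optional error message was captured."""
    return event is not None and event.get("sudo_errmsg") is not None


if __name__ == "__main__":
    for line in SAMPLES:
        print("as posted:", parse_sudo(line, AS_POSTED) is not None, "| fixed:", parse_sudo(line))
```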