I have 2 events from 2 different systems which are displaying slightly different authentication sucessful messages (due to running differenent version firmware) but need to catch 'success' in the action.
**Sample**
Oct 23 03:50:36 2015 [192.168.1.2] authmgr[596]: <522008> |authmgr| User authenticated: Name=john.doe MAC=d8:45:95:37:19:3a IP=192.168.1.24 method=802.1x server=radius.lab.com role=authenticated
Oct 23 03:49:53 lab2 authmgr[1883]: <522008> User Authentication Successful: username=mary.jane MAC=c0:aa:d1:db:7d:f8 IP=192.168.2.34 role=authenticated VLAN=601 AP=32.3.4 SSID=ssidlab AAA profile=Auth_AaaProfile auth method=802.1x auth server=radius.lab.com
Both of these are sucess auths.
**transforms.conf**
[aruba_user_action]
REGEX = User\s+(authenticated)|Authentication\s+(Successful|Failed)
FORMAT = aruba_user_action::$1
[aruba_user_action_lookup]
filename = aruba_user_action.csv
I have tried variations of the REGEX but I can only capture either one or the other log sample but not both.
Thanks in advance.
↧