Need some help with a log regex

Posted: 11 Nov 2024, 23:58
by threecats
Can someone provide a regex that handles this line in /var/log/secure? I tried a couple of things, and don't seem to get it, even trying to copy and adapt one that's already there. Here's the line:

Nov 11 13:00:01 boston systemd[2322963]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)

I'm getting these in LFD Log Scanner reports.

Re: Need some help with a log regex

Posted: 20 Nov 2024, 01:59
by Sergio
What are you looking for the REGEX to do with that info?

Sergio

Re: Need some help with a log regex

Posted: 20 Nov 2024, 18:35
by threecats
I think we got it solved. Basically, since those messages are being generated from Cron jobs, my goal was to filter them out of the (secure) log file, without removing them from the log itself.

Here's the regex we came up with, which seems to be working:

^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd\[[[:digit:]]+\]: pam_unix\(systemd-user:session\): session opened for user root\(uid=0\) by root\(uid=0\)

I also created one for mailman, since we're not using it on this server.
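The posted pattern run against a handful of sample lines, as an added example that is not from the thread: Ruby is used because its Perl-style regex engine accepts the POSIX [[:digit:]] class the way lfd's Perl does. Only the first sample line is the poster's; the others are constructed, and the check is that the filter hides just the cron-driven systemd-user noise while real sshd logins and non-root sessions still show up in reports.

```ruby
# The ignore pattern exactly as posted in the thread (csf.logignore style).
IGNORE_RE = /^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ systemd\[[[:digit:]]+\]: pam_unix\(systemd-user:session\): session opened for user root\(uid=0\) by root\(uid=0\)/

# Constructed sample of /var/log/secure lines. Line 1 is the poster's line;
# the rest are made up for this example to probe what the pattern does NOT match.
SAMPLE_LOG = <<~LOG
  Nov 11 13:00:01 boston systemd[2322963]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
  Nov 11 13:00:01 boston systemd[2322963]: pam_unix(systemd-user:session): session closed for user root
  Nov 11 13:02:17 boston sshd[2323101]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
  Nov 11 13:05:42 boston systemd[2323300]: pam_unix(systemd-user:session): session opened for user deploy(uid=1001) by deploy(uid=1001)
  2024-11-11T13:00:01.123456+00:00 boston systemd[2322963]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
  Nov 11 13:10:01 boston.example.com systemd[2323500]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
LOG

# Split a chunk of log text into lines the scanner would still report (kept)
# and lines the ignore pattern suppresses (ignored). Each line is tested on
# its own, as lfd does, so ^ only ever anchors at the start of a line.
def filter_secure_log(text, ignore_re = IGNORE_RE)
  kept = []
  ignored = []
  text.each_line(chomp: true) do |line|
    (line.match?(ignore_re) ? ignored : kept) << line
  end
  { kept: kept, ignored: ignored }
end

if __FILE__ == $PROGRAM_NAME
  result = filter_secure_log(SAMPLE_LOG)
  puts "IGNORED (cron noise, hidden from LFD reports):"
  result[:ignored].each { |l| puts "  #{l}" }
  puts "KEPT (still reported):"
  result[:kept].each { |l| puts "  #{l}" }
end
```

Both the traditional syslog timestamp (second alternative) and the RFC 3339 one (first alternative) are ignored; the sshd login, the session-closed line and the non-root session are kept. Note the last sample line is also kept: the host field is written as [^\s\.]+, so a dotted hostname such as boston.example.com never matches and those lines would keep appearing in reports.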