I am trying to get identity from some of my users logging into a Centos 6.  I am able to get the IP address of the machine but am having trouble parsing the username.  I am not able to get the quotes stripped from the username.  The regex string with ISE 2.3P1 doesn't seem to follow the regex that I am used to.  How can I strip the "" from the username, or does it matter that it is surrounded by quotes?

I tried using acct=[^, ]* but that results in my issue of getting "jsmith".

type=CRED_DISP msg=audit(1513039700.390:8262): user pid=19739 uid=0 auid=500 ses=1225 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jsmith" exe="/usr/sbin/sshd" hostname=metlab2008-svr1.metlab.local addr=10.1.1.92 terminal=ssh res=success'

Thanks