12-12-2017 10:03 AM - edited 02-21-2020 10:41 AM
I am trying to get identity from some of my users logging into a CentOS 6 machine. I am able to get the IP address of the machine but am having trouble parsing the username. I am not able to get the quotes stripped from the username. The regex string with ISE 2.3P1 doesn't seem to follow the regex that I am used to. How can I strip the "" from the username, or does it matter that it is surrounded by quotes?
I tried using acct=[^, ]* but that results in my issue of getting "jsmith".
type=CRED_DISP msg=audit(1513039700.390:8262): user pid=19739 uid=0 auid=500 ses=1225 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="jsmith" exe="/usr/sbin/sshd" hostname=metlab2008-svr1.metlab.local addr=10.1.1.92 terminal=ssh res=success'
Thanks
12-15-2017 08:18 AM
Sam,
The below should get you what you need:
acct="([a-zA-Z0-9\_]+)"
Regards,
-Tim
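How the pattern in the reply above behaves on the posted audit line, as an added example that is not part of the original thread. It uses Python's re module rather than ISE's parser, so ISE's regex dialect is an assumption here; the DOTTED sample and the BROAD and ADDR patterns are constructed for illustration.

```python
import re

# Audit line from the question above (CentOS 6 sshd, PAM:setcred).
SAMPLE = ("type=CRED_DISP msg=audit(1513039700.390:8262): user pid=19739 uid=0 "
          "auid=500 ses=1225 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
          "msg='op=PAM:setcred acct=\"jsmith\" exe=\"/usr/sbin/sshd\" "
          "hostname=metlab2008-svr1.metlab.local addr=10.1.1.92 "
          "terminal=ssh res=success'")

# Constructed variant: a username containing a dot and a hyphen (not from the thread).
DOTTED = SAMPLE.replace('acct="jsmith"', 'acct="j.smith-adm"')

ORIGINAL = re.compile(r'acct=[^, ]*')             # asker's attempt: no capture group
ANSWER = re.compile(r'acct="([a-zA-Z0-9\_]+)"')   # pattern from the reply
BROAD = re.compile(r'acct="([^"]+)"')             # assumption: take anything between the quotes
ADDR = re.compile(r'addr=(\d{1,3}(?:\.\d{1,3}){3})')  # hypothetical IPv4 pattern


def extract(pattern, line):
    """Return capture group 1 if the pattern defines one, else the whole match."""
    m = pattern.search(line)
    if m is None:
        return None
    return m.group(1) if pattern.groups else m.group(0)


def identity(line, user_pattern=ANSWER):
    """Return (username, ip), or None when either field cannot be parsed."""
    user, ip = extract(user_pattern, line), extract(ADDR, line)
    return (user, ip) if user and ip else None


if __name__ == "__main__":
    print(extract(ORIGINAL, SAMPLE))   # quotes are part of the match
    print(identity(SAMPLE))            # quotes sit outside the capture group
    print(identity(DOTTED))            # character class rejects '.' and '-'
    print(identity(DOTTED, BROAD))     # broader class still yields a mapping
```

The quotes disappear because they sit outside the capture group; a username with characters outside `[a-zA-Z0-9_]` produces no match at all, so that login would yield no user-to-IP mapping.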
12-15-2017 12:26 PM
That worked. Thanks.