Hi, there.

I'm trying to extract some fields from SSH login messages and store them in separate fields so that I can easily retrieve user names and source IPs. I have this match:

Accepted (.*) for (.*) from ([^[:space:]]+)

where $1 is the authentication method (password, RSA...), $2 is the user name and $3 is the source IP for the connection.

My idea is to place a separator for these fields, and make parsing easy. Something like

$_$<username>$_$<method>$_$<IP>$_$

I know I could use a template, the same regular expression 3 times and extract one field at a time. But I wonder if it's possible to process the RE once, and then extract ($1, $2, $3) and NOT $0 in one go. This would be much faster, and speed matters to me.

Thanks.
--
Luis Fernando Muñoz Mejías
[email protected]
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
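The single-pass extraction asked about above, as an added example that is not part of the original post and is not rsyslog configuration: one compiled pattern is evaluated once per message and all three groups are emitted in the `$_$<username>$_$<method>$_$<IP>$_$` layout. It assumes the usual OpenSSH message shape with a trailing `port N`; the function name and the sample messages are constructed for illustration.

```python
import ipaddress
import re

SEP = "$_$"  # separator proposed in the post

# One pattern, matched once per message. \S+ replaces the greedy (.*) so each
# capture stops at the next space, and match() anchors at the start of the
# message so the phrase appearing later in some other message is not parsed
# as a successful login.
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def extract(msg):
    """Return '$_$user$_$method$_$ip$_$' for an sshd 'Accepted' message, else None."""
    m = ACCEPTED.match(msg.lstrip())
    if m is None:
        return None
    method, user, src = m.groups()
    try:
        # Keep only values that really are IPv4/IPv6 addresses.
        src = str(ipaddress.ip_address(src))
    except ValueError:
        return None
    # A field that contains the separator would make the output ambiguous.
    if SEP in user or SEP in method:
        return None
    return SEP + SEP.join((user, method, src)) + SEP


if __name__ == "__main__":
    # Constructed sample messages (documentation address ranges).
    samples = [
        "Accepted password for luis from 192.0.2.10 port 51234 ssh2",
        " Accepted publickey for root from 2001:db8::1 port 22 ssh2: RSA SHA256:constructed",
        "Failed password for luis from 192.0.2.10 port 51234 ssh2",
        "note: Accepted password for bob from 192.0.2.7 port 22 ssh2",
    ]
    for s in samples:
        print(repr(s), "->", extract(s))
```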

