2

I'd like to extract login information from the Linux auth.log and report on it but having trouble with the regex to extract the pertinent information. I thought a group bordered by spaces (.*) would match the complete segment of text between those spaces. It works fine for the first word and user name, but for the IP address, it spits out the entire line of text starting from the IP address. What am I missing?

s='Accepted keyboard-interactive/pam for user101 from 10.19.36.76 port 36272 ssh2'
s2='Postponed keyboard-interactive for user101 from 10.19.36.76 port 36303 ssh2 [preauth]'

w = re.compile ("(.*) keyboard-interactive.*for (.*) from (.*) ");
m = w.search(s2)
if m:
   print "login by:", m.group(2)
   print "src ip  :", m.group(3)
   print "status  :", m.group(1)

OUTPUT:

login by: user101
src ip  : 10.19.36.76 port 36303 ssh2 [preauth]
status  : Postponed

OR:

login by: user101
src ip  : 10.19.36.76 port 36272 ssh2
status  : Accepted
Improve this question
1
  • 1
    "(.*)" captures also a space, maybe you meant ([^ ]*) ? or, as it has to be an ip "([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" ? Commented Nov 18, 2015 at 14:37

2 Answers 2

Reset to default
1 
w = re.compile ("(.*?) keyboard-interactive.*for (.*?) from (.*?) ");

                    ^^                              ^^         ^^

Make your regex non greedy

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Because (.*) will match every thing (except new line) after from. If you just want to match IP address you can use a character class like following :

[\d.]+

Or and a much safer approach use following:

((?:\d{1,3}\.){3}\d{1,3})
Improve this answer

2 Comments

or replacing all (.*) with (\S+) would do the job perfectly.
@AvinashRaj Yep, It has several way but I think the safer one is better.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.