# # parse auth.log for user-names and public keys # [PARSER] name syslog_msg format regex # there might be more than one space after month name regex ^[^ ]+ +[^ ]+ [^ ]+ [^ ]+ (?.*)$ [PARSER] name ssh_pubkey format regex regex ^sshd.*: Accepted publickey for (?[^ ]+) from (?[0-9.]+) port [0-9]+ (?[^:]+): (?[^ ]+) (?.*)$ # regex against proc_name[proc_pid]: situation [PARSER] name name_pid_msg format regex regex ^(?[^\[]+)\[(?[0-9]+)\]: (?.*)$ # regex against proc_name: situation [PARSER] name name_msg format regex regex ^(?[^\[:]+): (?.*)$