Regular Expressions 101

Community Patterns

SSHD log analysis

Regular Expression
Python

r"
\[(?P<ssh_id>\d{1,}(?=\])).*(?P<action>(Accepted)|(Failed)).+(?P<username>(?<=(for\s)).+(?=\sfrom)).+(?P<host>(?<=(from\s)).+(?=\sport)).+(?P<port>(?<=(port\s))\d{1,})
"
g

Description

journalctl provides a number of different output messages for sshd. This regex matches the lines that report a failed or accepted connection. The following named groups are defined:

  • ssh_id:   The connection id.
  • action:   'Accepted' or 'Failed'.
  • username: The username that tried to log in.
  • host:     The address of the remote host.
  • port:     The port of the remote host.
Submitted by Xerath Ahbrosha - 7 years ago
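Added example (not part of the submitted pattern page): the regex above compiled with Python's re module and run over constructed journalctl lines, showing each named group and a simple per-source-host failed-login count a defender might alert on. The sample log lines, the "invalid user" handling and the threshold are assumptions for illustration.

```python
import re
from collections import Counter

# The pattern from the page, compiled unchanged for Python's re module.
SSHD_RE = re.compile(
    r"\[(?P<ssh_id>\d{1,}(?=\])).*(?P<action>(Accepted)|(Failed)).+"
    r"(?P<username>(?<=(for\s)).+(?=\sfrom)).+"
    r"(?P<host>(?<=(from\s)).+(?=\sport)).+"
    r"(?P<port>(?<=(port\s))\d{1,})"
)

# Constructed sample journalctl output (not real logs); RFC 5737 addresses.
SAMPLE_LOG = """\
Apr 01 12:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 01 12:00:03 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 01 12:00:04 bastion sshd[2204]: Connection closed by 203.0.113.5 port 51240 [preauth]
Apr 01 12:00:09 bastion sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:placeholder
Apr 01 12:00:15 bastion sshd[2215]: Failed password for root from 203.0.113.5 port 51251 ssh2
"""

def parse_sshd_line(line):
    """Return the named groups as a dict, or None for lines the regex does not cover."""
    m = SSHD_RE.search(line)
    if m is None:
        return None
    event = {k: m.group(k) for k in ("ssh_id", "action", "username", "host", "port")}
    # sshd writes 'invalid user <name>' for unknown accounts and the regex keeps
    # that prefix inside the username group, so strip it but record the fact.
    event["invalid_user"] = event["username"].startswith("invalid user ")
    if event["invalid_user"]:
        event["username"] = event["username"][len("invalid user "):]
    event["port"] = int(event["port"])
    return event

def failed_logins_by_host(log_text, threshold=3):
    """Count 'Failed' events per source host; return hosts at or above threshold."""
    failures = Counter()
    for line in log_text.splitlines():
        event = parse_sshd_line(line)
        if event and event["action"] == "Failed":
            failures[event["host"]] += 1
    return {host: n for host, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_sshd_line(line))
    print(failed_logins_by_host(SAMPLE_LOG))  # {'203.0.113.5': 3}
```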