#include <StringConstants.au3> ; to declare the Constants of StringRegExp
#include <Array.au3> ; UDF needed for _ArrayDisplay and _ArrayConcatenate
; Pattern for classic syslog-style auth log lines of the form
;   "Mon D HH:MM:SS host process[pid]: message"
; (?m) makes ^ and $ match at every line boundary, so each log line is one match.
; Capture groups, in the order they appear in the pattern:
;   month    - optional three non-space characters
;   day      - preceded by one or two spaces
;   time     - next non-space token
;   hostname - next non-space token
;   process  - lazy match up to the first "[" (first alternative). The second
;              alternative ends in "(?=)", an empty lookahead that always succeeds,
;              so it is a plain lazy match; it handles lines with no "[pid]" part.
;   pid      - 1 to 7 digits, or empty
;   info     - the rest of the line
; NOTE(review): the timestamp has no year or time zone, so matches from different
; hosts or years cannot be ordered from these fields alone.
; NOTE(review): "info" carries text that is partly chosen by the remote peer (for
; example the ruser= and rhost= values in the PAM lines of the sample data), so
; treat anything extracted from it as untrusted input.
Local $sRegex = "(?m)^(?<month>\S{3})? {1,2}(?<day>\S+) (?<time>\S+) (?<hostname>\S+) (?<process>.+?(?=\[)|.+?(?=))[^a-zA-Z0-9](?<pid>\d{1,7}|)[^a-zA-Z0-9]{1,3}(?<info>.*)$"
; Sample input: auth log excerpts from several hosts (systemd-logind, sudo, sshd,
; CRON and dovecot PAM lines), joined with @CRLF into one subject string.
; Inside an AutoIt string literal a doubled quote ("") is one literal quote, and the
; final "" is an empty string that closes the concatenation, so the subject ends
; with @CRLF.
; NOTE(review): the lines contain IP addresses, account names, host names and an SSH
; public key fingerprint. If they were copied from live systems, consider replacing
; them with placeholder values (for example addresses from the RFC 5737
; documentation ranges) before sharing this sample.
Local $sString = "Oct 2 02:21:02 init-adl-001 systemd-logind[613]: New session 516 of user initadm." & @CRLF & _
"Oct 2 02:21:02 init-adl-001 systemd: pam_unix(systemd-user:session): session opened for user initadm(uid=1000) by (uid=0)" & @CRLF & _
"Oct 2 02:25:40 init-adl-001 sudo: initadm : TTY=pts/0 ; PWD=/data/caddy ; USER=root ; COMMAND=/usr/bin/docker compose down" & @CRLF & _
"Oct 2 02:25:40 init-adl-001 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by initadm(uid=1000)" & @CRLF & _
"Oct 2 02:25:42 init-adl-001 sudo: pam_unix(sudo:session): session closed for user root" & @CRLF & _
"Oct 2 02:38:04 init-adl-001 sshd[674609]: Received disconnect from 61.245.144.92 port 31442:11: disconnected by user" & @CRLF & _
"Oct 2 02:38:04 init-adl-001 sshd[674483]: pam_unix(sshd:session): session closed for user initadm" & @CRLF & _
"Oct 2 02:38:04 init-adl-001 systemd-logind[613]: Session 516 logged out. Waiting for processes to exit." & @CRLF & _
"Oct 2 02:38:04 init-adl-001 systemd-logind[613]: Removed session 516." & @CRLF & _
"Sep 25 23:17:01 mail CRON[166728]: pam_unix(cron:session): session closed for user root" & @CRLF & _
"Sep 25 23:32:02 mail auth: pam_unix(dovecot:auth): check pass; user unknown" & @CRLF & _
"Sep 25 23:32:02 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=support rhost=178.176.175.68" & @CRLF & _
"Sep 28 16:08:48 mail sshd[195853]: Connection from 61.245.144.92 port 50922 on 112.213.36.242 port 3940 rdomain """ & @CRLF & _
"Sep 28 16:08:48 mail sshd[195853]: Postponed publickey for xaraxadm from 61.245.144.92 port 50922 ssh2 [preauth]" & @CRLF & _
"Sep 28 16:08:49 mail sshd[195853]: Accepted publickey for xaraxadm from 61.245.144.92 port 50922 ssh2: ED25519 SHA256:QZGnAVXHbGqSb+eA2RDBPUL9HZWhK201x/5jbVQKcxA" & @CRLF & _
"Sep 28 16:08:49 mail sshd[195853]: pam_unix(sshd:session): session opened for user xaraxadm by (uid=0)" & @CRLF & _
"Sep 28 16:08:49 mail systemd-logind[574]: New session 2112 of user xaraxadm." & @CRLF & _
"Sep 28 16:08:49 mail systemd: pam_unix(systemd-user:session): session opened for user xaraxadm by (uid=0)" & @CRLF & _
"Sep 28 16:08:49 mail sshd[195853]: User child is on pid 195877" & @CRLF & _
"Sep 28 16:08:49 mail sshd[195877]: Starting session: shell on pts/0 for xaraxadm from 61.245.144.92 port 50922 id 0" & @CRLF & _
"Sep 26 10:17:01 mail CRON[172205]: pam_unix(cron:session): session closed for user root" & @CRLF & _
"Sep 26 10:40:45 mail auth: pam_unix(dovecot:auth): check pass; user unknown" & @CRLF & _
"Sep 26 10:40:45 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=karlb rhost=185.30.177.49" & @CRLF & _
"Sep 26 11:17:01 mail CRON[172677]: pam_unix(cron:session): session opened for user root by (uid=0)" & @CRLF & _
"Sep 26 00:00:01 mail CRON[167057]: pam_unix(cron:session): session opened for user root by (uid=0)" & @CRLF & _
"Sep 26 00:00:01 mail CRON[167058]: pam_unix(cron:session): session opened for user root by (uid=0)" & @CRLF & _
"Sep 26 00:00:01 mail CRON[167058]: pam_unix(cron:session): session closed for user root" & @CRLF & _
"Oct 5 02:41:01 init-adl-001 CRON[1059278]: pam_unix(cron:session): session closed for user smmsp" & @CRLF & _
"Oct 5 02:44:22 init-adl-001 sshd[1059328]: error: kex_exchange_identification: banner line contains invalid characters" & @CRLF & _
"Oct 5 02:44:22 init-adl-001 sshd[1059328]: banner exchange: Connection from 176.113.115.86 port 63918: invalid format" & @CRLF & _
"Oct 5 03:00:01 init-adl-001 CRON[1069071]: pam_unix(cron:session): session opened for user smmsp(uid=114) by (uid=0)" & @CRLF & _
"Oct 5 03:45:25 init-adl-001 systemd-logind[613]: Session 816 logged out. Waiting for processes to exit." & @CRLF & _
"Oct 5 03:45:25 init-adl-001 systemd-logind[613]: Removed session 816." & @CRLF & _
"Oct 5 05:31:32 init-adl-001 sshd[1079931]: Accepted publickey for initadm from 61.245.144.92 port 5550 ssh2: ED25519 SHA256:QZGnAVXHbGqSb+eA2RDBPUL9HZWhK201x/5jbVQKcxA" & @CRLF & _
"Oct 21 04:47:44 fw sshd[31558]: Disconnecting: Too many authentication failures for root [preauth]" & @CRLF & _
"Oct 21 04:47:44 fw sshd[31558]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.0.125 user=root" & @CRLF & _
"Oct 21 04:47:44 fw sshd[31558]: PAM service(sshd) ignoring max retries; 6 > 3" & @CRLF & _
"Oct 21 04:47:46 fw sshd[31562]: Failed password for root from 218.2.0.125 port 12277 ssh2" & @CRLF & _
"Oct 21 04:47:46 fw sshd[31581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.0.125 user=root" & @CRLF & _
"Oct 21 04:47:48 fw sshd[31560]: message repeated 5 times: [ Failed password for root from 218.2.0.125 port 9188 ssh2]" & @CRLF & _
"Oct 21 04:47:48 fw sshd[31560]: Disconnecting: Too many authentication failures for root [preauth]" & @CRLF & _
"Oct 21 04:47:48 fw sshd[31560]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.0.125 user=root" & @CRLF & _
"Oct 21 04:47:48 fw sshd[31560]: PAM service(sshd) ignoring max retries; 6 > 3" & @CRLF & _
"Oct 21 04:47:48 fw sshd[31581]: Failed password for root from 218.2.0.125 port 13148 ssh2" & @CRLF & _
"Oct 21 04:47:52 fw sshd[31595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.0.125 user=root" & @CRLF & _
"Oct 21 04:47:55 fw sshd[31595]: Failed password for root from 218.2.0.125 port 14409 ssh2" & @CRLF & _
"Oct 21 04:47:55 fw CRON[31494]: pam_unix(cron:session): session closed for user clamav" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31562]: message repeated 5 times: [ Failed password for root from 218.2.0.125 port 12277 ssh2]" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31562]: Disconnecting: Too many authentication failures for root [preauth]" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31562]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.0.125 user=root" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31562]: PAM service(sshd) ignoring max retries; 6 > 3" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31581]: message repeated 5 times: [ Failed password for root from 218.2.0.125 port 13148 ssh2]" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31581]: Disconnecting: Too many authentication failures for root [preauth]" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31581]: fatal: Write failed: Connection reset by peer [preauth]" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31581]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.0.125 user=root" & @CRLF & _
"Oct 21 04:47:59 fw sshd[31581]: PAM service(sshd) ignoring max retries; 6 > 3" & @CRLF & _
"Oct 21 04:48:00 fw sshd[31595]: message repeated 2 times: [ Failed password for root from 218.2.0.125 port 14409 ssh2]" & @CRLF & _
"Oct 5 05:31:32 init-adl-001 sshd[1079931]: pam_unix(sshd:session): session opened for user initadm(uid=1000) by (uid=0)" & @CRLF & _
"Oct 5 05:31:32 init-adl-001 systemd-logind[613]: New session 835 of user initadm." & @CRLF & _
"Oct 5 05:31:32 init-adl-001 systemd: pam_unix(systemd-user:session): session opened for user initadm(uid=1000) by (uid=0)" & @CRLF & _
"Oct 5 05:31:38 init-adl-001 sshd[1080056]: Received disconnect from 61.245.144.92 port 5550:11: disconnected by user" & @CRLF & _
"Oct 5 05:31:38 init-adl-001 sshd[1079931]: pam_unix(sshd:session): session closed for user initadm" & @CRLF & _
"Oct 5 05:31:38 init-adl-001 systemd-logind[613]: Session 835 logged out. Waiting for processes to exit." & @CRLF & _
"Oct 5 05:31:38 init-adl-001 systemd-logind[613]: Removed session 835." & @CRLF & _
"Oct 5 05:31:44 init-adl-001 sshd[1080068]: Connection closed by authenticating user root 61.245.144.92 port 5552 [preauth]" & @CRLF & _
"Oct 5 05:31:45 init-adl-001 sshd[1080070]: Connection closed by authenticating user root 61.245.144.92 port 5554 [preauth]" & @CRLF & _
"Oct 5 05:31:46 init-adl-001 sshd[1080072]: Connection closed by authenticating user root 61.245.144.92 port 5556 [preauth]" & @CRLF & _
"Oct 5 05:31:57 init-adl-001 sshd[1080077]: Accepted publickey for initadm from 61.245.144.92 port 5458 ssh2: ED25519 SHA256:QZGnAVXHbGqSb+eA2RDBPUL9HZWhK201x/5jbVQKcxA" & @CRLF & _
"Oct 3 08:17:01 init-adl-001 CRON[835419]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)" & @CRLF & _
"Oct 3 08:17:01 init-adl-001 CRON[835419]: pam_unix(cron:session): session closed for user root" & @CRLF & _
"Oct 3 08:20:01 init-adl-001 CRON[835438]: pam_unix(cron:session): session opened for user smmsp(uid=114) by (uid=0)" & @CRLF & _
"Oct 5 01:32:02 init-adl-001 sshd[1058589]: Accepted publickey for initadm from 61.245.144.92 port 5546 ssh2: ED25519 SHA256:QZGnAVXHbGqSb+eA2RDBPUL9HZWhK201x/5jbVQKcxA" & @CRLF & _
"Oct 5 01:32:02 init-adl-001 sshd[1058589]: pam_unix(sshd:session): session opened for user initadm(uid=1000) by (uid=0)" & @CRLF & _
"Oct 5 01:32:02 init-adl-001 systemd-logind[613]: New session 816 of user initadm." & @CRLF & _
"Oct 5 01:32:02 init-adl-001 systemd: pam_unix(systemd-user:session): session opened for user initadm(uid=1000) by (uid=0)" & @CRLF & _
""
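; Run the pattern over the whole sample. With $STR_REGEXPARRAYGLOBALFULLMATCH the
; result is an array of arrays: one inner array per matched log line, holding the
; full match at index 0 followed by the capture groups in pattern order.
; Lines that do not match the pattern are skipped without any signal, so compare
; the number of matches with the number of input lines when completeness matters
; (a parser that silently drops lines leaves a gap in log review).
Local $aArray = StringRegExp($sString, $sRegex, $STR_REGEXPARRAYGLOBALFULLMATCH)
; Capture @error right away; the next function call resets it.
Local $iRegexError = @error
If $iRegexError Then
    ; StringRegExp sets @error to 1 when nothing matched and 2 when the pattern is invalid.
    ConsoleWriteError("StringRegExp failed, @error = " & $iRegexError & @CRLF)
    Exit 1
EndIf
; Flatten the per-line arrays into one 1D array so _ArrayDisplay can show them.
; Record boundaries are lost: each log line contributes a run of consecutive cells.
Local $aFullArray[0]
For $i = 0 To UBound($aArray) - 1
    _ArrayConcatenate($aFullArray, $aArray[$i])
Next
$aArray = $aFullArray
; Present the entire match result.
; The displayed "info" values come from log text that remote peers can influence;
; treat them as untrusted if they are exported or processed further.
_ArrayDisplay($aArray, "Result")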
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for AutoIt, please visit: https://www.autoitscript.com/autoit3/docs/functions/StringRegExp.htm