use strict;
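# Sample auth log used as the match subject: sshd, su and sudo lines, one
# event per line.
my $str = 'Sat Jun 03 2017 22:53:03 cisco_router1 sshd[4926]: Failed password for invalid user info from 2.229.4.58 port 4509 ssh2
Sat Jun 03 2017 22:55:37 cisco_router1 sshd[3720]: Failed password for peevish from 2.229.4.58 port 1299 ssh2
Sat Jun 03 2017 22:54:09 cisco_router1 sshd[15833]: pam_unix(sshd:session): session opened for user nsharpe by (uid=0)
Tue Jul 04 2017 16:59:10 cisco_router1 sshd[64913]: pam_unix(sshd:session): session closed for user nsharpe by (uid=0)
Tue Jul 04 2017 14:21:40 cisco_router1 su: pam_unix(su:session): session closed for user root
Sat Jun 03 2017 22:55:13 cisco_router1 sshd[1952]: Accepted password for djohnson from 10.3.10.46 port 1182 ssh2
Sat Jun 03 2017 22:55:37 cisco_router1 sudo: myuan ; TTY=pts/0 ; PWD=/home/myuan ; USER=root ; COMMAND=/bin/su
Tue Jul 04 2017 16:59:10 cisco_router1 sshd[59602]: Received disconnect from 10.2.10.163 11: disconnected by user
Tue Jul 04 2017 16:59:10 cisco_router1 sshd[59602]: Received disconnect from 10.2.10.163 11: disconnected by user
';

# Extract the account name from each auth event.
#
# The earlier pattern keyed on word endings ("rd", "ed") with every connective
# optional, so on the first sample line it matched "ed password" and put the
# literal word "password" into the user group; on the pam_unix lines it
# captured the literal word "user". Each alternative below spells out the full
# phrase that introduces an account name, so the capture can only start where
# a name is expected. The "Received disconnect" lines carry no account name
# and are intentionally not matched.
#
# NOTE(review): \w+ is kept from the original; it stops at the first "-" or
# ".", so names containing those characters are truncated. Confirm against the
# account naming scheme before relying on the capture for attribution.
my $regex = qr{
    (?:
        password \s for \s (?:invalid \s user \s)?      # sshd: Failed or Accepted password for NAME
      | session \s (?:opened|closed) \s for \s user \s  # pam_unix session open and close
      | USER=                                           # sudo: target account
    )
    (?<user>\w+)
}xp;

# List-of-matches iteration: "while" with /g walks every event in the sample.
# An "if" with /g would stop after the first match and report only that one.
while ( $str =~ /$regex/g ) {
    print "Whole match is ${^MATCH} and its start/end positions can be obtained via \$-[0] and \$+[0]\n";
    # The name in a failed login is supplied by the remote client, so treat
    # the capture as untrusted text when forwarding or displaying it.
    print "Named capture 'user' is $+{user}\n";
}
# ${^POSTMATCH} and ${^PREMATCH} are also available with the use of '/p'
# Named capture groups can be called via $+{name}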