Help with linux cron log parsing with regex

Hi, I have the following log message, from which I want to extract ‘root’, ‘4403’ and everything past ‘cmd’.
crond[2059]: USER root pid 4403 cmd docker exec -u 33 -t nextcloud-app-1-old php -f /var/www/html/cron.php
I’d like to do that with regex, but I don’t know how, since this gives me an error:

// extracting crond process, user and 
rule "cron parser"
when
    contains(to_string($message.hostname), "crond[", true)
then
    regex(pattern: "USER (\w+) pid", value: to_string($message.message))

regex101 is great for interactively building and checking your regex patterns.


Hey @mlazzarotto

Something like this,

rule "batman"
when
  has_field("message") and contains(to_string($message.message), "crond")
then
  // regex() returns the capture groups under the keys "0", "1", ...:
  // "0" is the outer "user=..." group, "1" is the inner name-only group
  let something = regex("(user=\\s*(\\S+))", to_string($message.message));
  set_field("username", something["1"]);
end

That should give you a start.


Thank you for the hint!
I did it this way

rule "crond_parser"
when
    has_field("message") and contains(to_string($message.message), "crond")
then
    // capture groups come back under "0", "1", "2" (the first group is "0", not the whole match)
    let m = regex("USER (\\w+) pid (\\d+) cmd (.+$)", to_string($message.message));
    set_field("cron_user", m["0"]);
    set_field("cron_pid", m["1"]);
    set_field("cron_cmd", m["2"]);
end
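Added worked example (mine, not code from the thread or from Graylog): the pattern from the accepted rule above, and the `user=` starting point from the earlier reply, both reduce to "capture user, pid and command from a crond line". The Python below runs the accepted pattern unchanged over the poster's message plus constructed variants, and beside it a hardened pattern that I am assuming, not one anybody in the thread proposed: `\S+` instead of `\w+` for the user name (so `www-data` or `backup.svc` are captured rather than silently skipped) and an anchor on the `crond[<pid>]:` prefix so the rule cannot fire on an unrelated message that merely contains the words `USER`, `pid` and `cmd`. All sample lines except the first are constructed for this example.

```python
import re

# Constructed sample messages, not from the thread: only the first line is the
# poster's original; the others are made up to exercise the edge cases.
SAMPLE_MESSAGES = [
    "crond[2059]: USER root pid 4403 cmd docker exec -u 33 -t nextcloud-app-1-old php -f /var/www/html/cron.php",
    "crond[2059]: USER www-data pid 4410 cmd /usr/bin/php -f /var/www/html/cron.php",
    "crond[2059]: USER backup.svc pid 4412 cmd /usr/local/bin/rotate --keep 7",
    "sshd[900]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2",
]

# The pattern from the accepted rule, unchanged: \w+ for the user name, no anchor.
THREAD_PATTERN = re.compile(r"USER (\w+) pid (\d+) cmd (.+$)")

# Hardened variant (my assumption, not from the thread): \S+ accepts user names
# containing '-' or '.', which \w never matches, and the anchored crond[<pid>]:
# prefix keeps the rule from matching unrelated messages.
HARDENED_PATTERN = re.compile(r"^crond\[(\d+)\]: USER (\S+) pid (\d+) cmd (.+)$")


def parse_thread_rule(message):
    """Extract cron_user/cron_pid/cron_cmd exactly as the thread's regex would.

    Returns None when nothing matched, so a missed extraction cannot be
    mistaken for an empty user name.
    """
    m = THREAD_PATTERN.search(message)
    if m is None:
        return None
    return {
        "cron_user": m.group(1),
        "cron_pid": int(m.group(2)),
        "cron_cmd": m.group(3),
    }


def parse_hardened(message):
    """Same fields plus the crond daemon pid, using the anchored pattern."""
    m = HARDENED_PATTERN.match(message)
    if m is None:
        return None
    return {
        "crond_pid": int(m.group(1)),
        "cron_user": m.group(2),
        "cron_pid": int(m.group(3)),
        "cron_cmd": m.group(4),
    }


def parse_many(messages, parser):
    """Run a parser over a batch and keep the misses separately.

    A pipeline that silently drops non-matching lines hides exactly the events
    (unusual user names, unexpected formats) an analyst most wants to see.
    """
    hits, misses = [], []
    for msg in messages:
        fields = parser(msg)
        if fields is None:
            misses.append(msg)
        else:
            hits.append(fields)
    return hits, misses


if __name__ == "__main__":
    for name, parser in (("thread", parse_thread_rule), ("hardened", parse_hardened)):
        hits, misses = parse_many(SAMPLE_MESSAGES, parser)
        print(f"{name}: {len(hits)} parsed, {len(misses)} missed")
        for fields in hits:
            print("  ", fields)
        for msg in misses:
            print("   MISS:", msg)
```

Running it shows the thread's pattern parsing only the `root` line and missing `www-data` and `backup.svc` entirely, while the hardened pattern parses all three crond lines and still rejects the sshd line. When porting the hardened pattern back into a Graylog rule, remember that the rule's string literal needs `\\S` and `\\d`, as in the rules above, and that the `crond_pid` group shifts the other group indices by one.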

@mlazzarotto

Nice, and thanks for sharing :+1:
