sudo_sourcetyping transform fails if the event doesn't contain a TTY= field
Opened this issue · 0 comments
barrettnet commented
I've found that some events within /var/log/secure aren't having their sourcetype changed from linux_secure to sudo and the commonality is that they don't have a TTY=xxx ; in them.
The REGEX within sudo_sourcetyping is looking for 3 KV pairs and these particular events only have 2. I'm unable to provide samples as they're on a system without internet connectivity.
The simple fix would appear to be to change the count from 3 to 2 but that risks changing the sourcetype of unrelated events to sudo.
A better(?) fix could be to change the REGEX line from
REGEX = ([A-Z]+=\S+ ; ){3}
to
REGEX = ((TTY|PWD|USER)=\S+ ; ){2}
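To see the difference between the three candidate patterns (the original `{3}` regex, the simple `{3}` to `{2}` count change, and the proposed key-restricted regex), here is an added test harness. It is not part of the issue or of the Splunk add-on; the sudo lines and the unrelated event are constructed samples, since the reporter could not share real ones, and it uses Python's `re` module as a stand-in for the PCRE engine Splunk's transforms use (the constructs involved behave the same in both).

```python
import re

# Constructed sample events in /var/log/secure style (not taken from the issue).
EVENTS = {
    # Interactive sudo: TTY=, PWD=, USER= all present, three "KEY=value ; " pairs.
    "sudo_with_tty": "Mar  3 10:15:22 host1 sudo:    alice : TTY=pts/0 ; "
                     "PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl status sshd",
    # sudo without a TTY (the case the issue describes): only two pairs.
    "sudo_without_tty": "Mar  3 10:16:05 host1 sudo:    alice : "
                        "PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
    # Hypothetical non-sudo event that happens to use the same "KEY=value ; " layout;
    # it illustrates the over-matching risk of simply lowering the count to 2.
    "unrelated": "Mar  3 10:17:40 host1 someapp[123]: JOB=nightly ; STATUS=ok ; finished",
}

# The three REGEX values under discussion.
ORIGINAL_REGEX = r"([A-Z]+=\S+ ; ){3}"           # current transform: needs 3 pairs
LOOSENED_REGEX = r"([A-Z]+=\S+ ; ){2}"           # naive fix: any 2 pairs
PROPOSED_REGEX = r"((TTY|PWD|USER)=\S+ ; ){2}"   # proposed fix: 2 pairs from sudo's keys


def sourcetype_for(event: str, regex: str) -> str:
    """Mimic the sudo_sourcetyping transform: rewrite the sourcetype to 'sudo'
    when the regex matches anywhere in the event, else keep 'linux_secure'."""
    return "sudo" if re.search(regex, event) else "linux_secure"


def classify_all(regex: str) -> dict:
    """Apply one candidate regex to every sample event and report the outcome."""
    return {name: sourcetype_for(event, regex) for name, event in EVENTS.items()}


if __name__ == "__main__":
    for label, regex in (("original", ORIGINAL_REGEX),
                         ("loosened", LOOSENED_REGEX),
                         ("proposed", PROPOSED_REGEX)):
        print(f"{label:9} {regex}")
        for name, sourcetype in classify_all(regex).items():
            print(f"    {name:18} -> {sourcetype}")
```

Running it shows the original regex leaving the TTY-less sudo event as `linux_secure`, the loosened count regex tagging the unrelated event as `sudo`, and the proposed key-restricted regex tagging both sudo events and nothing else. Any real transform change should still be checked against a representative day of the actual `/var/log/secure` data before deployment, since other applications may use `TTY=`, `PWD=` or `USER=` pairs too.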