pC_mastersampamauthfailed2.md


Parser Content

{
# Identity and routing keys for the parser that handles failed MasterSAM PAM logins.
Name = mastersam-pam-auth-failed-2
  # Events selected by this entry are labelled as failed authentications.
  DataType = "authentication-failed"
  # Triple quotes keep the text verbatim: the literal carries a leading and a
  # trailing space and has no space between "Activity:" and "login_fail".
  # NOTE(review): presumably tested as a plain substring of the raw event - confirm.
  # The {activity} pattern in Fields tolerates whitespace after "Activity:"
  # (\s{0,100}) but this literal does not, so an event written as
  # "Activity: login_fail" would not be selected and the failed login would
  # not reach any rule that depends on this parser.
  Conditions = [ """ Activity:login_fail """ ]

# Vendor metadata and field-extraction patterns for MasterSAM PAM events.
# Each Fields entry is a regular expression; a group written ({name}...)
# appears to name the field that the matched text is stored in.
# Most quantifiers are bounded ({1,2000}, {0,100}), which caps how far a
# pattern can scan on a very long or malformed line.
mastersam-pam-events = {
  Vendor = MasterSAM
  Product = MasterSAM PAM
  Lms = Direct
  # NOTE(review): this format has exactly three fractional-second digits, while
  # the {time} pattern below accepts 1 to 100 - confirm how other lengths parse.
  TimeFormat = "yyyy-MM-dd HH:mm:ss.SSS"
  Fields = [
    # {host}: run of word characters, '-' and '.' that precedes "Event Time:";
    # {time}: the timestamp that follows it.
    """({host}[\w\-.]{1,2000})\s{1,100}Event Time:\s{0,100}({time}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\.\d{1,100})""",
    # {domain} is optional and must be followed by one or more backslashes;
    # {user} and {domain} are runs containing no backslash and no whitespace.
    # On a failed login this is whatever account text was submitted, so
    # downstream consumers should treat it as untrusted input.
    """\WUser:\s{0,100}(({domain}[^\\\s]{1,2000})\\+)?({user}[^\\\s]{1,2000})""",
    # {dest_host}: value of name=. The trailing \s{1,100} is required even in
    # front of $, so a value that ends the event with no whitespace after it
    # is not captured. protocol=, status= and failed_message= use the same tail.
    """\Wname=({dest_host}[\w\-.]{1,2000})\s{1,100}(\w+=|$)""",
    # {dest_ip}: any run of hex digits, ':' and '.'; the pattern does not check
    # that the text is a well-formed IPv4 or IPv6 address.
    """\Whost=({dest_ip}[A-Fa-f:\d.]{1,2000})""",
    # {protocol}, {outcome}, {failure_reason}: lazy match up to whitespace that
    # is followed by the next key= or the end of the text.
    # NOTE(review): .+? has no upper bound, unlike the bounded quantifiers used
    # elsewhere in this list - consider a bounded form for consistency.
    """\Wprotocol=({protocol}.+?)\s{1,100}(\w+=|$)""",
    """\Wstatus=({outcome}.+?)\s{1,100}(\w+=|$)""",
    """\Wfailed_message=({failure_reason}.+?)\s{1,100}(\w+=|$)""",
    # {activity}: text between "Activity:" and the whitespace before "User:".
    """\WActivity:\s{0,100}({activity}.+?)\s{1,100}User:""",
  # NOTE(review): the "]" that closes Fields is not present in this listing, and
  # only one of the two open braces is closed below - the text looks truncated;
  # check it against the upstream file before loading it.
  
}