

@kmadac
Created July 29, 2014 12:54
Data ONTAP 7-Mode audit log regexp
\w{3}\s{1,2}\d{1,2} \d\d:\d\d:\d\d (\w+) \[.+?\]: (\w+)@\[(.+)_\d+\]:IN:ssh2 shell:(SSH INPUT COMMAND is )?(.+)

Groups: 1 = filer hostname, 2 = user, 3 = source IP (the `_\d+` that follows is the client port), 4 = the optional `SSH INPUT COMMAND is ` prefix, 5 = the command. Two fixes against the original pattern: the hostname group was written `(\w)+`, which captures only the last character of the name, so it is now `(\w+)`; and the prefix group is `?` instead of `*`, since it occurs at most once. The pattern only matches interactive `IN:ssh2 shell:` lines; the bracketed tag (`rshd_0`, `telnet_0`) does not identify the transport, as the examples below show.
### Example log lines:
Jul 29 09:48:39 filer1 [rshd_0: debug]: user@[10.229.144.23_46673]:IN:ssh2 shell:SSH INPUT COMMAND is rdfile /etc/rc
Jul 29 10:14:23 filer2 [telnet_0: debug]: user@[10.229.144.23_47147]:IN:ssh2 shell:ping 10.10.10.10
Jul 29 10:15:08 filer3 [filer3: rshd_0:debug]: user@[10.229.144.23_39181]:IN:ssh2 shell:SSH INPUT COMMAND is snapvault status
Jul 4 12:45:11 filer4 [filer4: rshd_0:debug]: user@[10.229.144.25_34672]:IN:ssh2 shell:SSH INPUT COMMAND is ifstat e4b
### Use in grep:
grep -P '\w{3}\s{1,2}\d{1,2} \d\d:\d\d:\d\d (\w+) \[.+?\]: (\w+)@\[(.+)_\d+\]:IN:ssh2 shell:(SSH INPUT COMMAND is )?(.+)' auditlog
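The grep one-liner only tells you which lines match. To actually use the audit log for detection you want the fields pulled out into records you can pivot on. The following is an added example, not part of the gist: the same pattern with named groups (hostname group fixed to `(\w+)`, prefix made non-capturing), run over the four lines from the gist plus one constructed non-shell line that must not match. The `SENSITIVE_PREFIXES` watch-list is a hypothetical choice for illustration, not a NetApp recommendation.

```python
import re

# Gist pattern with named groups. Hostname group is (\w+) rather than (\w)+
# so the whole name is captured; the "SSH INPUT COMMAND is " prefix is
# non-capturing and optional, so "cmd" always holds the bare command.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s{1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<filer>\w+) "
    r"\[(?P<tag>.+?)\]: "
    r"(?P<user>\w+)@\[(?P<src>.+)_(?P<port>\d+)\]:"
    r"IN:ssh2 shell:"
    r"(?:SSH INPUT COMMAND is )?(?P<cmd>.+)$"
)

# Constructed sample input: the four lines from the gist plus one
# non-shell line (made up) that the pattern must reject.
SAMPLE_LOG = """\
Jul 29 09:48:39 filer1 [rshd_0: debug]: user@[10.229.144.23_46673]:IN:ssh2 shell:SSH INPUT COMMAND is rdfile /etc/rc
Jul 29 10:14:23 filer2 [telnet_0: debug]: user@[10.229.144.23_47147]:IN:ssh2 shell:ping 10.10.10.10
Jul 29 10:15:08 filer3 [filer3: rshd_0:debug]: user@[10.229.144.23_39181]:IN:ssh2 shell:SSH INPUT COMMAND is snapvault status
Jul 4 12:45:11 filer4 [filer4: rshd_0:debug]: user@[10.229.144.25_34672]:IN:ssh2 shell:SSH INPUT COMMAND is ifstat e4b
Jul 29 10:16:00 filer4 [filer4: kern.notice]: constructed non-shell line, must not match
"""

# Hypothetical watch-list of commands that read or change filer config.
SENSITIVE_PREFIXES = ("rdfile", "wrfile", "options", "useradmin", "priv set")


def parse_line(line):
    """Return a dict of fields for an ssh2 shell audit line, or None if it does not match."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    """Parse every line of an audit log, dropping lines the pattern rejects."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def sensitive(records):
    """Records whose command starts with a watch-listed prefix."""
    return [r for r in records if r["cmd"].startswith(SENSITIVE_PREFIXES)]


def by_source(records):
    """Count shell commands per (user, source IP): a cheap pivot for spotting an unusual origin."""
    counts = {}
    for r in records:
        key = (r["user"], r["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in sensitive(recs):
        print(f"{r['ts']} {r['filer']} {r['user']}@{r['src']}: {r['cmd']}")
    for (user, src), n in by_source(recs).items():
        print(f"{user}@{src}: {n} command(s)")
```

Run against a real audit log with `parse_log(open("auditlog").read())`. If only the bare command is wanted at the shell, `grep -Po 'IN:ssh2 shell:(SSH INPUT COMMAND is )?\K.+' auditlog` does the same thing as the `cmd` group.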