haf/gist:d30ea2c1862b507ef51c

## gistfile1.txt
USERNAME ([a-zA-Z0-9\._-]+)
TAG      ([a-zA-Z0-9\._-]+)


type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_audid} ses=%{NUMBER:audit_session} subj=%{WORD:audit_se_user}:%{WORD:audit_se_role}:%{WORD:audit_se_type}:%{USERNAME:audit_se_mls}:%{TAG:audit_se_tags} msg='op=%{WORD:audit_sshd_op} acct="%{USERNAME:audit_sshd_user}" exe="%{PATH:audit_sshd_path}" hostname=%{NOTSPACE:audit_sshd_hostname} addr=%{IP:audit_sshd_ip} terminal=%{WORD:audit_sshd_terminal} res=%{WORD:audit_sshd_result}'
	USERNAME ([a-zA-Z0-9\._-]+)
	TAG ([a-zA-Z0-9\._-]+)



	type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_audid} ses=%{NUMBER:audit_session} subj=%{WORD:audit_se_user}:%{WORD:audit_se_role}:%{WORD:audit_se_type}:%{USERNAME:audit_se_mls}:%{TAG:audit_se_tags} msg='op=%{WORD:audit_sshd_op} acct="%{USERNAME:audit_sshd_user}" exe="%{PATH:audit_sshd_path}" hostname=%{NOTSPACE:audit_sshd_hostname} addr=%{IP:audit_sshd_ip} terminal=%{WORD:audit_sshd_terminal} res=%{WORD:audit_sshd_result}'