The only way I could extract the user names and 'from' IP addresses was to use a few temp files, split up by 'Failed keyboard-interactive' and 'Failed password'.
Does anyone have any idea how to do this all in one go?
aaa.bbb.ccc.ddd 2009-03-23 01:28:33 sshd[16272]: Failed keyboard-interactive/pam for invalid user jkljlkjlj from 111.222.333.444 port 52095 ssh2
aaa.bbb.ccc.ddd 2009-03-23 03:33:10 sshd[16648]: Failed password for invalid user oracle from 222.333.444.555 port 29093 ssh2
aaa.bbb.ccc.ddd 2009-03-23 05:23:53 sshd[17589]: Failed password for root from 333.444.555.666 port 59095 ssh2
Ideally, I am looking at the following columns:
Timestamp UserName SourceIP
From both of these 2 types of authentication log entries.
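
One way to get those three columns in a single pass, as an added example that is not part of the original post. It assumes the layout of the sample lines above (host, date, time, then the sshd message); the function names and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: one awk pass over both failure types, no temp files.
# Output is tab-separated: Timestamp, UserName, SourceIP.

extract_failed_logins() {
  awk '
    # Both entry types have the same shape after the method name.
    match($0, / sshd\[[0-9]+\]: Failed (password|keyboard-interactive\/pam) for /) {
      ts   = $2 " " $3                      # date and time fields
      rest = substr($0, RSTART + RLENGTH)   # "[invalid user ]NAME from IP port N ssh2"
      sub(/^invalid user /, "", rest)
      # The user name is client-supplied and may contain spaces, so find
      # the trailing " from <ip> port <n>" rather than counting fields.
      if (!match(rest, / from [^ ]+ port [0-9]+( ssh2)?$/)) next
      user = substr(rest, 1, RSTART - 1)
      split(substr(rest, RSTART + 6), tail, " ")
      printf "%s\t%s\t%s\n", ts, user, tail[1]
    }
  '
}

# First three lines are from the post; the last two are constructed.
sample_log() {
  cat <<'EOF'
aaa.bbb.ccc.ddd 2009-03-23 01:28:33 sshd[16272]: Failed keyboard-interactive/pam for invalid user jkljlkjlj from 111.222.333.444 port 52095 ssh2
aaa.bbb.ccc.ddd 2009-03-23 03:33:10 sshd[16648]: Failed password for invalid user oracle from 222.333.444.555 port 29093 ssh2
aaa.bbb.ccc.ddd 2009-03-23 05:23:53 sshd[17589]: Failed password for root from 333.444.555.666 port 59095 ssh2
aaa.bbb.ccc.ddd 2009-03-23 05:30:00 sshd[17590]: Accepted password for alice from 192.0.2.10 port 40100 ssh2
aaa.bbb.ccc.ddd 2009-03-23 06:00:00 sshd[17600]: Failed password for invalid user admin from 1.2.3.4 from 198.51.100.7 port 40000 ssh2
EOF
}

sample_log | extract_failed_logins
```

The tab separator keeps a user name that contains spaces in a single column; the "Accepted" line is skipped because it matches neither failure type.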