It's a log file contained lines like this
...
Mar 1 03:34:24 domain sshd[19178]: Failed password for root from 222.186.55.230 port 3005 ssh2
...
I would like to put in array every line where user fail and in other array lines where user succeed Lines started with xxx=Failed or succeed till yyy=ssh2 so then I could get ip from both array with:
preg_match_all("/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/", $securelogfile, $matches);
and get the difference ip in a new array. I'm terrible at regex what I was trying is just wasting my time.
Answering my question as @ThomasKilian did . I use for failed:
preg_match_all("/^(\b(Failed)\b\s+)(\w+ +){4}((\d+\.){3}\d+)( +\w+){3}/", $securelogfile, $matches);
for Failed log lines and:
preg_match_all("/^(\b(Success)\b\s+)(\w+ +){4}((\d+\.){3}\d+)( +\w+){3}/", $securelogfile, $matches);
Keep in mind that first {4} indicate 4 words counting after "Failed or Succeed"
That give arrays where I should I should get clean IPs and then get the difference.