I would like to parse pam files with the following two examples and look for deny configuration.
auth required pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
auth required pam_faillock.so authsucc even_deny_root unlock_time=1200
The pattern should match both lines:
1 Line Match should return group1 "deny=4" and group2 "4"
2 Line Match should return empty group1 and empty group2
(^auth\s+required\s+pam_faillock\.so).*?(?(1) (deny\=(\d+))|(.*))
You can use
^auth\s+required\s+pam_faillock\.so\s(?|.*?(deny=(\d*))|()())?
Details:
^auth\s+required\s+pam_faillock\.so - auth required pam_faillock.so string where the spaces can be one or many\s - a single whitespace(?|.*?(deny=(\d*))|()())? - an optional branch reset group that matches
.*?(deny=(\d*)) - any zero or more chars other than line break chars as few as possible, then a Group 1 that captures deny= + zero or more digits that are themselves captured into Group 2| - or()() - Group 1 and 2 that contain empty strings.See the regex demo.