^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: pam_krb5\(su:auth\): user [._[:alnum:]-]+ authenticated as [._[:alnum:]-]+@[.A-Z]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: (\+|-) (/dev/)?(pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [._[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: pam_[[:alnum:]]+\(su(-l)?:session\): session opened for user [._[:alnum:]-]+(\(uid=[[:digit:]]+\))? by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: pam_[[:alnum:]]+\(su(-l)?:session\): session closed for user [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: \+ \?\?\? root:[_[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: Successful su for [._[:alnum:]-]+ by [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: pam_authenticate: Authentication failure$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su: \(to [._[:alnum:]-]+\) [._[:alnum:]-]+ on (none|pts/[0-9]{1,2})$
