^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: (\+|-) (/dev/)?(pts/[0-9]{1,2}|tty[0-9]) [._[:alnum:]-]+:[._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: Successful su for [._[:alnum:]-]+ by [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [._[:alnum:]-]+ by ([._[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: \+ \?\?\? root:[._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: pam_[[:alnum:]]+\(su(-l)?:session\): session closed for user [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: pam_[[:alnum:]]+\(su(-l)?:session\): session opened for user [._[:alnum:]-]+(\(uid=[[:digit:]]+\))? by ([._[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su(\[[0-9]+\])?: pam_authenticate: Authentication failure$
