Correction to my email: I meant rule 5503.

On Thu, May 6, 2010 at 2:33 PM, Nicholas Ritter <[email protected]> wrote:

> Has anyone noticed issues with OSSEC 2.4.1 when alerting on SU related
> events from Linux based hosts? Our Solaris boxes are fine, but I noticed
> that when an SU session (say su to root) on a linux box occurs, an alert is
> tripped (rule id 5303) but something doesn't seem right because 5303 is a
> successful change UID to root rule, but this is a failure. I think the regex
> might be to blame because the first regex for the rule is not in the log
> entry, but the second regex appears to match.
>
> Anyone else seeing this?
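The diagnostic the poster describes, checking which of a rule's patterns actually matches a given su log line, can be reproduced offline before touching a live ruleset. The script below is an added example, not part of the original thread and not OSSEC's own rule definitions or matching engine: the sample syslog lines are constructed to resemble typical Linux `su` output, the header-stripping step and the "any pattern fires the rule" semantics are assumptions made for this example, and the rule names and patterns are hypothetical. It shows how an over-broad second pattern can make a "successful su" rule fire on a failed attempt, and how a tighter pattern set separates the two cases.

```python
import re

# Constructed sample lines modeled on typical Linux syslog output for su.
# These are illustrative only; they are not taken from the original thread.
SAMPLE_LINES = {
    "failure": "May  6 14:20:01 host su: FAILED SU (to root) bob on pts/0",
    "success": "May  6 14:21:10 host su: (to root) bob on pts/0",
}

# Hypothetical rules for this example (not the real OSSEC 5303/5503 definitions).
# Each rule holds an ordered list of patterns; the rule is treated as firing when
# ANY pattern matches (assumed semantics for this illustration).
RULES = {
    # Too loose: pattern 2 also matches failed attempts because they contain
    # the literal text "to root" as well.
    "success_su_loose": [
        r"^su: \(to root\)",
        r"to root",
    ],
    # Tighter: both patterns describe only the successful-session shapes.
    "success_su_strict": [
        r"^su: \(to root\)",
        r"^su: pam_unix\(su:session\): session opened for user root",
    ],
    # Failed attempts, matched on their own distinct markers.
    "failed_su": [
        r"^su: FAILED SU",
        r"^su: pam_unix\(su:auth\): authentication failure",
    ],
}

# Assumed header shape: "<Mon> <day> <HH:MM:SS> <host> <message>".
_SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ (.*)$")


def message_body(line: str) -> str:
    """Strip the syslog timestamp and hostname so patterns see only the message.

    Assumption for this example: rule patterns are applied to the message part.
    Lines without a recognisable header are returned unchanged.
    """
    m = _SYSLOG_HEADER.match(line)
    return m.group(1) if m else line


def which_patterns_match(rule_name: str, line: str) -> list:
    """Return the indices of the rule's patterns that match the line.

    An empty list means the rule would not fire; a list that skips index 0
    means the rule fired on a later, possibly over-broad, pattern.
    """
    body = message_body(line)
    return [i for i, pat in enumerate(RULES[rule_name]) if re.search(pat, body)]


def rule_fires(rule_name: str, line: str) -> bool:
    """True when at least one of the rule's patterns matches."""
    return bool(which_patterns_match(rule_name, line))


def diagnose(line: str) -> dict:
    """Map every rule name to the pattern indices that match this line."""
    return {name: which_patterns_match(name, line) for name in RULES}


if __name__ == "__main__":
    for label, line in SAMPLE_LINES.items():
        print(f"{label}: {message_body(line)}")
        for rule_name, hits in diagnose(line).items():
            print(f"  {rule_name:18s} -> {hits}")
```

Running it prints, for the failure line, that `success_su_loose` matches only on pattern index 1 (the broad `to root` fragment) while `success_su_strict` does not match at all; that is exactly the "first regex absent, second regex matches" symptom worth checking for in any rule whose later patterns are less specific than its first.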
