Has anyone noticed issues with OSSEC 2.4.1 when alerting on SU-related events from Linux-based hosts? Our Solaris boxes are fine, but I noticed that when an SU session (say, su to root) on a Linux box occurs, an alert is tripped (rule id 5303), but something doesn't seem right, because 5303 is a successful change UID to root rule, but this is a failure. I think the regex might be to blame, because the first regex for the rule is not in the log entry, but the second regex appears to match.
Anyone else seeing this?
