Can you give us log samples?
On Thu, May 6, 2010 at 3:38 PM, Nicholas Ritter <[email protected]> wrote:
> I correct my email, I meant rule 5503.
>
> On Thu, May 6, 2010 at 2:33 PM, Nicholas Ritter <[email protected]> wrote:
>>
>> Has anyone noticed issues with OSSEC 2.4.1 when alerting on SU-related
>> events from Linux-based hosts? Our Solaris boxes are fine, but I noticed
>> that when an SU session (say su to root) on a Linux box occurs, an alert is
>> tripped (rule id 5303), but something doesn't seem right, because 5303 is a
>> successful change UID to root rule, but this is a failure. I think the regex
>> might be to blame, because the first regex for the rule is not in the log
>> entry, but the second regex appears to match.
>>
>> Anyone else seeing this?
>>
>
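To illustrate the failure mode described in the thread (a "successful su" rule firing on a failed su because one of its alternative patterns is too broad), here is an added example that is not part of the original thread and does not reproduce OSSEC's real rule regexes. The log lines are constructed in the shape Linux su/PAM normally logs, the rule names are only labelled "5303-like"/"5503-like" by analogy, and the first-match evaluation is a simplification of how a decoder/rule chain behaves.

```python
import re

# Constructed sample su log lines (assumed format, not taken from the thread):
# two lines from a successful su to root, two from a failed attempt.
SAMPLE_LOGS = [
    "May  6 14:31:02 host su: (to root) nick on pts/0",
    "May  6 14:31:02 host su[2201]: pam_unix(su:session): session opened for user root by nick(uid=1000)",
    "May  6 14:32:10 host su: FAILED SU (to root) nick on pts/0",
    "May  6 14:32:10 host su[2215]: pam_unix(su:auth): authentication failure; logname=nick uid=1000 euid=0 tty=pts/0 ruser=nick rhost=  user=root",
]

# Loose rule set: the success rule's second alternative "(to root)" also occurs
# inside "FAILED SU (to root)", so a failed su is reported as a success.
LOOSE_RULES = [
    ("5303-like success", re.compile(r"session opened for user root|\(to root\)")),
    ("5503-like failure", re.compile(r"FAILED SU|authentication failure")),
]

# Tightened rule set: failure patterns are evaluated first, and the success
# alternative is anchored to the "su: (to root)" form so it cannot match the
# FAILED variant even if ordering changes.
STRICT_RULES = [
    ("5503-like failure", re.compile(r"FAILED SU|authentication failure")),
    ("5303-like success", re.compile(r"session opened for user root|su: \(to root\)")),
]

FAILURE_MARKERS = re.compile(r"FAILED SU|authentication failure")


def classify(line, rules):
    """Return the name of the first rule whose regex matches the line, else None."""
    for name, pattern in rules:
        if pattern.search(line):
            return name
    return None


def classify_all(lines, rules):
    return [classify(line, rules) for line in lines]


def misfires(lines, rules):
    """Lines that carry a failure marker but were classified as a success rule."""
    return [
        line for line in lines
        if FAILURE_MARKERS.search(line) and "success" in (classify(line, rules) or "")
    ]


if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        print(label, classify_all(SAMPLE_LOGS, rules), "misfires:", len(misfires(SAMPLE_LOGS, rules)))
```

Running it shows the loose set tagging the "FAILED SU (to root)" line as a success, and the strict set placing every line under the intended rule.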
