Hi, I was wondering why the rule 5501 is always setting the user to "none" even though we can see it in the syslog message: "session opened for user root by (uid=0)"

** Alert 1286899055.442273: - pam,syslog,authentication_success,
2010 Oct 12 11:57:35 ossec->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Src IP: (none)
User: (none)
Oct 12 11:57:34 ossec sshd[2067]: pam_unix(sshd:session): session opened for user root by (uid=0)

Thank you for your time

Eric
