Hi all,
I am trying to decode auditd messages using OSSEC on a RHEL6 host. To do this I
followed this howto:
http://securestate.blogspot.com/2010/09/getting-ossec-to-parse-auditd.html.
My local_decoder.xml file is:
<decoder name="auditd">
<prematch>type=\S+ msg=audit</prematch>
<regex offset="after_prematch">msg=</regex>
<regex>'PAM: \.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), addr=(\S+), terminal=(\S+) res=(\S+)\)'</regex>
<order>user, extra_data, srcip, dstip, id, status </order>
</decoder>
On my local_rules.xml, I put this:
<group name="local,syslog,">
<rule id="100001" level="7">
<decoded_as>auditd</decoded_as>
<user>root</user>
</rule>
</group>
And I configure ossec.conf to monitor /var/log/audit/audit.log file.
But it doesn't work ... In my audit.log I can't see the user=root param or similar.
For example, executing "sudo ls -la", I see this:
type=CRED_ACQ msg=audit(1293039242.348:130): user pid=14323 uid=0 auid=1000 ses=1 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=laptop.hpulabs.org addr=172.25.50.30 terminal=/dev/pts/3 res=success'
type=USER_START msg=audit(1293039242.349:131): user pid=14323 uid=0 auid=1000 ses=1 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=laptop.hpulabs.org addr=172.25.50.30 terminal=/dev/pts/3 res=success'
type=USER_END msg=audit(1293039242.349:132): user pid=14323 uid=0 auid=1000 ses=1 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=laptop.hpulabs.org addr=172.25.50.30 terminal=/dev/pts/3 res=success'
type=USER_CMD msg=audit(1293039242.349:133): user pid=14323 uid=0 auid=1000 ses=1 msg='cwd="/tmp/f/csf" cmd=2F62696E2F6C73202D6C61 terminal=pts/3 res=success'
Do I need to change user to acct in my local_rules.xml?
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
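To see why the rule never fires, here is an added example (not from the original post or from the OSSEC project) that runs the posted <prematch>/<regex> against the CRED_ACQ line above using a small approximation of OSSEC decoder regex syntax, then tries a regex written for the key=value layout the log actually shows. The OSSEC-to-Python escape translation and KEYVALUE_REGEX are my own assumptions, not OSSEC's real matcher.

```python
import re

# Constructed sample: the CRED_ACQ record from the post, as one audit.log line.
AUDIT_LINE = (
    "type=CRED_ACQ msg=audit(1293039242.348:130): user pid=14323 uid=0 auid=1000 ses=1 "
    "msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" hostname=laptop.hpulabs.org "
    "addr=172.25.50.30 terminal=/dev/pts/3 res=success'"
)

# The <regex> from the post: it expects "'PAM: ... (hostname=..., addr=...)'" formatting.
POSTED_REGEX = r"""'PAM: \.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), addr=(\S+), terminal=(\S+) res=(\S+)\)'"""
# Assumption: a regex for the "op=PAM:xxx acct=... exe=..." layout seen in the posted log.
KEYVALUE_REGEX = r"""'op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+) terminal=(\S+) res=(\S+)'"""
ORDER = ["user", "extra_data", "srcip", "dstip", "id", "status"]  # the post's <order>

# Assumption: approximate OSSEC escapes (\S non-space, \. any char, \( \) literal parens).
ESCAPES = {"S": r"\S", "s": r"\s", "d": r"\d", "w": r"\w", ".": ".", "(": r"\(", ")": r"\)"}

def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used above into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        elif c in "()":                  # bare parens are capture groups in OSSEC
            out.append(c)
            i += 1
        else:                            # quantifiers pass through, all else is literal
            out.append(c if c in "+*?" else re.escape(c))
            i += 1
    return "".join(out)

def decode(line, regex, prematch=r"type=\S+ msg=audit"):
    """Emulate the prematch gate, then the regex, mapping captures to <order> names."""
    if not re.search(ossec_to_python(prematch), line):
        return None
    m = re.search(ossec_to_python(regex), line)
    return dict(zip(ORDER, m.groups())) if m else None

if __name__ == "__main__":
    # Prematch passes, but the posted regex never matches this layout, so no fields
    # are decoded and <user>root</user> in the rule can never fire.
    print(decode(AUDIT_LINE, POSTED_REGEX))
    # The key=value regex decodes user=root, extra_data=/usr/bin/sudo, status=success.
    print(decode(AUDIT_LINE, KEYVALUE_REGEX))
```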