On Fri, 24 Jun 2011 08:50:08 -0700, Jeremy Lee wrote:
The other log I set this up for was the auditd logs. I Googled around and found someone who had already done this; however, it only seems to work with PAM enabled: http://blog.securestate.com/post/2010/09/03/Getting-OSSEC-To-Parse-Auditd.aspx
I have a very comprehensive auditd decoder that is just about ready. I'll post a link for people to check it out soon.
-- Michael Starks [I] Immutable Security http://www.immutablesecurity.com
