On Wed, 13 Jul 2011 14:54:48 -0700 (PDT), jplee3 wrote:
> Hey Michael,
> Thanks for doing this. So this is what I get when I run
> ossec-logtest:
>
> **Phase 1: Completed pre-decoding.
> full event: 'type=USER_ACCT msg=audit(1310592861.936:1222):
> user pid=24675 uid=0 auid=501 ses=188
> subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting
> acct="jplee3" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5
> res=success)''
> hostname: 'irprinfntp1'
> program_name: '(null)'
> log: 'type=USER_ACCT msg=audit(1310592861.936:1222): user
> pid=24675 uid=0 auid=501 ses=188
> subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting
> acct="jplee3" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5
> res=success)''
>
> **Phase 2: Completed decoding.
> decoder: 'auditd'
> action: 'USER_ACCT'
> id: '1222'
> extra_data: '/usr/bin/sudo'
> srcip: '?'
> status: 'success'
>
> I left out Phase 3 as I created an auditd based rule from the
> simplified decoder I created prior. I guess I'm just curious about the
> decoder that was identified in Phase 2. Shouldn't it have decoded my
> log message as auditd-user?
You're not seeing auditd-user because ossec-logtest doesn't show the
child decoder. It looks like it decoded it properly, but it would be
more useful with the user. What distro is this from? I would like to
compare this with my samples to see why I may not have decoded the user.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
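As an added illustration of what the thread is discussing (this is not code from the thread, nor OSSEC's own decoder logic), the script below parses the auditd USER_ACCT record from the ossec-logtest output above and maps it onto the field names ossec-logtest printed, adding the one field the poster was looking for: the user, taken from the inner acct="..." value. The regexes, the function names and the mapping of audit keys to OSSEC field names (exe to extra_data, addr to srcip, res to status, acct to user) are my own assumptions chosen to match the displayed output, not OSSEC's decoder definition; a malformed line returns None so a caller can tell "not an audit record" from "decoded without a user".

```python
import re

# Sample record, re-joined onto one line from the wrapped ossec-logtest
# output quoted in the thread above.
SAMPLE = (
    "type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 "
    "auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 "
    "msg='op=PAM:accounting acct=\"jplee3\" exe=\"/usr/bin/sudo\" "
    "(hostname=?, addr=?, terminal=pts/5 res=success)'"
)

# Record header: type=<ACTION> msg=audit(<epoch>.<ms>:<serial>): <body>
# (assumed layout, based on the sample line; not OSSEC's own regex)
HEADER_RE = re.compile(
    r"^type=(?P<action>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\):\s*(?P<body>.*)$"
)

# key=value tokens; a value is "double-quoted", 'single-quoted' or bare.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def _kv_pairs(text):
    """Yield (key, value) pairs; quotes are stripped and the trailing
    punctuation of the '(hostname=?, addr=?, ... res=success)' block is
    dropped from bare values."""
    for key, raw in KV_RE.findall(text):
        if raw[0] in "\"'":
            yield key, raw[1:-1]
        else:
            yield key, raw.rstrip(",)")


def decode_audit_event(line):
    """Flatten one auditd record into a dict of all its fields.

    The outer msg='...' value is parsed a second time so that the nested
    PAM fields (op, acct, exe, hostname, addr, terminal, res) land beside
    the outer ones (pid, uid, auid, ses, subj). Returns None if the line
    does not look like an audit record at all."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"action": m.group("action"),
              "id": m.group("id"),
              "timestamp": m.group("ts")}
    outer = dict(_kv_pairs(m.group("body")))
    inner = dict(_kv_pairs(outer.pop("msg", "")))
    fields.update(outer)
    fields.update(inner)
    return fields


def ossec_view(fields):
    """Project the flat record onto the names ossec-logtest printed for
    this event, plus 'user' from acct=, which is the value a child decoder
    would be expected to contribute. Field mapping is an assumption."""
    return {
        "action": fields.get("action"),
        "id": fields.get("id"),
        "user": fields.get("acct"),
        "extra_data": fields.get("exe"),
        "srcip": fields.get("addr"),
        "status": fields.get("res"),
    }


if __name__ == "__main__":
    decoded = decode_audit_event(SAMPLE)
    for name, value in ossec_view(decoded).items():
        print(f"{name}: '{value}'")
```

Run against the sample, the view reproduces the six values ossec-logtest showed (action USER_ACCT, id 1222, extra_data /usr/bin/sudo, srcip ?, status success) and adds user jplee3. Note that the "?" for hostname and addr is the literal text auditd wrote, which is why srcip came out as '?' in the thread's output; a rule keying on srcip for PAM accounting events from sudo will see that placeholder, not an address.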