On Wed, 13 Jul 2011 14:54:48 -0700 (PDT), jplee3 wrote:
> **Phase 2: Completed decoding.
> decoder: 'auditd'
> action: 'USER_ACCT'
> id: '1222'
> extra_data: '/usr/bin/sudo'
> srcip: '?'
> status: 'success'
I took a look at the decoder. Here's a version that will decode the
username for you: http://pastebin.com/UjzyvH46. Just replace the <!--
user-related --> section. I have to do some regression testing, but I
don't think it will break the other formats.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
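The decoded output above has no username because the decoder in that release does not pull the acct= field out of the nested msg='...' payload of an auditd USER_ACCT record. The script below is an added example, not the pastebin decoder from the message and not OSSEC's own code: it parses the two layers of key=value pairs in an audit record in Python and maps them onto the field names the logtest output uses. The sample records, the function names (parse_audit_record, decode_user_acct) and the pid/uid/session values are constructed for illustration. It also handles one caveat the pastebin version may not: auditd writes untrusted strings such as acct= as unquoted hex when they contain spaces or control characters, so a regex that only accepts acct="..." silently drops those users.

```python
import re

# Constructed sample records (not from the original thread). The event id,
# exe and res values mirror the decoded fields shown in the logtest output.
SAMPLE_LINE = (
    "type=USER_ACCT msg=audit(1310590488.123:1222): user pid=4242 uid=1000 "
    "auid=1000 ses=3 msg='op=PAM:accounting acct=\"jplee\" exe=\"/usr/bin/sudo\" "
    "hostname=? addr=? terminal=pts/0 res=success'"
)
# Same shape, but the account name contains a space, so auditd emits it as
# unquoted hex ("jp lee" -> 6A70206C6565). Also constructed.
SAMPLE_LINE_HEX = (
    "type=USER_ACCT msg=audit(1310590499.456:1223): user pid=4243 uid=1000 "
    "auid=1000 ses=3 msg='op=PAM:accounting acct=6A70206C6565 exe=\"/usr/bin/sudo\" "
    "hostname=? addr=10.0.0.5 terminal=pts/1 res=failed'"
)

# Outer header: type=... msg=audit(<seconds.millis>:<serial>): <rest>
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\):\s*(?P<rest>.*)$"
)
# One key=value pair; the value is single-quoted, double-quoted or a bare token.
_KV = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|\S+)")
# Fields auditd hex-encodes (unquoted) when they hold untrusted characters.
_HEX_FIELDS = {"acct", "exe", "comm", "proctitle", "cmd"}
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def _decode_value(key, raw):
    """Strip one layer of matching quotes, or hex-decode an unquoted untrusted field."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    if key in _HEX_FIELDS and len(raw) % 2 == 0 and _HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_audit_record(line):
    """Parse an auditd record into a flat dict, including the nested msg='...' payload."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an auditd record: %r" % line)
    fields = {"type": m.group("type"), "timestamp": m.group("ts"), "id": m.group("id")}
    for key, raw in _KV.findall(m.group("rest")):
        fields[key] = _decode_value(key, raw)
    # The msg='...' payload carries its own key=value pairs; flatten them in.
    inner = fields.pop("msg", None)
    if inner is not None:
        for key, raw in _KV.findall(inner):
            fields[key] = _decode_value(key, raw)
    return fields


def decode_user_acct(line):
    """Map a parsed record onto the field names used by the OSSEC logtest output."""
    f = parse_audit_record(line)
    return {
        "action": f["type"],
        "id": f["id"],
        "user": f.get("acct"),        # the field missing from the original decode
        "extra_data": f.get("exe"),
        "srcip": f.get("addr"),
        "status": f.get("res"),
    }


if __name__ == "__main__":
    for line in (SAMPLE_LINE, SAMPLE_LINE_HEX):
        for k, v in decode_user_acct(line).items():
            print("%s: %r" % (k, v))
        print()
```

Only the msg='...' payload carries acct=, so a decoder that matches on the outer record alone can never expose the user; whatever regex you put in the user-related section has to reach inside that quoted block, and should accept both the quoted and the hex form if you care about alerting on odd account names.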