On 10/27/2011 04:50 AM, mikes wrote:

My decoder.xml for "audit":

<decoder name="auditd">
  <prematch>type=\S+ msg=audit</prematch>
  <!-- consecutive <regex> elements are joined into one pattern: msg='PAM: ... -->
  <regex offset="after_prematch">msg=</regex>
  <regex>'PAM: \.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), addr=(\S+), terminal=(\S+) res=(\S+)\)'</regex>
  <!-- the six capture groups map, in order, to these fields -->
  <order>user, extra_data, srcip, dstip, id, status</order>
</decoder>

Give my decoders a try since they will ultimately be in the release: https://bitbucket.org/mstarks01/ossec-hids-mstarks/changeset/88cfa486124d

Let me know if you have issues with the decoder and then we can look at the rules.
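An added harness for checking what the decoder above extracts before loading it into OSSEC: this Python is an added example, not code from the thread or from OSSEC, and it re-implements the prematch, after_prematch and order logic with Python's re on constructed sample lines (the OSSEC regex is translated by hand, so OSSEC's own engine may differ in edge cases).

```python
import re

# Hand translation of the OSSEC decoder into Python's re syntax.
# OSSEC's \S+ and \( map 1:1; OSSEC's \.+ ("one or more of any char") becomes .+
PREMATCH = re.compile(r"type=\S+ msg=audit")
# The decoder's two <regex> elements joined into a single pattern.
REGEX = re.compile(
    r"msg='PAM: .+ acct=\"(\S+)\" : exe=\"(\S+)\" "
    r"\(hostname=(\S+), addr=(\S+), terminal=(\S+) res=(\S+)\)'"
)
# <order> of the decoder: capture group i -> field ORDER[i]
ORDER = ["user", "extra_data", "srcip", "dstip", "id", "status"]


def decode_auditd(line):
    """Return the decoded fields as a dict, or None when the decoder does not fire.

    Mirrors OSSEC's flow: the prematch must hit first, then the regex is
    tried starting right after the prematch (offset="after_prematch").
    """
    pre = PREMATCH.search(line)
    if pre is None:
        return None
    m = REGEX.search(line, pre.end())
    if m is None:
        return None
    return dict(zip(ORDER, m.groups()))


# Constructed sample lines (hypothetical host and address), not real captures.
SAMPLE_OK = (
    "type=USER_AUTH msg=audit(1319710000.123:456): user pid=1234 uid=0 "
    "auid=4294967295 msg='PAM: authentication acct=\"alice\" : "
    "exe=\"/usr/sbin/sshd\" (hostname=host.example.com, addr=192.0.2.10, "
    "terminal=ssh res=failed)'"
)
# Newer auditd wording (op=PAM:... with no ": exe=" and no parentheses)
# is NOT matched by this decoder; running lines like this through the
# harness is how such a gap shows up before the rules are written.
SAMPLE_NEW_FORMAT = (
    "type=USER_AUTH msg=audit(1319710000.123:457): pid=1234 uid=0 "
    "auid=4294967295 msg='op=PAM:authentication acct=\"alice\" "
    "exe=\"/usr/sbin/sshd\" hostname=host.example.com addr=192.0.2.10 "
    "terminal=ssh res=failed'"
)

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_NEW_FORMAT):
        print(decode_auditd(line))
```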