Hi, all.
I have a log like this:
Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user bot by robert(uid=0)
and code like this:
<decoder name="pam">
<program_name></program_name>
<prematch>^pam_unix|^\(pam_unix\)</prematch>
</decoder>
<decoder name="pam-user">
<parent>pam</parent>
<prematch>^session \w+</prematch>
<regex offset="after_prematch">\.* for user (\S+)</regex>
<order>user</order>
</decoder>
but logtest sees:
**Phase 1: Completed pre-decoding.
full event: 'Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user bot by robert(uid=0)'
hostname: 'web001'
program_name: 'su'
log: 'pam_unix(su:session): session opened for user bot by robert(uid=0)'
**Phase 2: Completed decoding.
decoder: 'pam'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
*Rule 5500 matched.
*Trying child rules.
Trying rule: 5552 - PAM and gdm are not playing nicely.
Trying rule: 5503 - User login failed.
Trying rule: 5504 - Attempt to login with an invalid user.
Trying rule: 5501 - Login session opened.
*Rule 5501 matched.
*Trying child rules.
Trying rule: 5521 - Ignoring Annoying Ubuntu/debian cron login events.
Trying rule: 40101 - System user successfully logged to the system.
Trying rule: 40112 - Multiple authentication failures followed by a success.
Trying rule: 101008 - User successfully changed UID (su command).
*Rule 101008 matched.
*Trying child rules.
Trying rule: 101009 - User successfully changed UID (su command) to Public user.
**Phase 3: Completed filtering (rules).
Rule id: '101008'
Level: '8'
Description: 'User successfully changed UID (su command).'
**Alert to be generated.
Why does the child decoder not work? Why does it not match the user?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
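The following is an added example, not part of the original post and not OSSEC's own code: a small Python model of how ossec-analysisd walks parent and child decoders, loaded from the decoder XML exactly as posted and from a corrected version, and run over the log line from the post plus two constructed PAM lines. It assumes the matching order used by OSSEC's decoder logic (a child <prematch> with no offset is tested against the whole log text that follows program_name, offset="after_parent" starts it where the parent's prematch ended, and offset="after_prematch" on <regex> starts where the child's prematch ended) and approximates OSSEC's regex dialect with Python's re. The sample lines LOG_OLD and LOG_AUTH, the <decoders> wrapper element, and the function names are assumptions of this example.

```python
"""Added example (not OSSEC code): model of OSSEC parent/child decoder matching.

Simplifications: OSSEC's regex dialect is approximated with Python's re, where
"\\." (OSSEC: any character) becomes "."; ^, \\w, \\S, \\(, \\) and (...) map
directly. Decoder XML is wrapped in a <decoders> root only so ElementTree can
parse it; a real decoder file has no root element.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# The line from the post, plus two constructed lines for comparison.
LOG_NEW = "pam_unix(su:session): session opened for user bot by robert(uid=0)"
LOG_OLD = "(pam_unix) session opened for user root by (uid=0)"   # older PAM syslog format
LOG_AUTH = ("pam_unix(su:auth): authentication failure; logname=robert uid=1000 "
            "euid=0 tty=pts/1 ruser=robert rhost=  user=root")   # no session, no user field expected

# The decoders exactly as posted.
ORIGINAL_XML = r"""<decoders>
<decoder name="pam">
  <program_name></program_name>
  <prematch>^pam_unix|^\(pam_unix\)</prematch>
</decoder>
<decoder name="pam-user">
  <parent>pam</parent>
  <prematch>^session \w+</prematch>
  <regex offset="after_prematch">\.* for user (\S+)</regex>
  <order>user</order>
</decoder>
</decoders>"""

# Same decoders, but the child prematch is anchored on text that really is at
# the start of the line: "pam_unix(<service>:session): session ..." for current
# PAM, "(pam_unix) session ..." for the older format. The regex is unchanged.
FIXED_XML = r"""<decoders>
<decoder name="pam">
  <program_name></program_name>
  <prematch>^pam_unix|^\(pam_unix\)</prematch>
</decoder>
<decoder name="pam-user">
  <parent>pam</parent>
  <prematch>^pam_unix\(\w+:session\): session \w+|^\(pam_unix\) session \w+</prematch>
  <regex offset="after_prematch">\.* for user (\S+)</regex>
  <order>user</order>
</decoder>
</decoders>"""


def load_decoders(xml_text: str) -> List[Dict]:
    """Read <decoder> elements into dicts: name, parent, prematch[_offset], regex[_offset], order."""
    decoders = []
    for el in ET.fromstring(xml_text).findall("decoder"):
        d: Dict = {"name": el.get("name")}
        for tag in ("parent", "prematch", "regex"):
            node = el.find(tag)
            if node is not None:
                d[tag] = node.text or ""
                if node.get("offset"):
                    d[tag + "_offset"] = node.get("offset")
        order = el.find("order")
        if order is not None:
            d["order"] = [f.strip() for f in order.text.split(",")]
        decoders.append(d)
    return decoders


def ossec_match(pattern: str, log: str, start: int) -> Optional[re.Match]:
    """Apply an OSSEC-style pattern to log[start:]: '^' anchors at `start`,
    a pattern without '^' is searched forward."""
    return re.compile(pattern.replace(r"\.", ".")).search(log[start:])


def decode(log: str, decoders: List[Dict]) -> Dict:
    """Return the winning decoder and extracted fields, like ossec-logtest's phase 2."""
    by_parent: Dict[Optional[str], List[Dict]] = {}
    for d in decoders:
        by_parent.setdefault(d.get("parent"), []).append(d)

    for parent in by_parent.get(None, []):
        pm = ossec_match(parent["prematch"], log, 0)
        if pm is None:
            continue
        pmatch = pm.end()                         # where the parent's prematch ended
        result = {"decoder": parent["name"], "fields": {}}
        for child in by_parent.get(parent["name"], []):
            base = pmatch if child.get("prematch_offset") == "after_parent" else 0
            cm = ossec_match(child["prematch"], log, base)
            if cm is None:
                continue                          # child prematch failed: try the next child
            cmatch = base + cm.end()
            result["decoder"] = child["name"]
            if "regex" in child:
                regex_base = {"after_prematch": cmatch, "after_parent": pmatch}.get(
                    child.get("regex_offset"), 0)
                rm = ossec_match(child["regex"], log, regex_base)
                if rm is not None:
                    result["fields"] = dict(zip(child["order"], rm.groups()))
            break
        return result
    return {"decoder": None, "fields": {}}


if __name__ == "__main__":
    for label, xml_text in (("original", ORIGINAL_XML), ("fixed", FIXED_XML)):
        decs = load_decoders(xml_text)
        for log in (LOG_NEW, LOG_OLD, LOG_AUTH):
            print(f"{label:8s} {decode(log, decs)}   <- {log[:40]}")
```

Running the model on the posted decoders reproduces the logtest output: the parent prematch `^pam_unix` matches, but the child prematch `^session \w+` is anchored with `^` and is tested against text that begins with `pam_unix(su:session): `, so "session" is never at the position the anchor requires, the child is skipped, and logtest stops at decoder 'pam' with no user field. The corrected child prematch anchors on the prefix that actually starts the line, and the unchanged `\.* for user (\S+)` regex then runs from the end of that match and yields user=bot (and user=root for the older `(pam_unix)` format, and nothing for the auth-failure line). Because OSSEC's matcher is its own implementation rather than Python's re, confirm any decoder change with ossec-logtest before relying on it.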