On Thu, Nov 6, 2014 at 10:01 PM, <[email protected]> wrote:
> but "pam-user" is a child decoder of "pam", and the "pam" decoder prematches "pam_unix"
>

What does that even mean?

I explained the issue, and hinted at a fix. Was that not enough?

Here:

<decoder name="pam-user">
  <parent>pam</parent>
  <prematch offset="after_parent"> session \w+</prematch>
  <regex offset="after_prematch"> for user (\S+)</regex>
  <order>user</order>
</decoder>

Of course this is untested. If you need me to do that too, just let me know.

> On Thursday, November 6, 2014 6:07:39 PM UTC+8, [email protected] wrote:
>>
>> Hi, all
>>
>> I have a log like this:
>>
>> Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user bot by robert(uid=0)
>>
>> and code like this:
>>
>> <decoder name="pam">
>>   <program_name></program_name>
>>   <prematch>^pam_unix|^\(pam_unix\)</prematch>
>> </decoder>
>>
>> <decoder name="pam-user">
>>   <parent>pam</parent>
>>   <prematch>^session \w+</prematch>
>>   <regex offset="after_prematch">\.* for user (\S+)</regex>
>>   <order>user</order>
>> </decoder>
>>
>> but logtest shows:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user bot by robert(uid=0)'
>>        hostname: 'web001'
>>        program_name: 'su'
>>        log: 'pam_unix(su:session): session opened for user bot by robert(uid=0)'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pam'
>>
>> **Rule debugging:
>>     Trying rule: 1 - Generic template for all syslog rules.
>>        *Rule 1 matched.
>>        *Trying child rules.
>>     Trying rule: 5500 - Grouping of the pam_unix rules.
>>        *Rule 5500 matched.
>>        *Trying child rules.
>>     Trying rule: 5552 - PAM and gdm are not playing nicely.
>>     Trying rule: 5503 - User login failed.
>>     Trying rule: 5504 - Attempt to login with an invalid user.
>>     Trying rule: 5501 - Login session opened.
>>        *Rule 5501 matched.
>>        *Trying child rules.
>>     Trying rule: 5521 - Ignoring Annoying Ubuntu/debian cron login events.
>>     Trying rule: 40101 - System user successfully logged to the system.
>>     Trying rule: 40112 - Multiple authentication failures followed by a success.
>>     Trying rule: 101008 - User successfully changed UID (su command).
>>        *Rule 101008 matched.
>>        *Trying child rules.
>>     Trying rule: 101009 - User successfully changed UID (su command) to Public user.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '101008'
>>        Level: '8'
>>        Description: 'User successfully changed UID (su command).'
>> **Alert to be generated.
>>
>> Why does the child decoder not work? Why does it not match user?

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
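An added example, not code from the thread or from OSSEC itself: a small Python emulation of how ossec-analysisd walks a parent decoder and its child with the offset settings from decoder.xml (none, after_parent, after_prematch), run over the log line from the thread. The two decoder dictionaries transcribe the posted decoder and the reply's suggested one. The OSSEC-to-Python regex translation, the `decode` helper and the second sample line are constructed for this example and only cover the escapes these decoders use; ossec-logtest remains the authoritative check for a real decoder.

```python
import re

# Constructed samples. The first is the "log" field ossec-logtest printed in the thread
# (syslog header and program_name "su:" already stripped); the second is a constructed
# line in the older "(pam_unix)" form that the parent's alternation also accepts.
SAMPLE_LOG = "pam_unix(su:session): session opened for user bot by robert(uid=0)"
SAMPLE_LOG_OLD = "(pam_unix) session closed for user bot"

# OSSEC regex -> Python regex. Assumption: only the escapes used in decoder patterns are
# handled; OSSEC's \w also admits '-', '@' and '_', \s is a single space, \. is any char.
_ESCAPES = {"S": r"\S", "w": r"[A-Za-z0-9_@-]", "d": r"\d", "s": " ", ".": ".",
            "(": r"\(", ")": r"\)", "|": r"\|"}


def ossec_to_python(pattern):
    """Translate an OSSEC-style pattern into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            # ^ $ * + | ( ) keep their meaning; everything else is literal in OSSEC.
            out.append(c if c in "^$*+|()" else re.escape(c))
            i += 1
    return "".join(out)


def _search(pattern, log, start):
    """Search from absolute position `start`; return (match, absolute end) or None."""
    m = re.search(ossec_to_python(pattern), log[start:])
    return None if m is None else (m, start + m.end())


def decode(parent, child, log):
    """Emulate the parent -> child decoder walk.

    Returns (name of the deepest decoder that matched, extracted fields).
    Offsets follow decoder.xml semantics: no offset means "from the start of the
    log"; after_parent means "after the text the parent's prematch consumed";
    after_prematch means "after the text this decoder's own prematch consumed".
    """
    hit = _search(parent["prematch"], log, 0)
    if hit is None:
        return None, {}
    _, parent_end = hit
    start = parent_end if child.get("prematch_offset") == "after_parent" else 0
    hit = _search(child["prematch"], log, start)
    if hit is None:
        return parent["name"], {}          # child prematch failed: only "pam" decodes
    _, prematch_end = hit
    start = {"after_prematch": prematch_end,
             "after_parent": parent_end}.get(child.get("regex_offset"), 0)
    hit = _search(child["regex"], log, start)
    if hit is None:
        return parent["name"], {}
    m, _ = hit
    return child["name"], dict(zip(child["order"], m.groups()))


PAM = {"name": "pam", "prematch": r"^pam_unix|^\(pam_unix\)"}

# The original poster's child decoder: "^session" is anchored at the start of the
# whole log, where "pam_unix(su:session):" sits, so the prematch never fires.
PAM_USER_POSTED = {"name": "pam-user", "prematch": r"^session \w+",
                   "regex": r"\.* for user (\S+)", "regex_offset": "after_prematch",
                   "order": ["user"]}

# The reply's suggested decoder: prematch starts after the parent's "pam_unix" match.
PAM_USER_SUGGESTED = {"name": "pam-user", "prematch": r" session \w+",
                      "prematch_offset": "after_parent",
                      "regex": r" for user (\S+)", "regex_offset": "after_prematch",
                      "order": ["user"]}

if __name__ == "__main__":
    for child in (PAM_USER_POSTED, PAM_USER_SUGGESTED):
        for log in (SAMPLE_LOG, SAMPLE_LOG_OLD):
            name, fields = decode(PAM, child, log)
            print(f"prematch_offset={child.get('prematch_offset')!s:13} "
                  f"decoder={name} fields={fields}")
```

Running it shows the behaviour in the logtest output above: with the posted decoder the walk stops at "pam" for both lines, because "^session" is tested against the beginning of the whole log rather than the text after "pam_unix"; with the suggested offset="after_parent" prematch, "pam-user" matches and yields user=bot.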
