I don't think it's possible at this time. You can get it to display the log entries though, which will give you that information.
On Thu, Oct 13, 2011 at 10:20 AM, Marco Bonetti <[email protected]> wrote:
> Hello all,
> I am taking a look at Ossec and I have to say I am very impressed by the tool
> right now.
> I'm trying to understand how the ossec-reportd works but I am a bit puzzled.
> Take for example rule 5303 (successful su for user root):
>
> # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f
> rule 5303
> ...
> Top entries for 'Username':
> ------------------------------------------------
> root |3 |
> ...
>
> reported 'Username' is "root" which is... well... not really useful :)
> However Ossec is able to understand who su-ed to root, because the decoder
> has this kind of information:
>
> # echo "Oct 13 11:22:33 ossec su[11171]: + /dev/pts/0 someone:root" |
> /var/ossec/bin/ossec-logtest
> ...
> **Phase 2: Completed decoding.
> decoder: 'su'
> srcuser: 'someone'
> dstuser: 'root'
> ...
>
> so, how could I access to decoder information like srcuser from the report
> tool?
>
> Thanks in advance,
> Marco
>
> --
> Marco Bonetti
> Tor research and other stuff: http://sid77.slackware.it/
> Slackintosh Linux Project Developer: http://workaround.ch/
> Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
>
> My GnuPG key id: 0x0B60BC5F
>
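Since the reply above says ossec-reportd can only show the raw log entries rather than decoder fields, one way to get the srcuser breakdown the question asks for is to post-process alerts.log directly. The script below is an added example, not code from the thread or from the OSSEC project. It assumes the classic alerts.log layout (an "** Alert" header line, a timestamp/location line, a "Rule:" line, then the raw log line, with alerts separated by blank lines) and parses the su message with the same src:dst field split the su decoder exposes as srcuser/dstuser. The sample alert data is constructed for the example.

```python
"""Recover the su 'srcuser' per rule 5303 hit by post-processing OSSEC alerts.log.

Added example, not part of the original thread or of OSSEC itself. Assumes the
classic alerts.log layout: '** Alert' header, timestamp/location line, 'Rule:'
line, then the raw event line, with blank lines between alerts.
"""
import re
from collections import Counter

# Constructed sample in the alerts.log layout described above (not real data).
SAMPLE_ALERTS = """\
** Alert 1318497753.1001: - syslog,su,authentication_success,
2011 Oct 13 11:22:33 ossec->/var/log/auth.log
Rule: 5303 (level 3) -> 'User successfully changed UID to root.'
Oct 13 11:22:33 ossec su[11171]: + /dev/pts/0 someone:root

** Alert 1318497800.1002: - syslog,su,authentication_success,
2011 Oct 13 11:23:20 ossec->/var/log/auth.log
Rule: 5303 (level 3) -> 'User successfully changed UID to root.'
Oct 13 11:23:20 ossec su[11190]: + /dev/pts/1 alice:root

** Alert 1318497850.1003: - syslog,su,authentication_failed,
2011 Oct 13 11:24:10 ossec->/var/log/auth.log
Rule: 5301 (level 5) -> 'User missed the password to change UID (user id).'
Oct 13 11:24:10 ossec su[11205]: - /dev/pts/1 bob:root

** Alert 1318497900.1004: - syslog,su,authentication_success,
2011 Oct 13 11:25:00 ossec->/var/log/auth.log
Rule: 5303 (level 3) -> 'User successfully changed UID to root.'
Oct 13 11:25:00 ossec su[11220]: + /dev/pts/0 someone:root
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.MULTILINE)
# Same src:dst split the su decoder reports as srcuser/dstuser in the thread.
SU_RE = re.compile(
    r"su\[\d+\]: [+-] (?P<tty>\S+) (?P<srcuser>[^:\s]+):(?P<dstuser>\S+)"
)


def parse_alerts(text):
    """Yield (rule_id, level, raw_log_line) for each alert block."""
    for block in text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l.strip()]
        if not lines or not lines[0].startswith("** Alert"):
            continue
        m = RULE_RE.search(block)
        if not m:
            continue
        # In this layout the raw event is the last line of the block.
        yield int(m.group(1)), int(m.group(2)), lines[-1]


def su_users_by_rule(text, rule_id):
    """Count (srcuser, dstuser) pairs over alerts that fired rule_id."""
    counts = Counter()
    for rid, _level, raw in parse_alerts(text):
        if rid != rule_id:
            continue
        m = SU_RE.search(raw)
        if m:
            counts[(m.group("srcuser"), m.group("dstuser"))] += 1
    return counts


def report(text, rule_id=5303):
    """Render a small table in the spirit of ossec-reportd's 'Top entries'."""
    counts = su_users_by_rule(text, rule_id)
    out = ["Top entries for 'srcuser -> dstuser' (rule %d):" % rule_id, "-" * 48]
    for (src, dst), n in counts.most_common():
        out.append("%-20s|%3d |" % ("%s -> %s" % (src, dst), n))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

On a real box the input would come from /var/ossec/logs/alerts/alerts.log; filtering on the rule id first keeps the su regex from ever touching unrelated events, and the (srcuser, dstuser) pair is what actually answers "who became root", which the Username column cannot.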
