On Thu, Nov 6, 2014 at 5:07 AM, <r...@cnmoker.org> wrote:
> Hi, all,
>
> I have a log like this:
>
> Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user bot by robert(uid=0)
>
> and code like this:
>
> <decoder name="pam">
>   <program_name></program_name>
>   <prematch>^pam_unix|^\(pam_unix\)</prematch>
> </decoder>
>
> <decoder name="pam-user">
>   <parent>pam</parent>
>   <prematch>^session \w+</prematch>
>   <regex offset="after_prematch">\.* for user (\S+)</regex>
>   <order>user</order>
> </decoder>
>
> but logtest shows:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 6 15:23:43 web001 su: pam_unix(su:session): session opened for user bot by robert(uid=0)'
>        hostname: 'web001'
>        program_name: 'su'
>        log: 'pam_unix(su:session): session opened for user bot by robert(uid=0)'

The log that OSSEC is looking at starts with "pam_unix" not "session." The "^" in your decoder's prematch is wrong.

> **Phase 2: Completed decoding.
>        decoder: 'pam'
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 5500 - Grouping of the pam_unix rules.
>        *Rule 5500 matched.
>        *Trying child rules.
>     Trying rule: 5552 - PAM and gdm are not playing nicely.
>     Trying rule: 5503 - User login failed.
>     Trying rule: 5504 - Attempt to login with an invalid user.
>     Trying rule: 5501 - Login session opened.
>        *Rule 5501 matched.
>        *Trying child rules.
>     Trying rule: 5521 - Ignoring Annoying Ubuntu/debian cron login events.
>     Trying rule: 40101 - System user successfully logged to the system.
>     Trying rule: 40112 - Multiple authentication failures followed by a success.
>     Trying rule: 101008 - User successfully changed UID (su command).
>        *Rule 101008 matched.
>        *Trying child rules.
>     Trying rule: 101009 - User successfully changed UID (su command) to Public user.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '101008'
>        Level: '8'
>        Description: 'User successfully changed UID (su command).'
> **Alert to be generated.
>
> Why does the child decoder not work? Why does it not match the user?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
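To make the reply's point concrete, here is a small Python model of the pre-decoding and parent/child prematch steps, run over the log line from the thread. It is an added example, not OSSEC's code and not from either poster; it assumes that, with no offset attribute on the child prematch, the child pattern is searched in the same log field the parent matched, so a leading ^ anchors it to the start of that field, and it translates only the small OSSEC regex subset used in the thread.

```python
import re

# Constructed sample: the exact line quoted in the thread.
LOG_LINE = ("Nov 6 15:23:43 web001 su: pam_unix(su:session): "
            "session opened for user bot by robert(uid=0)")

# Syslog pre-decoding (hostname, program_name, log), simplified model.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\s\[]+)(?:\[\d+\])?: (?P<log>.*)$")

# Decoder patterns copied from the poster's XML, plus the corrected child prematch.
PARENT_PREMATCH = r"^pam_unix|^\(pam_unix\)"
CHILD_PREMATCH_ANCHORED = r"^session \w+"      # as posted: anchored, fails
CHILD_PREMATCH_FIXED = r"session \w+"          # no '^': searched anywhere
CHILD_REGEX = r"\.* for user (\S+)"
ORDER = ["user"]


def to_python_regex(ossec_pattern):
    """Translate the OSSEC syntax used here ('\\.' = any character;
    '\\w', '\\S', '|', '^', groups are the same) into Python re syntax.
    Assumption: a simplified model, not OSSEC's regex engine."""
    return ossec_pattern.replace(r"\.", ".")


def predecode(line):
    """Phase 1: split the syslog line into the fields logtest prints."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(line, child_prematch):
    """Phase 2: parent prematch, then child prematch on the same 'log'
    field, then the child regex at offset after_prematch."""
    fields = predecode(line)
    if fields is None:
        return None
    log = fields["log"]
    if not re.search(to_python_regex(PARENT_PREMATCH), log):
        return {"decoder": None}
    pm = re.search(to_python_regex(child_prematch), log)
    if pm is None:
        return {"decoder": "pam"}   # child skipped: only the parent decoded
    rm = re.search(to_python_regex(CHILD_REGEX), log[pm.end():])
    result = {"decoder": "pam-user"}
    if rm:
        result.update(zip(ORDER, rm.groups()))
    return result
```

With the anchored prematch the model stops at decoder 'pam', exactly as the logtest output shows; without the anchor the child decoder matches and extracts user 'bot'.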