On Thu, Jun 21, 2018 at 3:28 PM, Mark M <[email protected]> wrote:
>
> I don't see anything in my rsyslog.conf that should affect local log format?
> Why might the decoder be failing?
>
> Jun 21 12:27:37 dactyl unix_chkpwd[4723]: password check failed for user (root)
> Jun 21 12:27:37 dactyl su: pam_unix(su-l:auth): authentication failure; logname=mmoorcro uid=853945932 euid=0 tty=pts/1 ruser=mmoorcro rhost= user=root
> Jun 21 12:27:37 dactyl su: pam_succeed_if(su-l:auth): requirement "uid >= 1000" not met by user "root"
>

I don't think it's anything you changed. Log messages change over time and sometimes by distro/OS. The log messages you're getting don't quite fit what we had seen previously.

> On Thursday, June 21, 2018 at 9:25:49 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Jun 20, 2018 at 8:24 PM, Mark M <[email protected]> wrote:
>> >
>> > I'm re-visiting my OSSEC rules today because failed su - root attempts
>> > (level 9) no longer fire or send email. You can see 5301 fires, but not
>> > 5302? This was working in the past on the same server.
>> >
>>
>> The `root` user isn't decoded in the provided log sample:
>> Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0'
>> hostname: 'dactyl'
>> program_name: 'su'
>> log: 'FAILED SU (to root) mmoorcro on pts/0'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'su'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '5301'
>> Level: '5'
>> Description: 'User missed the password to change UID (user id).'
>> **Alert to be generated.
>>
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
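The thread's diagnosis is that rule 5302 is chained on 5301 and additionally needs the decoded target user to be root, so when the distro's su log format changes and the decoder no longer extracts that user, the chain stops at 5301. The following Python script is an added illustration of that mechanism for this thread; it is not OSSEC's own code. The four log lines, the hostname dactyl, the user mmoorcro and the rule ids 5301/5302 are taken from the messages above; the regular expressions, the `FAILURE_RE` keyword rule and the simplified two-rule chain are assumptions of mine that approximate the three logtest phases.

```python
"""Miniature re-creation of the three ossec-logtest phases for su failures.

Added illustration for this thread, not OSSEC's own code: the sample lines,
hostname 'dactyl', user 'mmoorcro' and rule ids 5301/5302 come from the
thread; the regexes and the simplified rule chain are assumptions of mine.
"""
import re

# Constructed sample input: the four log lines quoted in the thread.
SAMPLE_LOGS = [
    "Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0",
    "Jun 21 12:27:37 dactyl su: pam_unix(su-l:auth): authentication failure; "
    "logname=mmoorcro uid=853945932 euid=0 tty=pts/1 ruser=mmoorcro rhost= user=root",
    "Jun 21 12:27:37 dactyl unix_chkpwd[4723]: password check failed for user (root)",
    'Jun 21 12:27:37 dactyl su: pam_succeed_if(su-l:auth): requirement "uid >= 1000" '
    'not met by user "root"',
]

# Phase 1: split the syslog header into timestamp, hostname, program_name and log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Phase 2: field extractors for the 'su' decoder (assumed shapes, not OSSEC's).
# The first is the classic "FAILED SU (to X) Y on ttyN" form; the second is the
# pam_unix form the thread's newer distro produces. Pass only the first one to
# reproduce the symptom from the thread: decoder 'su' matches, no user extracted.
SU_FAIL_PATTERNS = [
    re.compile(r"^FAILED SU \(to (?P<dstuser>\S+)\) (?P<srcuser>\S+) on \S+"),
    re.compile(r"^pam_unix\(su[-\w]*:auth\): authentication failure;"
               r".* ruser=(?P<srcuser>\S*) .*user=(?P<dstuser>\S+)"),
]

# Phase 3: keywords that the su-failure rule keys on (simplified assumption).
FAILURE_RE = re.compile(r"FAILED SU|authentication failure")


def predecode(line):
    """Phase 1: return the syslog header fields, or None for a malformed line."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(event, patterns=SU_FAIL_PATTERNS):
    """Phase 2: return decoded fields for program 'su', or None if no decoder applies.

    Mirrors the thread's logtest output: the decoder name is set as soon as the
    program name matches, but srcuser/dstuser appear only when a pattern fits.
    """
    if event["prog"] != "su":
        return None
    fields = {"decoder": "su"}
    for pat in patterns:
        m = pat.search(event["log"])
        if m:
            fields.update(m.groupdict())
            break
    return fields


def evaluate(line, patterns=SU_FAIL_PATTERNS):
    """Phase 3: return (rule_id, level) for the highest matching rule, or None.

    5301 (level 5) fires on any su failure; 5302 (level 9) is chained on 5301
    and additionally requires the decoded target user to be root. Without a
    decoded dstuser the chain stops at 5301, which is what the thread reports.
    """
    event = predecode(line)
    if event is None:
        return None
    fields = decode(event, patterns)
    if fields is None or not FAILURE_RE.search(event["log"]):
        return None
    if fields.get("dstuser") == "root":
        return ("5302", 9)
    return ("5301", 5)


if __name__ == "__main__":
    legacy_only = SU_FAIL_PATTERNS[:1]
    for line in SAMPLE_LOGS:
        print(line)
        print("  legacy pattern only   :", evaluate(line, legacy_only))
        print("  with pam_unix pattern :", evaluate(line))
```

Running it shows the two outcomes side by side: with only the legacy `FAILED SU` pattern the pam_unix line reaches 5301 but never 5302, exactly the symptom in the thread, while adding a pattern that extracts `user=root` from the pam_unix form lets the chain reach the level 9 rule again. The unix_chkpwd and pam_succeed_if lines produce no alert in either case, since the first is not from program su and the second carries none of the failure keywords.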
