Using the auditd decoder (auditd-syscall), with the following rule file:

<group name="syslog,">
<rule id="1111111" level="7">
<decoded_as>auditd</decoded_as>
<match>FOO</match>
</rule>
</group>

ALWAYS gives me at least one additional audit entry in the alert.

This frequently pukes with rule 1003 (non-standard syslog message, size too large).

I want to match any message in audit.log that contains the (audit key) 
key=FOO, and absolutely nothing else. 

Why am I getting at least 1 additional audit entry in this log, when it 
should only be the syscall entry?
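As an added example (not from the post and not OSSEC's decoder code), a small Python parser over a constructed audit.log excerpt: it groups records by the event serial inside msg=audit(ts:serial) and keeps only events whose SYSCALL record carries key="FOO", which makes visible that one audited syscall is logged as several records (SYSCALL, CWD, PATH, PROCTITLE) that all share that serial. The sample lines, serials and paths are constructed, and `syscall_lines_with_key` is a hypothetical helper that returns just the one line a match on the audit key is meant to hit.

```python
import re

# Constructed audit.log excerpt: one syscall event (serial 4242) tagged key="FOO",
# spread over four records, plus an unrelated event (serial 4243) tagged key="BAR".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=1234 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="FOO"
type=CWD msg=audit(1700000000.123:4242): cwd="/home/user"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=636174002F6574632F706173737764
type=SYSCALL msg=audit(1700000000.124:4243): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=1235 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="BAR"
type=CWD msg=audit(1700000000.124:4243): cwd="/home/user"
"""

# Every audit record starts with its type and the msg=audit(timestamp:serial) header;
# the serial is what ties the records of one event together.
HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')
# The audit key set by the -k option of the audit rule, quoted or bare.
KEY_RE = re.compile(r'\bkey="?([^"\s]+)"?')


def group_events(log_text):
    """Group raw audit records by event serial; each value is a list of (type, line)."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record, skip it
        events.setdefault(m.group("serial"), []).append((m.group("type"), line))
    return events


def events_with_key(log_text, wanted_key):
    """Return {serial: records} for events whose SYSCALL record carries the wanted audit key."""
    matched = {}
    for serial, records in group_events(log_text).items():
        for rtype, line in records:
            if rtype == "SYSCALL":
                km = KEY_RE.search(line)
                if km and km.group(1) == wanted_key:
                    matched[serial] = records  # keep all sibling records of the event
    return matched


def syscall_lines_with_key(log_text, wanted_key):
    """Only the SYSCALL line of each matching event, i.e. the single record the key match targets."""
    return [line for records in events_with_key(log_text, wanted_key).values()
            for rtype, line in records if rtype == "SYSCALL"]
```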
