I am facing a problem with the root login rule.
I would like to obtain an alert (from the RE) every time somebody logs in as root, and it usually works, but...
Today we tested root login on a Debian server and it sent this log:
"Sep 22 16:01:57 10.10.10.10 login: ROOT LOGIN on '/dev/tty1'"
The whole part "login: ROOT LOGIN on '/dev/tty1'" is parsed as "event.desc" and the message ID is 00010:22.
Unfortunately root is not parsed as the username, so I tried to catch this using a rule such as:
"msg.id='00010:22' && event.desc contains 'ROOT LOGIN'"
but it's not working. Also, in the investigation query "event.desc = 'login: ROOT LOGIN on '/dev/tty1''" is not working.
Do you guys know a solution for this? I suspect those apostrophes in the desc are the problem, but I don't know how to force it to work.
Is parser modification the only way?
Thanks in advance for any ideas.
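As an added illustration (not part of the original post, and not the SIEM's own rule engine), the Python below does in plain code what the poster's rule is trying to do: split the syslog line into the same fields the SIEM exposes, derive the username "root" from the "ROOT LOGIN" text that the stock parser leaves unextracted, and fire on a substring match of the description. The sample log lines are constructed (the first copies the line from the question; the second is a hypothetical non-root login that must not alert).

```python
import re
from typing import Optional

# Syslog header, then program name and free-text message, as in the quoted line.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\s]+): (?P<msg>.*)$"
)
# Debian login(1) message for a root console login. The tty is single-quoted,
# which is what makes a naive single-quoted exact-match query break.
ROOT_LOGIN_RE = re.compile(r"ROOT LOGIN on '(?P<tty>[^']+)'")


def parse_event(line: str) -> Optional[dict]:
    """Split a raw syslog line into fields; event_desc mirrors the SIEM's event.desc."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["event_desc"] = f"{event['prog']}: {event['msg']}"
    event["user"] = None
    event["tty"] = None
    r = ROOT_LOGIN_RE.search(event["msg"])
    if r:
        # The stock parser never fills the username here, so derive it from the text.
        event["user"] = "root"
        event["tty"] = r.group("tty")
    return event


def root_login_alerts(lines) -> list:
    """Substring match on the description: the equivalent of event.desc contains 'ROOT LOGIN'."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and "ROOT LOGIN" in ev["event_desc"]:
            alerts.append(ev)
    return alerts


# Constructed sample input (first line taken from the question, second hypothetical).
SAMPLE_LOGS = [
    "Sep 22 16:01:57 10.10.10.10 login: ROOT LOGIN on '/dev/tty1'",
    "Sep 22 16:03:12 10.10.10.10 login: LOGIN ON tty2 BY alice",
]

if __name__ == "__main__":
    for ev in root_login_alerts(SAMPLE_LOGS):
        print(f"ALERT {ev['ts']} {ev['host']} user={ev['user']} tty={ev['tty']}")
```

Matching on a substring avoids having to embed the nested single quotes of the full description in the query at all.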