
Unable to use 'contains' on 'event.desc'

Question asked by David Bursik on Sep 22, 2016
Latest reply on Sep 27, 2016 by Christopher Ahearn

Hi Guys,

I am facing a problem with a root login rule.

I would like to get an alert (from RE) every time somebody logs in as root, and it usually works, but...

Today we tested a root login on a Debian server and it sent this log:

"Sep 22 16:01:57 10.10.10.10 login[20773]: ROOT LOGIN on '/dev/tty1'"

The whole part "login[20773]: ROOT LOGIN on '/dev/tty1'" is parsed as "event.desc" and the message ID is 00010:22.

Unfortunately root is not parsed as the username, so I tried to parse this by using a rule such as:

"msg.id='00010:22' && event.desc contains 'ROOT LOGIN'"

but it's not working. Also, in Investigation the query "event.desc = 'login[20773]: ROOT LOGIN on '/dev/tty1''" is not working.

Do you guys know of a solution for this? I suspect those apostrophes in the desc are the problem, but I don't know how to force it to work.

Is parser modification the only way?

Thanks in advance for any ideas.

--

David
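The detection logic the question is after, as an added example that is not part of the original thread and is not NetWitness rule syntax: a small Python parser that splits the syslog header from the description, applies a plain substring test for "ROOT LOGIN", and extracts the PID and tty from the login(1) message so that a synthesized username of root can drive a username-based rule. The sample lines other than the one quoted in the post, the "from '<host>'" variant of the message, and the field names are assumptions made for the example.

```python
import re
from typing import List, Optional

# Constructed sample lines. The first is the line quoted in the question; the
# remote-login variant and the two non-root lines are assumed for illustration.
SAMPLE_LOGS = [
    "Sep 22 16:01:57 10.10.10.10 login[20773]: ROOT LOGIN on '/dev/tty1'",
    "Sep 22 16:02:11 10.10.10.10 login[20801]: ROOT LOGIN on '/dev/tty2' from '10.10.10.5'",
    "Sep 22 16:03:40 10.10.10.10 login[20822]: LOGIN ON '/dev/tty1' BY 'alice'",
    "Sep 22 16:04:02 10.10.10.10 sshd[20850]: Accepted password for alice from 10.10.10.5 port 51000 ssh2",
]

# BSD syslog header "Mon DD HH:MM:SS host " followed by program[pid]: message.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<desc>.*)$"
)

# login(1)'s root message. The tty (and the assumed optional source host) are
# wrapped in apostrophes, so capture between explicit ' characters rather than
# with \S+, which would swallow the closing quote.
ROOT_LOGIN_RE = re.compile(
    r"^login\[(?P<pid>\d+)\]: ROOT LOGIN on '(?P<tty>[^']+)'"
    r"(?: from '(?P<remote>[^']+)')?$"
)


def event_desc(line: str) -> Optional[str]:
    """Return the program+message part that the post says lands in event.desc."""
    m = HEADER_RE.match(line)
    return m.group("desc") if m else None


def contains_root_login(line: str) -> bool:
    """Plain substring test on the description; the apostrophes play no part here."""
    desc = event_desc(line)
    return desc is not None and "ROOT LOGIN" in desc


def parse_root_login(line: str) -> Optional[dict]:
    """Extract pid, tty, remote host (if present) and a synthesized username=root."""
    desc = event_desc(line)
    if desc is None:
        return None
    m = ROOT_LOGIN_RE.match(desc)
    if not m:
        return None
    fields = m.groupdict()
    fields["username"] = "root"  # login(1) never prints the name, so supply it
    return fields


def detect_root_logins(lines: List[str]) -> List[dict]:
    """Run the parser over a batch of lines and keep only the root logins."""
    hits = []
    for line in lines:
        parsed = parse_root_login(line)
        if parsed:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for hit in detect_root_logins(SAMPLE_LOGS):
        print(f"ALERT root login pid={hit['pid']} tty={hit['tty']} remote={hit['remote']}")
```

The two-stage split (header first, then the message) is what lets the substring check and the structured extraction work on the same description field; once the parser emits username=root for these lines, a rule keyed on the username rather than on the free-text description no longer has to cope with the quoting inside the message.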
