Unable to use 'contains' on 'event.desc'

Question asked by David Bursik on Sep 22, 2016
Sep 27, 2016

Hi Guys,


I am facing a problem with a root login rule.


I would like to obtain an alert (from RE) every time somebody logs in as root, and it usually works, but...


Today we tested a root login on a Debian server and it sent this log:

" Sep 22 16:01:57 login[20773]: ROOT LOGIN on '/dev/tty1' "

The whole part " login[20773]: ROOT LOGIN on '/dev/tty1' " is parsed as "event.desc" and the message ID is 00010:22.


Unfortunately, root is not parsed as the username, so I tried to parse this by using a rule such as:

"'00010:22' && event.desc contains 'ROOT LOGIN' "

but it is not working. Also, the investigation query " event.desc = 'login[20773]: ROOT LOGIN on '/dev/tty1'' " is not working.


Do you know of a solution for this? I suspect those apostrophes in the desc are the problem, but I don't know how to force it to work.

Is parser modification the only way?


Thanks in advance for any ideas.
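For readers who want to see the same check done outside the product, here is an added example (not part of the original post, and not the product's own rule syntax): a small Python parser that splits constructed BSD-style syslog lines into program, PID and message, then flags root logins. It treats the apostrophes around the tty as ordinary characters, so a substring match on "ROOT LOGIN" is unaffected by them; an exact-string comparison would have to reproduce them verbatim. It goes slightly beyond the post by also flagging OpenSSH "Accepted ... for root" lines, where the user name is explicit. The log lines, host name and PIDs are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines. The first mirrors the message quoted in the post;
# the rest are made up here to exercise the parser (hostname present/absent,
# non-root login, sshd root login, an unrelated line that mentions root).
SAMPLE_LOGS = [
    "Sep 22 16:01:57 login[20773]: ROOT LOGIN on '/dev/tty1'",
    "Sep 22 16:02:10 login[20801]: LOGIN ON tty2 BY alice",
    "Sep 22 16:03:44 sshd[20910]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2",
    "Sep 22 16:04:02 login[20950]: ROOT LOGIN on '/dev/ttyS0'",
    "Sep 22 16:05:00 cron[20999]: (root) CMD (run-parts /etc/cron.hourly)",
    "Sep 22 16:06:12 debian login[21010]: ROOT LOGIN on '/dev/tty3'",
]

# BSD syslog header: "<Mon> <dd> <hh:mm:ss> [<host>] <program>[<pid>]: <message>".
# The quoted line has no hostname, so the host field is optional here.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\S+) )?"
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Per-program patterns that identify a root login and capture where it came from.
ROOT_LOGIN_PATTERNS = {
    # login(1) on a local console: the user is only implied by the words ROOT LOGIN,
    # and the tty is wrapped in apostrophes, which are matched as plain characters.
    "login": re.compile(r"^ROOT LOGIN on '(?P<src>[^']+)'"),
    # OpenSSH: the user name is explicit, so it can be matched literally.
    "sshd": re.compile(r"^Accepted \S+ for root from (?P<src>\S+)"),
}


def parse_syslog(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one syslog line into ts/host/prog/pid/msg, or None if it does not fit."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def root_login_source(event: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the tty or remote address of a root login, or None if this is not one."""
    pat = ROOT_LOGIN_PATTERNS.get(event.get("prog") or "")
    if pat is None:
        return None
    m = pat.search(event.get("msg") or "")
    return m.group("src") if m else None


def find_root_logins(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run the detection over raw lines and return one record per root login."""
    hits = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            continue
        src = root_login_source(ev)
        if src is None:
            continue
        # "desc" is rebuilt as program[pid]: message, the shape the post describes.
        hits.append({
            "ts": ev["ts"],
            "prog": ev["prog"],
            "pid": ev["pid"],
            "src": src,
            "desc": f"{ev['prog']}[{ev['pid']}]: {ev['msg']}",
        })
    return hits


def desc_contains(desc: str, needle: str) -> bool:
    """Plain substring test; apostrophes inside desc do not affect it."""
    return needle in desc


if __name__ == "__main__":
    for hit in find_root_logins(SAMPLE_LOGS):
        print(hit["ts"], hit["prog"], hit["src"], "|", hit["desc"])
```

Usage note: in a regex, single quotes have no special meaning, so the only place the apostrophes matter is an exact-match comparison, where the full value including the quotes must be reproduced. Messages such as the cron line that merely mention root are ignored because the patterns are keyed on the program name and anchored at the start of the message.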