--- /dev/null
+**Phase 1: Completed pre-decoding.
+ full event: 'Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0'
+ hostname: 'bogus.com'
+ program_name: 'su'
+ log: 'ericx to root on /dev/ttyu0'
+
+**Phase 2: Completed decoding.
+ decoder: 'su'
+ srcuser: 'ericx'
+ dstuser: 'root'
+
+**Phase 3: Completed filtering (rules).
+ Rule id: '5303'
+ Level: '3'
+ Description: 'User successfully changed UID to root.'
+**Alert to be generated.
+
+