debian/ossec-hids/usr/share/doc/ossec-hids/contrib/logtesting/11/res

   1 **Phase 1: Completed pre-decoding.
   2        full event: 'Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0'
   3        hostname: 'bogus.com'
   4        program_name: 'su'
   5        log: 'ericx to root on /dev/ttyu0'
   6
   7 **Phase 2: Completed decoding.
   8        decoder: 'su'
   9        srcuser: 'ericx'
  10        dstuser: 'root'
  11
  12 **Phase 3: Completed filtering (rules).
  13        Rule id: '5305'
  14        Level: '4'
  15        Description: 'First time (su) is executed by user.'
  16 **Alert to be generated.
  17
  18