**Phase 1: Completed pre-decoding.
       full event: 'Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast'
       hostname: 'niban'
       program_name: 'sudo'
       log: ' dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast'

**Phase 2: Completed decoding.
       decoder: 'sudo'
       dstuser: 'dcid'

**Phase 3: Completed filtering (rules).
       Rule id: '5403'
       Level: '4'
       Description: 'First time user executed sudo.'
**Alert to be generated.