+++ /dev/null
-[su: failed ]
-log 1 pass = Apr 27 15:22:23 niban su[2921936]: failed: ttyq4 changing from ldap to root
-log 2 pass = Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0
-rule = 5302
-alert = 9
-decoder = su
-
-[su: bad pass]
-log 1 pass = Apr 27 15:22:23 niban su[234]: BAD SU ger to fwmaster on /dev/ttyp0
-rule = 5301
-alert = 5
-decoder = su
-
-[su: pam - auth fail]
-log 1 fail = Apr 27 15:22:23 niban su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
-log 2 fail = Apr 27 15:22:23 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
-rule = 5503
-alert = 5
-decoder = su
-
-
-[su: work fts]
-log 1 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1
-rule = 5305
-alert = 4
-decoder = su
-