+[su: failed ]
+log 1 pass = Apr 27 15:22:23 niban su[2921936]: failed: ttyq4 changing from ldap to root
+log 2 pass = Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0
+rule = 5302
+alert = 9
+decoder = su
+
+[su: bad pass]
+log 1 pass = Apr 27 15:22:23 niban su[234]: BAD SU ger to fwmaster on /dev/ttyp0
+rule = 5301
+alert = 5
+decoder = su
+
+[su: pam - auth fail]
+log 1 fail = Apr 27 15:22:23 niban su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
+log 2 fail = Apr 27 15:22:23 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
+rule = 5503
+alert = 5
+decoder = su
+
+
+[su: work fts]
+log 1 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1
+rule = 5305
+alert = 4
+decoder = su
+