# Copyright 2004-2014 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Linux log parser
#
# DESCRIPTION:
# This library is used to process logs from Linux systems.
#
# LAST UPDATE: $Date$

id=600
name=This Linux system's systemd has detected a service unit entering a failed state.
match=ail
match=ed
match=er
match=systemd
match=failed
match=ent
match=entered failed state
log=event:Linux-Systemd_Unit_Failed_State type:process

NEXT

id=601
name=This Linux system's systemd has detected a main process exit.
match=ed
match=ss
match=in
match=tem
match=exited
match=status
match=main process exited
log=event:Linux-Systemd_Main_Process_Exited type:process

NEXT

id=602
name=This Linux system's systemd has detected a service start.
match=St
match=tem
match=ar
match=ed
match=systemd: Started
log=event:Linux-Systemd_Service_Start type:process

NEXT

id=603
name=This Linux system's systemd-logind has removed a session.
match=log
match=st
match=ion
match=ss
match=lo
match=og
match=tem
match=systemd-logind: Removed session
log=event:Linux-Systemd_Logind_Session_Removed type:system

NEXT

id=604
name=This Linux system's systemd-logind has created a new session for a user.
match=in
match=lo
match=ss
match=ser
match=log
match=ystem
match=session
match=systemd-logind: New session
log=event:Linux-Systemd_Logind_Session_New type:system

NEXT

id=605
name=This Linux system's dbus-daemon has successfully activated a service.
match=ti
match=ed
match=er
match=ss
match=at
match=ser
match=ystem
match=Successfully activated service
log=event:Linux-Dbus_Service_Activated_Successfully type:system

NEXT

id=606
name=This Linux system's fprintd (fingerprint authentication daemon) has failed to initialize.
match=rr
match=ed
match=or
match=le
match=in
match=IN
match=ail
match=error
match=fprint init failed with error
log=event:Linux-Fprintd_Failed type:process

NEXT

id=607
name=This Linux system's Gnome Display Manager PAM service (gkr-pam) has unlocked the login keyring.
match=in
match=ss
match=ed
match=lo
match=ass
match=log
match=ing
match=gkr-pam: unlocked login keyring
log=event:Linux-GDM_Keyring_Login_Unlocked type:system

NEXT

id=608
name=This Linux system's Gnome Keyring Daemon has failed to initialize a slot with the master password.
match=st
match=or
match=ss
match=as
match=ing
match=er
match=lo
match=couldn't initialize slot with master password
log=event:Linux-GDM_Slot_Initialization_Password_Failure type:error

NEXT

id=609
name=This Linux system has detected that rsyslogd has been sent a HUP signal.
match=or
match=as
match=lo
match=in
match=er
match=log
match=ed
match=rsyslogd was HUPed
log=event:Linux-Rsyslog_HUP type:process

NEXT

id=610
name=This Linux system's Automatic Bug Reporting Tool has generated a core backtrace.
match=or
match=re
match=er
match=at
match=in
match=ing
regex=(?:abrt-server|abrtd): Generating core_backtrace
log=event:Linux-ABRT_Core_Backtrace_Generated type:system

NEXT

id=611
name=This Linux system's Automatic Bug Reporting Tool has detected a duplicate core backtrace.
match=or
match=re
match=ce
match=at
match=ace
regex=(?:abrt-server|abrtd): Duplicate: core backtrace
log=event:Linux-ABRT_Core_Backtrace_Duplicate type:system

NEXT

id=612
name=This Linux system's Automatic Bug Reporting Tool has detected a duplicate problem directory.
match=DIR
match=P
match=UP
regex=(?:abrt-server|abrtd): DUP_OF_DIR
log=event:Linux-ABRT_Directory_Duplicate type:system

NEXT

id=613
name=This Linux system's Automatic Bug Reporting Tool is deleting a problem directory.
match=le
match=ect
match=ire
match=ti
match=re
match=ing
match=or
regex=(?:abrt-server|abrtd): Deleting problem directory
log=event:Linux-ABRT_Directory_Delete type:system

NEXT

id=614
name=This Linux system's NetworkManager has detected an error requesting authorization.
match=er
match=rr
match=an
match=st
match=or
match=ing
match=error
match=error requesting auth
match=NetworkManager
log=event:Linux-NetworkManager_Auth_Error type:login-failure

NEXT

id=615
name=This Linux system's NetworkManager has reported a device state change.
match=sta
match=at
match=an
match=or
match=in
match=NetworkManager
match=device state change
log=event:Linux-NetworkManager_State_Change_Device type:system

NEXT

id=616
name=This Linux system's NetworkManager has set a policy as the default.
match=in
match=or
match=ol
match=er
match=ic
match=]:
match=as default for
match=Policy set
match=NetworkManager
log=event:Linux-NetworkManager_Policy_Set type:system

NEXT

id=617
name=This Linux system's NetworkManager has reported a successful device activation.
match=or
match=ion
match=ed
match=ic
match=at
match=ss
match=ti
match=Activation
match=device activated
match=NetworkManager
log=event:Linux-NetworkManager_Activation_Device type:system

NEXT

id=618
name=This Linux system's NetworkManager has reported its state as CONNECTING.
match=CONNECTING
match=st
match=or
match=er
match=at
match=an
match=stat
match=!CONNECTED_GLOBAL
match=!CONNECTED_LOCAL
match=NetworkManager state is now
log=event:Linux-NetworkManager_State_Connecting type:system

NEXT

id=619
name=This Linux system's NetworkManager has reported its state as CONNECTED_LOCAL.
match=CONNECTED_LOCAL
match=st
match=or
match=er
match=at
match=an
match=stat
match=!CONNECTED_GLOBAL
match=!CONNECTING
match=NetworkManager state is now
log=event:Linux-NetworkManager_State_Connected_Local type:system

NEXT

id=620
name=This Linux system's NetworkManager has reported its state as CONNECTED_GLOBAL.
match=CONNECTED_GLOBAL
match=st
match=or
match=er
match=at
match=an
match=stat
match=!CONNECTED_LOCAL
match=!CONNECTING
match=NetworkManager state is now
log=event:Linux-NetworkManager_State_Connected_Global type:system

NEXT

id=621
name=This Linux system's NetworkManager has reported a new Ethernet device.
match=in
match=er
match=ic
match=ce
match=an
match=NetworkManager
match=new Ethernet device
log=event:Linux-NetworkManager_Device_Ethernet_New type:system

NEXT

id=622
name=This Linux system's NetworkManager is auto-activating a connection.
match=in
match=ion
match=ect
match=at
match=er
match=Auto-activating connection
match=NetworkManager
log=event:Linux-NetworkManager_Connection_Auto_Activating type:system

NEXT

id=1300
name=This Linux system has had a new user added.
match=ser
match=user
match=useradd[
match=]: new user: name=
match=, home=/
match=, shell=/
regex= name=([^,]+),
log=event:Linux-User_Added type:system user:$1

NEXT

id=1301
name=This Linux system had a group added.
match=ser
match=useradd[
match=user
match=]: new group: name=
log=event:Linux-Group_Added type:system

NEXT

id=1302
name=A user account has been locked via usermod.
match=]: 
match=ck
match=ser
match=usermod[
match=user
match=pass
match=]: lock user
log=event:Linux-User_Locked type:system

NEXT

id=1303
name=A user account has been unlocked via usermod.
match=]: 
match=ck
match=ser
match=usermod[
match=user
match=pass
match=]: unlock user
log=event:Linux-User_Unlocked type:system

NEXT

id=1304
name=A user account's shell has been changed via usermod.
match=]: 
match=ser
match=ang
match=usermod[
match=user
match=shell
match=]: change user
log=event:Linux-User_Changed_Shell type:system

NEXT

id=1305
name=A user account's UID has been changed via usermod.
match=]: 
match=ser
match=ang
match=usermod[
match=user
match=UID
match=]: change user
log=event:Linux-User_Changed type:system

NEXT

id=1306
name=This Linux system had a root login.
match=lo
match=log
match= login[
match=OT
match=]: ROOT LOGIN 
match=IN
match=LO
match=ROOT
match=OOT
regex=ROOT LOGIN (?:on|ON) \S+
log=event:Linux-Root_Login type:login

NEXT

id=1307
name=This Linux system had a password change.
match=ss
match=ass
match= passwd[
match=pass
match=]: password for `
match=ser
match=ed
match=' changed by user `
match=an
match=user
regex=passwd\[\d+\]: password for \S+ changed by user
log=event:Linux-Password_Change type:system

NEXT

id=1308
name=This Linux system had an invalid login attempt with a bad password.
match=lo
match=log
match=login[
match=ss
match=ass
match=]: invalid password for `
match=pass
regex=login\[\d+\]: invalid password for \S+
log=event:Linux-Failed_Login type:login-failure

NEXT

id=1309
name=This Linux system had a failed login.
match=lo
match=log
match=login
match=: FAILED LOGIN 
match=IN
match=LO
match= FOR 
match=FO
match=ail
match=ailure
match=ent
match=ion
match=, Authentication failure
match=uthentication
log=event:Linux-Failed_Login type:login-failure

NEXT

id=1310
name=This Linux system had software installed via the dpkg package manager.
match=sta
match=le
match=ed
match= status installed 
match=nstall
match=status
regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] status installed 
log=event:Linux-DPKG_Software_Installed type:system

NEXT

id=1311
name=This Linux system had software removed via the dpkg package manager.
match=rem
match= remove
regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] remove 
log=event:Linux-DPKG_Software_Removed type:system

NEXT

id=1312
name=This Linux system had an rpc.statd exploit attempt.
# NOTE(review): the match= line below beginning "Oct 27 13:27:54 igunda rpc.statd[353]:" is a complete sample record including timestamp, hostname and pid; if match= lines are conjunctive (as the negated match= lines elsewhere in this file imply), this rule can only fire on that exact record. The generic "]: POSSIBLE SPOOF/ATTACK ATTEMPT!" match already covers the message.
match=AT
match=Oct 27 13:27:54 igunda rpc.statd[353]: POSSIBLE SPOOF/ATTACK ATTEMPT!
match= rpc.statd[
match=MP
match=]: POSSIBLE SPOOF/ATTACK ATTEMPT!
match=ATTACK
log=event:Linux-RPC_Statd_Exploit type:intrusion dstport:111

NEXT

id=1313
name=This Linux system had a mountd export request.
match=xport
match=est
match=request
match=rom
match=rpc.mountd: export request from
regex=rpc\.mountd: export request from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Linux-RPC_Mountd_Export_Request srcip:$1 type:connection

NEXT

id=1314
name=This Linux system had a remote pam_unix authentication failure.
# NOTE(review): the log= line below starts with a space after "=" (" event:..."), unlike every other log= in this file; confirm the parser trims it, otherwise the event field may not be recognised.
match=pam_unix
match=ailure
match=ho
match= authentication failure;
match=authentication failure;
match=uthentication
match=io
match=fa
match=at
match=un
match=he
match=on
match=ent
match=auth
match=re
match=user
match=se
match=ser
match=host
match=ca
match=nt
match=en
match=ai
match=ic
match=cat
match=nti
match=use
match=au
match=ur
match=log
match=er
match=ut
match=fail
match=failure
match=st
match=ion
regex= rhost=([^ $]{1,100})
log= event:Linux-PAM_Remote_Auth_Failure type:login-failure srcip:$1

NEXT

id=1315
name=This Linux system had a local pam_unix authentication failure.
# NOTE(review): the regex= below captures the user= field but log= never references $1, and the event name Linux-PAM_Local_Auth does not indicate a failure the way rule 1314's Linux-PAM_Remote_Auth_Failure does; confirm both are intended.
match=ailure
match=ho
match=lo
match= rhost= 
match=ame
match=io
match=ser
match=at
match=uth
match=ail
match=he
match= authentication failure;
match=authentication failure;
match=uthentication
match=on
match=log
match=ent
match=tion
match=auth
match=ty
match=pam_unix
match=re
match=host
match=ca
match=nt
match=en
match=na
match=failure
match=ai
match=ic
match=cat
match=user
match=nti
match=use
match=og
match=fail
match=st
match=ion
match=name
regex= rhost=\s+user=([^ $]{1,100})
log=event:Linux-PAM_Local_Auth type:login-failure 

NEXT

id=1316
name=This Linux system had promiscuous mode enabled. This typically indicates that a packet sniffer is now active.
match=kernel
match=rom
match=romiscuous
match=le
match=ed
match=: Promiscuous mode enabled.
log=event:Linux-Promiscuous_Mode_Enabled type:system

NEXT

id=1317
name=This Linux system had promiscuous mode enabled. This typically indicates that a packet sniffer is now active.
match=kernel
match=rom
match=romiscuous
match=ent
match=ed
match= entered promiscuous mode
log=event:Linux-Promiscuous_Mode_Enabled type:system

NEXT

id=1318
name=This Linux system had an account added to a group.
# NOTE(review): the matched message is "account added to group", i.e. an existing account joined a group; the log= below reuses the Linux-Group_Added event that rules 1301 and 1327 emit for a newly created group, so the two cannot be told apart downstream.
match=ser
match=user
match= useradd[
match=ed
match=]: account added to group - account=
match=acc
log=event:Linux-Group_Added type:system 

NEXT

id=1319
name=This Linux system had an account added which already existed. 
match=ser
match=user
match= useradd[
match=]: account already exists - account=
match=acc
log=event:Linux-User_Exists type:error

NEXT

id=1320
name=This Linux system had an account added.
match=ser
match=user
match= useradd[
match=ed
match=]: new account added - account=
match=acc
regex= account=([^,]+),
log=event:Linux-User_Added type:system user:$1

NEXT

id=1321
name=This Linux system had an account removed from a group.
match=rom
match=ed
match=]: account removed from group - account=
match=acc
match=rem
match=, group=
match=, gid=
match=, by=
log=event:Linux-User_Removed_From_Group type:system 

NEXT

id=1322
name=This Linux system had an account deleted.
match= shadow[
match=le
match=ed
match=]: account deleted 
match=acc
match=- account=
log=event:Linux-User_Deleted type:system 

NEXT

id=1323
name=This Linux system had a user password changed.
match=ss
match=ass
match= passwd[
match=pass
match=ed
match=]: password changed - account=
match=acc
match=an
log=event:Linux-User_PW_Changed type:system 

NEXT

id=1324
name=This Linux system had a password changed.
match=ss
match=ass
match=passwd
match=pass
match=ed
match=: password changed for 
match=an
log=event:Linux-User_PW_Changed type:system

NEXT

id=1325
name=This Linux system had a user deleted.
match=!from group
match=!removed group
match=ser
match=userdel[
match=user
match=le
match=]: delete user 
log=event:Linux-User_Deleted type:system

NEXT

id=1326
name=This Linux system had a user added.
match=ser
match= adduser[
match=]: new user: name=
match=user
regex= name=([^,]+),
log=event:Linux-User_Added type:system user:$1

NEXT

id=1327
name=This Linux system had a group added.
match=ser
match= adduser[
match=]: new group: name=
match=user
log=event:Linux-Group_Added type:system

NEXT

id=1328
name=This Linux system is running SELinux and had an AVC access granted.
# NOTE(review): log= below references sensor:$1 but this rule defines no regex= capture group (rule 1329 has the same issue); confirm what the engine substitutes for an undefined capture.
match=tem
match=ystem
match= avc: 
match=kernel
match=kernel: audit(
match=ed
match=: avc:  granted  { 
match=an
log=event:SELinux-AVC_granted sensor:$1 type:system

NEXT

id=1329
name=This Linux system is running SELinux and had an AVC access denied.
# NOTE(review): log= below references sensor:$1 but this rule defines no regex= capture group (rule 1328 has the same issue); confirm what the engine substitutes for an undefined capture.
match=kernel
match=tem
match=ystem
match=kernel:
match= avc: 
match=ed
match=: avc:  denied  { 
log=event:SELinux-AVC_denied sensor:$1 type:access-denied

NEXT

id=1331
name=This Linux system is out of memory.
match=kernel
match=ce
match=ss
match=ut
match=cr
match=kernel: Out of memory: Kill
log=event:Linux-Out_Of_Memory type:error

NEXT

id=1332
name=This Linux system had a local named cache hit denied.
match=ed
match=named[
match=ent
match=]: client 
match=client
match=: query (cache) denied
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Named-Cache_Denied srcip:$1 type:access-denied

NEXT

id=1333
name=This Linux system had a named configuration failure.
match=ed
match= named[
match=ail
match=lo
match=ion
match=ing
match=]: loading configuration: failure
match=ailure
log=event:Named-Configuration_Failure type:error

NEXT

id=1334
name=This Linux system is running SELinux and it has prevented a process from accessing a resource.
match=SE
match=SELinux
match=ent
match=ing
match=is preventing 
match=le
match=. For complete
log=event:SELinux-Action_Prevention type:access-denied

NEXT

id=1335
name=This Linux system is out of memory.
match=kernel
match=ce
match=le
match=ed
match=ss
match=kernel: Out of Memory: Killed process 
log=event:Linux-Out_Of_Memory type:error

NEXT

id=1336
name=This Linux system has logged an error with the CD-ROM drive.
match=kernel
match=rom
match= cdrom_pc_intr: 
log=event:Linux-CDROM_Error type:error

NEXT

id=1337
name=This Linux server has logged a connection to a service being hosted by the xinetd daemon.
match= xinetd[
match=RT
match= START:
match=ST
match=rom
match= from=
match=from
regex= from(?:=|=::ffff:)([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Linux-Xinetd_Connection type:connection srcip:$1 

NEXT

id=1338
name=The Yum application manager has installed a system package.
match=yum 
match=sta
match=le
match=ed
match= Installed: 
match=nstall
log=event:Linux-Yum_Installation type:system 

NEXT

id=1339
name=This Linux operating system has recently rebooted. The matched syslog message indicating the kernel type is only displayed during the boot process.
match=io
match=on
match=ersion
match=ver
match=kern
match=er
match=ve
match=version
match=kernel
match=ion
match=kernel: Linux version 2.
log=event:Linux-System_Start type:restart

NEXT

id=1340
name=The Yum application manager has updated a system package.
match=yum
match=ate
match=ed
match= Updated:
match=date
log=event:Linux-Yum_Updated type:system 

NEXT

id=1341
name=The Yum application manager has erased a system package.
match=yum
match=ed
match= Erased:
log=event:Linux-Yum_Erased type:system

NEXT

id=1342
name=The Up2date application successfully authenticated to an up2date server. This means that a Red Hat server was able to connect to a server to receive an update.
match=ate
match=] up2date
match=date
match=ent
match=ion
match=uthentication
match=ce
match=ed
match=ss
match= successfully retrieved authentication token
log=event:Linux-Up2date_Authenticated type:system

NEXT

id=1343
name=The Up2date application failed to connect to an up2date server. This could mean that the Red Hat server is not configured correctly, or has network connectivity issues. 
match=ate
match=] up2date
match=date
match=ser
match=rr
match=ing
match= Error communicating with server
log=event:Linux-Up2date_Connection_Failure type:error

NEXT

id=1344
name=The Up2date application registered the system. This is part of the process of receiving system updates from Red Hat.
match=ate
match=] up2date
match=date
match=tem
match=ed
match= Registered system.
match=ystem
log=event:Linux-Up2date_Registered_System type:system

NEXT

id=1345
name=The Up2date application added packages to the package profile. Software was added to the Red Hat server.
match=ate
match=] up2date
match=date
match=ack
match=ing
match=le
match= Adding packages to package profile
log=event:Linux-Up2date_Package_Additions type:system

NEXT

id=1346
name=The Up2date application removed packages from the package profile. Software was removed from the Red Hat server.
match=ate
match=] up2date
match=date
match=rom
match=ack
match=ing
match=le
match= Removing packages from package profile
log=event:Linux-Up2date_Package_Deletions type:system

NEXT

id=1347
name=The Up2date application was unable to activate installation. This could mean that the Red Hat server is not configured correctly, or has network connectivity issues.
match=ate
match=] up2date
match=date
match=sta
match=rr
match=ion
match=ing
match=le
match= There was an error while activating the installation
match=an
match=nstall
log=event:Linux-Up2date_Activation_Failure type:error

NEXT

id=1348
name=The Up2date application passed invalid credentials. This could mean that a Red Hat server's maintenance has expired. 
# Please note, no initial up2date token in this up2date log record
match=rr
match=ss
match=ass
match=Error Class Info
match=ent
match=tem
match=ed
match=Invalid System Credentials
match=ystem
log=event:Linux-Up2date_Invalid_Credentials type:error

NEXT

id=1349
name=The network time protocol has synchronized to a network time source.  
match=tp
match=ntpd[
match=ntp
match=ed
match= synchronized to
match= stratum
match=! LOCAL
regex=synchronized to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=event:Linux-Network_Time_Update type:system dstip:$1

NEXT

id=1350
name=This Linux system had promiscuous mode disabled. This typically indicates that a packet sniffer has been deactivated.
match=kernel
match=rom
match=romiscuous
match=le
match= left promiscuous mode
log=event:Linux-Promiscuous_Mode_Disabled type:system

NEXT

id=1351
name=This Linux system had a user removed from a group.
match=!removed group
match=rom
match=from group
match=ser
match=userdel[
match=user
match=le
match=]: delete `
log=event:Linux-User_Removed_From_Group type:system

NEXT

id=1352
name=This Linux system had a group removed.
match=ser
match=userdel[
match=user
match=ed
match=]: removed group
match=rem
match=owned by
log=event:Linux-Group_Removed type:system

NEXT

id=1353
name=This Linux system had a system administrator run the gpasswd command to administer group membership or group passwords.
match=ss
match=ass
match=pass
match=gpasswd[
log=event:Linux-Group_Passwd_Change type:system

NEXT

id=1354
name=The ntp daemon is shutting down (exiting on signal 15).
match=tp
match=ntp
match=ntpd[
match=ing
match=ntpd exiting on signal 15
match=signal
log=event:Linux-Network_Time_Daemon_Shutdown type:process 

NEXT

id=1355
name=The ntp daemon is starting up and has logged its version.
match=tp
match=ntp
match=ntpd[
match= ntpd
regex=ntpd\[([0-9]+)\]\: ntpd [0-9]\.[0-9].*20[0-9][0-9]
log=event:Linux-Network_Time_Daemon_Version type:system

NEXT

id=1356
name=This Linux system has logged a segfault from a running process.
match=kernel
match=segfault at
log=event:Linux-Segfault_Detected type:process

NEXT

id=1357
name=The ntp daemon cannot open the temporary drift file. 
match=tp
match=ntp
match=ntpd[
match=ion
match=ed
match=ss
match=can't open /etc/ntp/drift.TEMP: Permission denied
match=an
match=MP
log=event:Linux-Network_Time_Permission_Denied type:error

NEXT

id=1358
name=This Linux system had promiscuous mode enabled. This typically indicates that a packet sniffer is now active.
match=ce
match= device
match=ent
match=rom
match=ed
match= entered promiscuous mode
log=event:Linux-Promiscuous_Mode_Enabled type:system

NEXT

id=1359
name=This Linux system had promiscuous mode disabled. This typically indicates that a packet sniffer has been deactivated.
match=ce
match= device
match=rom
match=romiscuous
match=le
match= left promiscuous mode
log=event:Linux-Promiscuous_Mode_Disabled type:system

NEXT

id=1360
name=This system had multiple incorrect sudo password attempts.
match=sudo:
match=tem
match=rr
match=ss
match=ass
match=pt
match=incorrect password attempts
match=ect
match=pass
match=USER
match=SE
match=ER
match=; USER=
match=; PWD=
match=; COMMAND=
log=event:Linux-Multiple_SUDO_Failures type:login-failure

NEXT

id=1361
name=The network time protocol has synchronized to a local network time source.  
match=tp
match=ntp
match=AL
match=ntpd[
match=ed
match= synchronized to
match= stratum
match= LOCAL
match=LO
log=event:Linux-Network_Time_Local_Update type:system 

NEXT

id=1362
name=This Linux system had a user removed.
match=ser
match=userdel[
match=user
match=le
match=ed
match=]: account deleted - account=
match=acc
log=event:Linux-User_Account_Removed type:system

NEXT

id=1363
name=This Linux system is running SELinux and enforcement has been switched off via setenforce (enforcing=0, i.e. permissive mode).
match= avc: 
match=ce
match=ed
match= received setenforce notice
match=ing
match= (enforcing=0)
log=event:SELinux-Disabled type:system

NEXT

id=1364
name=This Linux system is running SELinux and enforcement has been switched on via setenforce (enforcing=1, i.e. enforcing mode).
match= avc: 
match=ce
match=ed
match= received setenforce notice
match=ing
match= (enforcing=1)
log=event:SELinux-Enabled type:system

NEXT

id=1365
name=The xinetd service has started on this Linux system.
match= xinetd[
match=ion
match= xinetd Version 
match=sta
match=ar
match=ed
match= started with
match=start
log=event:Linux-Xinetd type:restart

NEXT

id=1366
name=This Linux server has finished a connection to a service being hosted by the xinetd daemon.
match= xinetd[
match= EXIT:
match=sta
match= status=
match=status
match= pid=
match=ion
match= duration=
log=event:Linux-Xinetd_Connection_Finished type:connection

NEXT

id=1367
name=This Linux server had a command issued by root. 
match=ser
match=User 'root'
match=User
match=an
match=ecu
match=ed
match= executed command
match=!parent process
match=ce
match=ss
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match= minor page faults,
match= major page faults,
match=ommand
log=event:Linux-Command_Issued_By_Root type:process

NEXT

id=1368
name=This Linux server had commands issued by a superuser not named root.
match=!User 'root'
match=ecu
match=ed
match= executed command
match=ommand
match=an
match=!parent process
match=ce
match=ss
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match= minor page faults,
match= major page faults,
match=ser
match=le
match= Superuser priveleges were used.
log=event:Linux-Command_Issued_By_SuperUser type:process

NEXT

id=1369
name=This Linux server had commands issued by a non-root user.
match=!User 'root'
match=ecu
match=ed
match= executed command
match=ommand
match=an
match=!parent process
match=!Superuser priveleges were used.
match=ce
match=ss
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match= minor page faults,
match= major page faults,
log=event:Linux-User_Issued_Command type:process

NEXT

id=1370
name=This Linux system had software configured via the dpkg package manager.
match=sta
match=status
match=le
match= status config-files 
regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] status config-files 
log=event:Linux-DPKG_Software_Configured type:system

NEXT

id=1371
name=The network time protocol daemon has reset the system time.
match=tp
match=ntp
match=ntpd[
match=: time reset 
log=event:Linux-Network_Time_Reset type:system

NEXT

id=1372
name=This Linux server had a Small Footprint CIM Broker error accepting an SSL connection.
match=SSL
match=ion
match=onnection
match=onnect
match=ect
match=sfcb[
match=rr
match=ing
match=ce
match=pt
match= Error accepting SSL 
match=acc
match=connection -- exiting
log=event:Linux-SFCB_SSL_Connection_Error type:error

NEXT

id=1373
name=This Linux server had commands issued by a superuser not named root.
match=!User 'root'
match=ecu
match=ed
match= executed command
match=ommand
match=an
match=ent
match=ar
match=ce
match=ss
match= parent process
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match= minor page faults,
match= major page faults,
match=ser
match=le
match= Superuser priveleges were used.
log=event:Linux-Command_Issued_By_SuperUser_With_ParentID type:process

NEXT

id=1374
name=This Linux server had commands issued by a non-root user.
match=!User 'root'
match=ecu
match=ed
match= executed command
match=ommand
match=an
match=ent
match=ar
match=ce
match=ss
match= parent process
match=!Superuser priveleges were used.
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match= minor page faults,
match= major page faults,
log=event:Linux-User_Issued_Command_With_ParentID type:process

NEXT

id=1375
name=This Linux server had a command issued by root.
match=ser
match=User 'root'
match=User
match=ecu
match=ed
match= executed command
match=ommand
match=an
match=ent
match=ar
match=ce
match=ss
match= parent process
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match= minor page faults,
match= major page faults,
log=event:Linux-Command_Issued_By_Root_With_ParentID type:process

NEXT

id=1376
name=A process exited abnormally.
match=exited abnormally
match= ALER
match=ER
match=: 
match= [
match=RT
match=ed
match=ALERT
match=AL
log=event:Linux-Command_Exited_Abnormally type:process

NEXT

id=1377
name=A user attempted to authenticate but the account was unknown to the local system.
match=error retrieving information about user
match=succ
match=if
match=nformation
match=io
match= user
match=se
match=ser
match=at
match=form
match=on
match=tion
match=rror
match=fo
match=ing
match=ed
match=ret
match=ab
match=su
match=ou
match=in
match=vi
match=user
match=rr
match=ce
match=error
match=ti
match=use
match=info
match=for
match=ma
match=er
match=pam_succeed_if
match=ut
match=ion
match=rm
log=event:Linux-PAM_Unknown_User type:login-failure 

NEXT

id=1378
name=PAM on this Linux system has opened a session for a user.
match=sess
match=io
match= user
match=ser
match=se
match=un
match=for 
match=on
match=fo
match=pam_unix
match=ed
match=ss
match=ess
match=session
match=session opened for user
match=en
match=for user
match=by
match=or
match=user
match=use
match=ses
match=for
match=opened
match=er
match=ned
match=ion
match=user 
match=op
regex=session opened for user ([^\ ]{1,40})
log=event:Linux-PAM_Session_Opened type:login user:$1

NEXT

id=1379
name=PAM on this Linux system has closed a session for a user.
match=sess
match=lo
match=io
match= user
match=se
match=ser
match=un
match=for 
match=on
match=fo
match=pam_unix
match=ed
match=ess
match=ss
match=for user
match=or
match=session closed
match=user
match=use
match=ses
match=for
match=er
match=session
match=sed
match=session closed for user
match=ion
regex=session closed for user ([^\ ]{2,25})
log=event:Linux-PAM_Session_Closed type:logout user:$1

# id=1380 free 

NEXT

id=1382
name=The argus daemon has started on this Linux system.
match=argus[
match=gu
match=argus
match=ar
match=st
match=started
log=event:Linux-Argus_Started type:process

NEXT

id=1383
name=The argus daemon on this Linux system has reported an interface status.
match=argus[
match=gu
match=argus
match=ar
match=Get
match=te
match=fa
match=St
match=at
match=ArgusGetInterfaceStatus:
log=event:Linux-Argus_Interface_Status type:process

NEXT

id=1384
name=This Linux system has issued a cron command.
match=!audit
match=CRON[
match=CRON
match=CR
match=CMD
log=event:Linux-CRON_CMD type:system

NEXT

id=1385
name=This Linux system has issued a cron command.
match=!audit
match=CROND[
match=CRON
match=CR
match=CMD
log=event:Linux-CRON_CMD type:system

NEXT

id=1386
name=This Linux system had a user fail authentication via pam_krb5.
match=uthentication
match=io
match=fa
match=at
match=pam_krb
match=pam_krb5
match=authentication fails for
match=th
match=uth
match=ail
match=he
match=ent
match=tion
match=auth
match=fo
match=ca
match=nt
match=or
match=ai
match=ic
match=cat
match=il
match=ti
match=au
match=for
match=ut
match=fail
match=ion
regex=authentication fails for '([^ ]{2,25})'
log=event:Linux-PAM-KRB5_Authentication_Failure type:login-failure 

NEXT

id=1387
name=This Linux system had a user authenticate successfully via pam_krb5.
match=uthentication 
match=authentication succeeds for
match=succ
match=io
match=at
match=pam_krb
match=pam_krb5
match=th
match=uth
match=he
match=cc
match=ent
match=tion
match=auth
match=fo
match=ed
match=ca
match=nt
match=en
match=ic
match=cat
match=nti
match=ce
match=ti
match=for
match=ut
match=ion
regex=authentication succeeds for '([^ ]{2,25})'
log=event:Linux-PAM-KRB5_Authentication_Succeeds type:login user:$1

NEXT

id=1388
name=This Linux system's pam_krb5 reported an error reading the keytab.
match=error
match=or
match=rr
match=rror
match=ing
match=pam_krb
match=pam_krb5
match=error reading keytab
log=event:Linux-Error_Reading_Keytab type:error

NEXT

id=1389
name=This Linux system's NetworkManager has reported a DHCPv4 state change.
match=sta
match=an
match=or
match=in
match=NetworkManager
match=DHCPv4 state changed
log=event:Linux-NetworkManager_State_Change_DHCP type:system


NEXT

id=1390
name=The network time protocol daemon has reported a time sync status change.
match=tp
match=ntp
match=ntpd[
match=time sync status change
log=event:Linux-Network_Time_Status_Change type:system

NEXT

id=1391
name=The avahi daemon on this Linux system received an invalid query packet.
match=avahi-daemon
match=Invalid query packet
match=er
match=packet
match=pac
match=ack
match=daemon
log=event:Linux-Avahi_Invalid_Query type:system

NEXT

id=1392
name=The avahi daemon on this Linux system received an invalid response packet from a host.
match=avahi-daemon
match=Invalid response packet
match=packet
match=pac
match=ack
match=daemon
regex=host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Linux-Avahi_Invalid_Response type:system srcip:$1

NEXT

id=1393
name=The Linux PAM system encountered an unknown user.
match=check pass; user unknown
match=no
match=as
match= user
match=se
match=ser
match=un
match=nknown
match=he
match=own
match=pam_unix
match=ass
match=ss
match=pass
match=wn
match=ch
match=user
match=check pass; user
match=now
match=use
match=ck
match=er
match=unknown
match=user 
log=event:Linux-PAM_User_Unknown type:login-failure

NEXT

id=1394
name=This Linux system's rpc.mountd has refused a mount request.
match=est
match=request
match=rom
match=ed
match=rpc.mountd: refused mount request from 
regex=rpc\.mountd: refused mount request from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) for
log=event:Linux-Failed_NFS_Mount type:access-denied srcip:$1

NEXT

id=1395
name=This Linux system's unix_chkpwd logged a failed password check for a user.
match=as
match=fa
match= user
match=un
match=ail
match=he
match=pw
match=ed
match=ss
match=for user
match=failed
match=or
match=ch
match=ai
match=user
match=il
match=ailed
match=use
match=ck
match=ile
match=for
match=password
match=er
match= failed
match=rd
match=fail
match=failed for user
match=unix_chkpwd
log=event:Linux-Password_Check_Failed type:login-failure

NEXT

id=1396
name=A Telnet user was denied access because the terminal is not secure.
match=login:
match=pam
match=tt
match=secure
match=access
match=ss
match=denied
match=ed
match=access denied
match=is
match=not
match=is not secure
log=event:Linux-Telnet_Login_Not_Secure type:login-failure

NEXT

id=1397
name=A login failed because a PAM requirement (for example "uid >= 1000") was not met by the user.
match=pam
match=requirement
match=cc
match=succeed
match="uid >= 1000"
match=not met by user
match=user
match=er
match=ed
regex=not met by user "([^\ ]{1,25})"
log=event:Linux-Login_Failure type:login-failure 

NEXT

id=1398
name=This Linux system has issued a cron command.
match=!audit
match=crond[
match=cron
match=cr
match=CMD
log=event:Linux-CRON_CMD type:system

NEXT

id=1399
name=This Linux system has saved a core dump from a crashing process.
match=id
match=core d
match=ed
match=re
match=co
match=ab
match=rt
match= pid 
match= abrt[
log=event:Linux-Process_Core_Dump_Saved type:process

NEXT

id=11400
name=This Linux system's PolicyKit has had an operator of a session fail to authenticate.
match=polkitd
match=pol
match=kit
match=FAILED to authenticate to gain authorization for action
match=FA
match=ED
match=to
match=au
match=ate
match=ai
match=ion
match=ac
log=event:Linux-Polkit_Autentication_Operator_Failed type:login-failure

NEXT

id=11401
name=This Linux system's PolicyKit has registered an authentication agent for a session.
match=polkitd
match=pol
match=kit
match=Registered Authentication Agent for
match=Re
match=ed
match=Au
match=ion
match=or
match=ss
match=se
match=st
log=event:Linux-Polkit_Authentication_Agent_Registered type:login

NEXT

id=11402
name=This Linux system's PolicyKit has unregistered an authentication agent for a session.
match=polkitd
match=pol
match=kit
match=Unregistered Authentication Agent for session
match=Un
match=ed
match=Au
match=ion
match=or
match=ss
match=se
match=st
log=event:Linux-Polkit_Authentication_Agent_Unregistered type:system

NEXT

id=11403
name=This Linux system's PolicyKit has had an operator of a session successfully authenticate.
match=polkitd
match=pol
match=kit
match=successfully authenticated as
match=ll
match=Oper
match=to
match=au
match=ate
match=ai
match=ion
match=ac
log=event:Linux-Polkit_Authentication_Operator_Successful type:login

NEXT

id=15400
name=This Linux system's Automatic Bug Reporting Tool has detected the sending of an email.
match=en
match=an
match=Se
match=il
match=ail
match=in
regex=(?:abrt-server|abrtd): Sending an email
log=event:Linux-ABRT_Email_Sending type:system

NEXT

id=15401
name=This Linux system's Automatic Bug Reporting Tool has detected an email being sent to an account.
match=en
match=as
match=to
match=il
match=ent
match=ail
regex=(?:abrt-server|abrtd): Email was sent to:
log=event:Linux-ABRT_Email_Sent type:system

NEXT

id=15402
name=This Linux system's Automatic Bug Reporting Tool has detected a duplicate UUID.
match=ic
match=at
regex=(?:abrt-server|abrtd): Duplicate: UUID
log=event:Linux-ABRT_UUID_Duplicate_Detected type:system

NEXT

id=15403
name=This Linux system's Automatic Bug Reporting Tool has detected a new problem directory (processing).
match=in
match=re
match=or
match=ect
match=ire
match=ing
regex=(?:abrt-server|abrtd): New problem directory
log=event:Linux-ABRT_Directory_Problem_New type:system

NEXT

id=15404
name=This Linux system's Automatic Bug Reporting Tool has detected that a problem directory is a duplicate.
match=at
match=re
match=or
match=ect
match=ire
match=ic
regex=(?:abrt-server|abrtd): Problem directory is a duplicate of
log=event:Linux-ABRT_Directory_Problem_Duplicate type:system

NEXT

id=15405
name=This Linux system's Automatic Bug Reporting Tool has detected a missing file or directory.
match=an
match=en
match=re
match=to
match=or
match=ire
match=No such file or directory
regex=(?:abrt-server|abrtd): Can't open file
log=event:Linux-ABRT_Directory_Or_File_Missing type:system

NEXT

id=15406
name=This Linux system's Automatic Bug Reporting Tool has detected the creation of a directory.
match=at
match=ti
match=re
match=ire
match=ect
match=tion
match=creation detected
regex=(?:abrt-server|abrtd): Directory
log=event:Linux-ABRT_Directory_Creation type:system

NEXT

id=15407
name=This Linux system's Automatic Bug Reporting Tool has detected an executable that does not belong to any package.
match=to
match=an
match=lo
match=ecu
match=doesn't belong to any package
regex=(?:abrt-server|abrtd): Executable 
log=event:Linux-ABRT_Executable_ type:system

NEXT

id=15408
name=This Linux system's Automatic Bug Reporting Tool has detected a 'post-create' handler exit.
match=at
match=ed
match=st
match=re
match=exited
regex=(?:abrt-server|abrtd): 'post-create' on
log=event:Linux-ABRT_Post-create_Exit type:system

NEXT

id=15409
name=This Linux system's Automatic Bug Reporting Tool has detected, and is deleting, a corrupted or bad directory.
match=to
match=or
match=re
match=ire
match=pt
match=rr
regex=(?:abrt-server|abrtd): Corrupted or bad directory
log=event:Linux-ABRT_Corrupt_Bad_Directory type:system

NEXT

id=15410
name=This Linux system's Automatic Bug Reporting Tool has detected a new client connection.
match=nn
match=ed
match=ent
match=ect
match=en
regex=(?:abrt-server|abrtd): New client connected
log=event:Linux-ABRT_Client_Connected_New type:system

NEXT

id=15411
name=This Linux system has detected an I/O error.
match=er
match=st
match=en
match=rr
match=to
match=est
match=end_request: I/O error 
log=event:Linux-IO_Error type:error

NEXT

id=15412
name=This Linux system has detected a buffer I/O error on a device.
match=ic
match=er
match=or
match=rr
match=cal
match=log
match=Buffer I/O error on device 
log=event:Linux-IO_Error_Buffer type:error

NEXT

id=11404
name=The network time protocol is listening for interface updates.
match=tp
match=ntpd[
match=ntp
match=face
match=socket
match=update
match=Listening on routing socket on
log=event:Linux-Network_Time_Listen_Socket type:system

NEXT

id=11405
name=The network time protocol daemon is listening normally on an interface.
match=tp
match=ntpd[
match=ntp
match=mal
match=Li
match=lly
match=on
match=Listen normally on
regex=Listen normally on \d+ \S+ ([a-fA-F0-9.:]+)
log=event:Linux-Network_Time_Listen_Normal type:system srcip:$1

NEXT

id=11406
name=The network time protocol is reporting on its I/O information.
match=tp
match=ntpd[
match=ntp
match=script
match=socket
match=max
match=ntp_io: estimated max descriptors
log=event:Linux-Network_Time_IO_Info type:system

NEXT

id=11407
name=The network time protocol has refreshed its peers.
match=tp
match=ntpd[
match=ntp
match=ee
match=res
match=peers refreshed
log=event:Linux-Network_Time_Peers_Refreshed type:system

NEXT

id=11408
name=The network time protocol is in Listen and Drop mode on an interface.
match=tp
match=ntpd[
match=ntp
match=on
match=and
match=drop
match=Listen and drop on
regex=on \d+ \S+ ([a-fA-F0-9.:]+)
log=event:Linux-Network_Time_Listen_Drop type:system srcip:$1

NEXT

id=11409
name=The network time protocol has reported on its protocol precision.
match=tp
match=ntpd[
match=ntp
match=proto
match=rec
match=usec
match=proto: precision =
log=event:Linux-Network_Time_Proto_Info type:system

NEXT

id=11410
name=The network time protocol has failed to bind to a wildcard address.
match=tp
match=ntpd[
match=ntp
match=bin
match=addr
match=unable
match=another process may be running
match=unable to bind to wildcard address
regex=wildcard address ([a-fA-F0-9.:]+)
log=event:Linux-Network_Time_Bind_Failed type:error srcip:$1

NEXT

id=11411
name=The network time protocol has found a new interface, and is waking up the resolver.
match=tp
match=ntpd[
match=ntp
match=interface
match=new
match=found
match=waking up resolver
match=new interface(s) found:
log=event:Linux-Network_Time_Interface_Found type:system

NEXT

id=11412
name=The network time protocol has deleted an interface.
match=tp
match=ntpd[
match=ntp
match=Deleting interface
match=secs
match=stats
match=drop
match=time
log=event:Linux-Network_Time_Interface_Delete type:system

NEXT

id=11413
name=The network time protocol has failed to bind, and cannot assign a requested address.
match=tp
match=ntpd[
match=ntp
match=bin
match=failed:
match=addr
match=Can
match=Cannot assign requested address
log=event:Linux-Network_Time_Bind_Failed type:error

NEXT

id=11414
name=The network time protocol daemon has failed to initialise an interface for an address.
match=tp
match=ntpd[
match=ntp
match=failed
match=init
match=addr
match=face
match=failed to init interface for address
log=event:Linux-Network_Time_Interface_Failed type:error

NEXT

id=11415
name=The network time protocol has failed to create a socket on an interface.
match=tp
match=ntpd[
match=ntp
match=socket
match=create
match=unable
match=to
match=unable to create socket on
log=event:Linux-Network_Time_Socket_Failed type:error

NEXT

id=11459
name=This Linux system logged that a group was successfully added.
match=group
match=groupadd
match=name=
match=]:
log=event:Linux-Group_Added type:system