# Copyright 2004-2014 Tenable Network Security # This library may only be used with the LCE server and may not # be used with other products or open source projects # # NAME: # Linux log parser # # DESCRIPTION: # This library is used to process logs from Linux systems. # # LAST UPDATE: $Date$ id=600 name=This Linux systems systemd has detected a service unit entering a failed state. match=ail match=ed match=er match=systemd match=failed match=ent match=entered failed state log=event:Linux-Systemd_Unit_Failed_State type:process NEXT id=601 name=This Linux systems systemd has detected a main process exit. match=ed match=ss match=in match=tem match=exited match=status match=main process exited log=event:Linux-Systemd_Main_Process_Exited type:process NEXT id=602 name=This Linux systems systemd has detected a service start. match=St match=tem match=ar match=ed match=systemd: Started log=event:Linux-Systemd_Service_Start type:process NEXT id=603 name=This Linux systems systemd-logind has removed a session. match=log match=st match=ion match=ss match=lo match=og match=tem match=systemd-logind: Removed session log=event:Linux-Systemd_Logind_Session_Removed type:system NEXT id=604 name=This Linux systems systemd-logind has created a new session for a user. match=in match=lo match=ss match=ser match=log match=ystem match=session match=systemd-logind: New session log=event:Linux-Systemd_Logind_Session_New type:system NEXT id=605 name=This Linux systems dbus-daemon has successfully activated a service. match=ti match=ed match=er match=ss match=at match=ser match=ystem match=Successfully activated service log=event:Linux-Dbus_Service_Activated_Successfully type:system NEXT id=606 name=This Linux systems fprintd (fingerprint authentication daemon) has failed. 
match=rr match=ed match=or match=le match=in match=IN match=ail match=error match=fprint init failed with error log=event:Linux-Fprintd_Failed type:process NEXT id=607 name=This Linux systems Gnome Display Manager PAM service has unlocked the login keyring. match=in match=ss match=ed match=lo match=ass match=log match=ing match=gkr-pam: unlocked login keyring log=event:Linux-GDM_Keyring_Login_Unlocked type:system NEXT id=608 name=This Linux systems Gnome Keyring Daemon has failed to initialize slot with master password. match=st match=or match=ss match=as match=ing match=er match=lo match=couldn't initialize slot with master password log=event:Linux-GDM_Slot_Initialization_Password_Failure type:error NEXT id=609 name=This Linux system has detected that rsyslog has been sent a HUP signal (HUP). match=or match=as match=lo match=in match=er match=log match=ed match=rsyslogd was HUPed log=event:Linux-Rsyslog_HUP type:process NEXT id=610 name=This Linux systems Automatic Bug Reporting Tool has generated a core backtrace. match=or match=re match=er match=at match=in match=ing regex=(?:abrt-server|abrtd): Generating core_backtrace log=event:Linux-ABRT_Core_Backtrace_Generated type:system NEXT id=611 name=This Linux systems Automatic Bug Reporting Tool has dectected a duplicate core backtrace. match=or match=re match=ce match=at match=ace regex=(?:abrt-server|abrtd): Duplicate: core backtrace log=event:Linux-ABRT_Core_Backtrace_Duplicate type:system NEXT id=612 name=This Linux systems Automatic Bug Reporting Tool has dectected a duplicate directory. match=DIR match=P match=UP regex=(?:abrt-server|abrtd): DUP_OF_DIR log=event:Linux-ABRT_Directory_Duplicate type:system NEXT id=613 name=This Linux systems Automatic Bug Reporting Tool is deleting a problem directory. 
match=le match=ect match=ire match=ti match=re match=ing match=or regex=(?:abrt-server|abrtd): Deleting problem directory log=event:Linux-ABRT_Directory_Delete type:system NEXT id=614 name=This Linux systems NetworkManager has detected an error requesting authorization. match=er match=rr match=an match=st match=or match=ing match=error match=error requesting auth match=NetworkManager log=event:Linux-NetworkManager_Auth_Error type:login-failure NEXT id=615 name=This Linux systems NetworkManager has reported a device state change. match=sta match=at match=an match=or match=in match=NetworkManager match=device state change log=event:Linux-NetworkManager_State_Change_Device type:system NEXT id=616 name=This Linux systems NetworkManager policy has been set as default. match=in match=or match=ol match=er match=ic match=]: match=as default for match=Policy set match=NetworkManager log=event:Linux-NetworkManager_Policy_Set type:system NEXT id=617 name=This Linux systems NetworkManager reported a successful device activation. match=or match=ion match=ed match=ic match=at match=ss match=ti match=Activation match=device activated match=NetworkManager log=event:Linux-NetworkManager_Activation_Device type:system NEXT id=618 name=This Linux systems NetworkManager has reported its state as CONNECTING. match=CONNECTING match=st match=or match=er match=at match=an match=stat match=!CONNECTED_GLOBAL match=!CONNECTED_LOCAL match=NetworkManager state is now log=event:Linux-NetworkManager_State_Connecting type:system NEXT id=619 name=This Linux systems NetworkManager has reported its state as CONNECTED_LOCAL. match=CONNECTED_LOCAL match=st match=or match=er match=at match=an match=stat match=!CONNECTED_GLOBAL match=!CONNECTING match=NetworkManager state is now log=event:Linux-NetworkManager_State_Connected_Local type:system NEXT id=620 name=This Linux systems NetworkManager has reported its state as CONNECTED_GLOBAL. 
match=CONNECTED_GLOBAL match=st match=or match=er match=at match=an match=stat match=!CONNECTED_LOCAL match=!CONNECTING match=NetworkManager state is now log=event:Linux-NetworkManager_State_Connected_Global type:system NEXT id=621 name=This Linux systems NetworkManager has reported a new ethernet device. match=in match=er match=ic match=ce match=an match=NetworkManager match=new Ethernet device log=event:Linux-NetworkManager_Device_Ethernet_New type:system NEXT id=622 name=This Linux systems NetworkManager is auto-activating a connection. match=in match=ion match=ect match=at match=er match=Auto-activating connection match=NetworkManager log=event:Linux-NetworkManager_Connection_Auto_Activating type:system NEXT id=1300 name=This Linux system has had a new user added. match=ser match=user match=useradd[ match=]: new user: name= match=, home=/ match=, shell=/ regex= name=([^,]+), log=event:Linux-User_Added type:system user:$1 NEXT id=1301 name=This Linux system had a group added. match=ser match=useradd[ match=user match=]: new group: name= log=event:Linux-Group_Added type:system NEXT id=1302 name=The user has been locked. match=]: match=ck match=ser match=usermod[ match=user match=pass match=]: lock user log=event:Linux-User_Locked type:system NEXT id=1303 name=The user has been unlocked. match=]: match=ck match=ser match=usermod[ match=user match=pass match=]: unlock user log=event:Linux-User_Unlocked type:system NEXT id=1304 name=The user's shell has been changed. match=]: match=ser match=ang match=usermod[ match=user match=shell match=]: change user log=event:Linux-User_Changed_Shell type:system NEXT id=1305 name=The user's UID has been changed. match=]: match=ser match=ang match=usermod[ match=user match=UID match=]: change user log=event:Linux-User_Changed type:system NEXT id=1306 name=This Linux system had a root login. 
match=lo match=log match= login[ match=OT match=]: ROOT LOGIN match=IN match=LO match=ROOT match=OOT regex=ROOT LOGIN (?:on|ON) \S+ log=event:Linux-Root_Login type:login NEXT id=1307 name=This Linux system had a password change. match=ss match=ass match= passwd[ match=pass match=]: password for ` match=ser match=ed match=' changed by user ` match=an match=user regex=passwd\[\d+\]: password for \S+ changed by user log=event:Linux-Password_Change type:system NEXT id=1308 name=This Linux system had an invalid login attempt with a bad password. match=lo match=log match=login[ match=ss match=ass match=]: invalid password for ` match=pass regex=login\[\d+\]: invalid password for \S+ log=event:Linux-Failed_Login type:login-failure NEXT id=1309 name=This Linux system had failed login. match=lo match=log match=login match=: FAILED LOGIN match=IN match=LO match= FOR match=FO match=ail match=ailure match=ent match=ion match=, Authentication failure match=uthentication log=event:Linux-Failed_Login type:login-failure NEXT id=1310 name=This Linux system had software installed via the dpkg package manager. match=sta match=le match=ed match= status installed match=nstall match=status regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] status installed log=event:Linux-DPKG_Software_Installed type:system NEXT id=1311 name=This Linux system had software removed via dpkg package manager. match=rem match= remove regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] remove log=event:Linux-DPKG_Software_Removed type:system NEXT id=1312 name=This Linux system had an rpc.statd exploit attempt. match=AT match=Oct 27 13:27:54 igunda rpc.statd[353]: POSSIBLE SPOOF/ATTACK ATTEMPT! match= rpc.statd[ match=MP match=]: POSSIBLE SPOOF/ATTACK ATTEMPT! match=ATTACK log=event:Linux-RPC_Statd_Exploit type:intrusion dstport:111 NEXT id=1313 name=This Linux system had a mountd export request. 
match=xport match=est match=request match=rom match=rpc.mountd: export request from regex=rpc\.mountd: export request from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Linux-RPC_Mountd_Export_Request srcip:$1 type:connection NEXT id=1314 name=This Linux system had a remote pam_unix authentication failure. match=pam_unix match=ailure match=ho match= authentication failure; match=authentication failure; match=uthentication match=io match=fa match=at match=un match=he match=on match=ent match=auth match=re match=user match=se match=ser match=host match=ca match=nt match=en match=ai match=ic match=cat match=nti match=use match=au match=ur match=log match=er match=ut match=fail match=failure match=st match=ion regex= rhost=([^ $]{1,100}) log= event:Linux-PAM_Remote_Auth_Failure type:login-failure srcip:$1 NEXT id=1315 name=This Linux system had a local pam_unix authentication failure. match=ailure match=ho match=lo match= rhost= match=ame match=io match=ser match=at match=uth match=ail match=he match= authentication failure; match=authentication failure; match=uthentication match=on match=log match=ent match=tion match=auth match=ty match=pam_unix match=re match=host match=ca match=nt match=en match=na match=failure match=ai match=ic match=cat match=user match=nti match=use match=og match=fail match=st match=ion match=name regex= rhost=\s+user=([^ $]{1,100}) log=event:Linux-PAM_Local_Auth type:login-failure NEXT id=1316 name=This Linux system had promiscuous mode enabled. This means a sniffer is now active. match=kernel match=rom match=romiscuous match=le match=ed match=: Promiscuous mode enabled. log=event:Linux-Promiscuous_Mode_Enabled type:system NEXT id=1317 name=This Linux system had promiscuous mode enabled. This means a sniffer is now active. match=kernel match=rom match=romiscuous match=ent match=ed match= entered promiscuous mode log=event:Linux-Promiscuous_Mode_Enabled type:system NEXT id=1318 name=This Linux system had a group account added. 
match=ser match=user match= useradd[ match=ed match=]: account added to group - account= match=acc log=event:Linux-Group_Added type:system NEXT id=1319 name=This Linux system had an account added which already existed. match=ser match=user match= useradd[ match=]: account already exists - account= match=acc log=event:Linux-User_Exists type:error NEXT id=1320 name=This Linux system had an account added. match=ser match=user match= useradd[ match=ed match=]: new account added - account= match=acc regex= account=([^,]+), log=event:Linux-User_Added type:system user:$1 NEXT id=1321 name=This Linux system had an account removed from a group. match=rom match=ed match=]: account removed from group - account= match=acc match=rem match=, group= match=, gid= match=, by= log=event:Linux-User_Removed_From_Group type:system NEXT id=1322 name=This Linux system had an account deleted. match= shadow[ match=le match=ed match=]: account deleted match=acc match=- account= log=event:Linux-User_Deleted type:system NEXT id=1323 name=This Linux system had a user password changed. match=ss match=ass match= passwd[ match=pass match=ed match=]: password changed - account= match=acc match=an log=event:Linux-User_PW_Changed type:system NEXT id=1324 name=This Linux system had a password changed. match=ss match=ass match=passwd match=pass match=ed match=: password changed for match=an log=event:Linux-User_PW_Changed type:system NEXT id=1325 name=This Linux system had a user deleted. match=!from group match=!removed group match=ser match=userdel[ match=user match=le match=]: delete user log=event:Linux-User_Deleted type:system NEXT id=1326 name=This Linux system had a user added. match=ser match= adduser[ match=]: new user: name= match=user regex= name=([^,]+), log=event:Linux-User_Added type:system user:$1 NEXT id=1327 name=This Linux system had a group added. 
match=ser match= adduser[ match=]: new group: name= match=user log=event:Linux-Group_Added type:system NEXT id=1328 name=This Linux system is running SE Linux and had an AVC access granted. match=tem match=ystem match= avc: match=kernel match=kernel: audit( match=ed match=: avc: granted { match=an log=event:SELinux-AVC_granted sensor:$1 type:system NEXT id=1329 name=This Linux system is running SE Linux and had an AVC access denied. match=kernel match=tem match=ystem match=kernel: match= avc: match=ed match=: avc: denied { log=event:SELinux-AVC_denied sensor:$1 type:access-denied NEXT id=1331 name=This Linux system is out of memory. match=kernel match=ce match=ss match=ut match=cr match=kernel: Out of memory: Kill log=event:Linux-Out_Of_Memory type:error NEXT id=1332 name=This Linux system had a local named cache hit denied. match=ed match=named[ match=ent match=]: client match=client match=: query (cache) denied regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Named-Cache_Denied srcip:$1 type:access-denied NEXT id=1333 name=This Linux system had named configuration failure. match=ed match= named[ match=ail match=lo match=ion match=ing match=]: loading configuration: failure match=ailure log=event:Named-Configuration_Failure type:error NEXT id=1334 name=This Linux system is running SELinux and it has prevented a system process from accessing a resource. match=SE match=SELinux match=ent match=ing match=is preventing match=le match=. For complete log=event:SELinux-Action_Prevention type:access-denied NEXT id=1335 name=This Linux system is out of memory. match=kernel match=ce match=le match=ed match=ss match=kernel: Out of Memory: Killed process log=event:Linux-Out_Of_Memory type:error NEXT id=1336 name=This Linux system has logged an error with the CD-ROM drive. match=kernel match=rom match= cdrom_pc_intr: log=event:Linux-CDROM_Error type:error NEXT id=1337 name=This Linux server has logged a connection to a service being hosted by the xinetd daemon. 
match= xinetd[ match=RT match= START: match=ST match=rom match= from= match=from regex= from(?:=|=::ffff:)([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Linux-Xinetd_Connection type:connection srcip:$1 NEXT id=1338 name=The Yum application manager has installed a system package. match=yum match=sta match=le match=ed match= Installed: match=nstall log=event:Linux-Yum_Installation type:system NEXT id=1339 name=This Linux operating system has recently rebooted. The matched syslog message indicating the kernel type is only displayed during the boot process. match=io match=on match=ersion match=ver match=kern match=er match=ve match=version match=kernel match=ion match=kernel: Linux version 2. log=event:Linux-System_Start type:restart NEXT id=1340 name=The Yum application manager has installed updated a system package. match=yum match=ate match=ed match= Updated: match=date log=event:Linux-Yum_Updated type:system NEXT id=1341 name=The Yum application manager has erased a system package match=yum match=ed match= Erased: log=event:Linux-Yum_Erased type:system NEXT id=1342 name=The Up2date application successfully authenticated to an up2date server. This means that a Red Hat server was able to connect to a server to receive an update. match=ate match=] up2date match=date match=ent match=ion match=uthentication match=ce match=ed match=ss match= successfully retrieved authentication token log=event:Linux-Up2date_Authenticated type:system NEXT id=1343 name=The Up2date application failed to connect to an up2date server. This could mean that the Red Hat server is not configured correctly, or has network connectivity issues. match=ate match=] up2date match=date match=ser match=rr match=ing match= Error communicating with server log=event:Linux-Up2date_Connection_Failure type:error NEXT id=1344 name=The Up2date application registered the system. This is part of the process of receiving system updates from Red Hat. 
match=ate match=] up2date match=date match=tem match=ed match= Registered system. match=ystem log=event:Linux-Up2date_Registered_System type:system NEXT id=1345 name=The Up2date application added packages to the package profile. Software was added to the Red Hat server. match=ate match=] up2date match=date match=ack match=ing match=le match= Adding packages to package profile log=event:Linux-Up2date_Package_Additions type:system NEXT id=1346 name=The Up2date application removed packages from the package profile. Software was removed from the Red Hat server. match=ate match=] up2date match=date match=rom match=ack match=ing match=le match= Removing packages from package profile log=event:Linux-Up2date_Package_Deletions type:system NEXT id=1347 name=The Up2date application was unable to activate installation. This could mean that the Red Hat server is not configured correctly, or has network connectivity issues. match=ate match=] up2date match=date match=sta match=rr match=ion match=ing match=le match= There was an error while activating the installation match=an match=nstall log=event:Linux-Up2date_Activation_Failure type:error NEXT id=1348 name=The Up2date application passed invalid credentials. This could mean that a Red Hat server's maintenance has expired. # Please note, no initial up2date token in this up2date log record match=rr match=ss match=ass match=Error Class Info match=ent match=tem match=ed match=Invalid System Credentials match=ystem log=event:Linux-Up2date_Invalid_Credentials type:error NEXT id=1349 name=The network time protocol has synchronized to a network time source. match=tp match=ntpd[ match=ntp match=ed match= synchronized to match= stratum match=! LOCAL regex=synchronized to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), log=event:Linux-Network_Time_Update type:system dstip:$1 NEXT id=1350 name=This Linux system had promiscuous mode disabled. This means a sniffer is now deactivated. 
match=kernel match=rom match=romiscuous match=le match= left promiscuous mode log=event:Linux-Promiscuous_Mode_Disabled type:system NEXT id=1351 name=This Linux system had a user removed from a group. match=!removed group match=rom match=from group match=ser match=userdel[ match=user match=le match=]: delete ` log=event:Linux-User_Removed_From_Group type:system NEXT id=1352 name=This Linux system had a group removed. match=ser match=userdel[ match=user match=ed match=]: removed group match=rem match=owned by log=event:Linux-Group_Removed type:system NEXT id=1353 name=This Linux system had a system administrator run the gpasswd command to perform a bulk change of users. match=ss match=ass match=pass match=gpasswd[ log=event:Linux-Group_Passwd_Change type:system NEXT id=1354 name=The ntpd is shutting down. match=tp match=ntp match=ntpd[ match=ing match=ntpd exiting on signal 15 match=signal log=event:Linux-Network_Time_Daemon_Shutdown type:process NEXT id=1355 name=The ntpd is starting up. match=tp match=ntp match=ntpd[ match= ntpd regex=ntpd\[([0-9]+)\]\: ntpd [0-9]\.[0-9].*20[0-9][0-9] log=event:Linux-Network_Time_Daemon_Version type:system NEXT id=1356 name=This Linux system has logged a segfault from a running process. match=kernel match=segfault at log=event:Linux-Segfault_Detected type:process NEXT id=1357 name=The ntp daemon cannot open the temporary drift file. match=tp match=ntp match=ntpd[ match=ion match=ed match=ss match=can't open /etc/ntp/drift.TEMP: Permission denied match=an match=MP log=event:Linux-Network_Time_Permission_Denied type:error NEXT id=1358 name=This Linux system had promiscuous mode enabled. This means a sniffer is now active. match=ce match= device match=ent match=rom match=ed match= entered promiscuous mode log=event:Linux-Promiscuous_Mode_Enabled type:system NEXT id=1359 name=This Linux system had promiscuous mode disabled. This means a sniffer is now deactivated. 
match=ce match= device match=rom match=romiscuous match=le match= left promiscuous mode log=event:Linux-Promiscuous_Mode_Disabled type:system NEXT id=1360 name=This system had multiple SUDO login attempts. match=sudo: match=tem match=rr match=ss match=ass match=pt match=incorrect password attempts match=ect match=pass match=USER match=SE match=ER match=; USER= match=; PWD= match=; COMMAND= log=event:Linux-Multiple_SUDO_Failures type:login-failure NEXT id=1361 name=The network time protocol has synchronized to a local network time source. match=tp match=ntp match=AL match=ntpd[ match=ed match= synchronized to match= stratum match= LOCAL match=LO log=event:Linux-Network_Time_Local_Update type:system NEXT id=1362 name=This Linux system had a user removed. match=ser match=userdel[ match=user match=le match=ed match=]: account deleted - account= match=acc log=event:Linux-User_Account_Removed type:system NEXT id=1363 name=This Linux system is running SELinux and it has been disabled. match= avc: match=ce match=ed match= received setenforce notice match=ing match= (enforcing=0) log=event:SELinux-Disabled type:system NEXT id=1364 name=This Linux system is running SELinux and it has been enabled. match= avc: match=ce match=ed match= received setenforce notice match=ing match= (enforcing=1) log=event:SELinux-Enabled type:system NEXT id=1365 name=This Linux system is running the xinetd service. match= xinetd[ match=ion match= xinetd Version match=sta match=ar match=ed match= started with match=start log=event:Linux-Xinetd type:restart NEXT id=1366 name=This Linux server has finished a connection to a service being hosted by the xinetd daemon. match= xinetd[ match= EXIT: match=sta match= status= match=status match= pid= match=ion match= duration= log=event:Linux-Xinetd_Connection_Finished type:connection NEXT id=1367 name=This Linux server had a command issued by root. 
match=ser match=User 'root' match=User match=an match=ecu match=ed match= executed command match=!parent process match=ce match=ss match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, match=ommand log=event:Linux-Command_Issued_By_Root type:process NEXT id=1368 name=This Linux server had commands issued by a superuser not named root. match=!User 'root' match=ecu match=ed match= executed command match=ommand match=an match=!parent process match=ce match=ss match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, match=ser match=le match= Superuser priveleges were used. log=event:Linux-Command_Issued_By_SuperUser type:process NEXT id=1369 name=This Linux server had commands issued by a non-root user. match=!User 'root' match=ecu match=ed match= executed command match=ommand match=an match=!parent process match=!Superuser priveleges were used. match=ce match=ss match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, log=event:Linux-User_Issued_Command type:process NEXT id=1370 name=This Linux system had software configured via the dpkg package manager. match=sta match=status match=le match= status config-files regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] status config-files log=event:Linux-DPKG_Software_Configured type:system NEXT id=1371 name=The network time protocol has synchronized to a network time source. match=tp match=ntp match=ntpd[ match=: time reset log=event:Linux-Network_Time_Reset type:system NEXT id=1372 name=This Linux server had a Small Footprint CIM Broker error accepting an SSL connection. 
match=SSL match=ion match=onnection match=onnect match=ect match=sfcb[ match=rr match=ing match=ce match=pt match= Error accepting SSL match=acc match=connection -- exiting log=event:Linux-SFCB_SSL_Connection_Error type:error NEXT id=1373 name=This Linux server had commands issued by a superuser not named root. match=!User 'root' match=ecu match=ed match= executed command match=ommand match=an match=ent match=ar match=ce match=ss match= parent process match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, match=ser match=le match= Superuser priveleges were used. log=event:Linux-Command_Issued_By_SuperUser_With_ParentID type:process NEXT id=1374 name=This Linux server had commands issued by a non-root user. match=!User 'root' match=ecu match=ed match= executed command match=ommand match=an match=ent match=ar match=ce match=ss match= parent process match=!Superuser priveleges were used. match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, log=event:Linux-User_Issued_Command_With_ParentID type:process NEXT id=1375 name=This Linux server had a command issued by root. match=ser match=User 'root' match=User match=ecu match=ed match= executed command match=ommand match=an match=ent match=ar match=ce match=ss match= parent process match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, log=event:Linux-Command_Issued_By_Root_With_ParentID type:process NEXT id=1376 name=A process exited abnormally. match=exited abnormally match= ALER match=ER match=: match= [ match=RT match=ed match=ALERT match=AL log=event:Linux-Command_Exited_Abnormally type:process NEXT id=1377 name=A user attempted to authenticate but the account was unknown to the local system. 
match=error retrieving information about user match=succ match=if match=nformation match=io match= user match=se match=ser match=at match=form match=on match=tion match=rror match=fo match=ing match=ed match=ret match=ab match=su match=ou match=in match=vi match=user match=rr match=ce match=error match=ti match=use match=info match=for match=ma match=er match=pam_succeed_if match=ut match=ion match=rm log=event:Linux-PAM_Unknown_User type:login-failure NEXT id=1378 name=This Linux PAM system had a user start a session. match=sess match=io match= user match=ser match=se match=un match=for match=on match=fo match=pam_unix match=ed match=ss match=ess match=session match=session opened for user match=en match=for user match=by match=or match=user match=use match=ses match=for match=opened match=er match=ned match=ion match=user match=op regex=session opened for user ([^\ ]{1,40}) log=event:Linux-PAM_Session_Opened type:login user:$1 NEXT id=1379 name=The Linux PAM system had a session close. match=sess match=lo match=io match= user match=se match=ser match=un match=for match=on match=fo match=pam_unix match=ed match=ess match=ss match=for user match=or match=session closed match=user match=use match=ses match=for match=er match=session match=sed match=session closed for user match=ion regex=session closed for user ([^\ ]{2,25}) log=event:Linux-PAM_Session_Closed type:logout user:$1 # id=1380 free NEXT id=1382 name=This Linux system has a session started for argus. match=argus[ match=gu match=argus match=ar match=st match=started log=event:Linux-Argus_Started type:process NEXT id=1383 name=This Linux system has issued an argus interface status. match=argus[ match=gu match=argus match=ar match=Get match=te match=fa match=St match=at match=ArgusGetInterfaceStatus: log=event:Linux-Argus_Interface_Status type:process NEXT id=1384 name=This Linux system has issued a cron command. 
match=!audit match=CRON[ match=CRON match=CR match=CMD log=event:Linux-CRON_CMD type:system NEXT id=1385 name=This Linux system has issued a cron command. match=!audit match=CROND[ match=CRON match=CR match=CMD log=event:Linux-CRON_CMD type:system NEXT id=1386 name=This Linux system had a user fail authentication. match=uthentication match=io match=fa match=at match=pam_krb match=pam_krb5 match=authentication fails for match=th match=uth match=ail match=he match=ent match=tion match=auth match=fo match=ca match=nt match=or match=ai match=ic match=cat match=il match=ti match=au match=for match=ut match=fail match=ion regex=authentication fails for '([^ ]{2,25})' log=event:Linux-PAM-KRB5_Authentication_Failure type:login-failure NEXT id=1387 name=This Linux system had a user authenticate. match=uthentication match=authentication succeeds for match=succ match=io match=at match=pam_krb match=pam_krb5 match=th match=uth match=he match=cc match=ent match=tion match=auth match=fo match=ed match=ca match=nt match=en match=ic match=cat match=nti match=ce match=ti match=for match=ut match=ion regex=authentication succeeds for '([^ ]{2,25})' log=event:Linux-PAM-KRB5_Authentication_Succeeds type:login user:$1 NEXT id=1388 name=This Linux system had an error reading keytab. match=error match=or match=rr match=rror match=ing match=pam_krb match=pam_krb5 match=error reading keytab log=event:Linux-Error_Reading_Keytab type:error NEXT id=1389 name=This Linux systems NetworkManager has reported a DHCP state change. match=sta match=an match=or match=in match=NetworkManager match=DHCPv4 state changed log=event:Linux-NetworkManager_State_Change_DHCP type:system NEXT id=1390 name=The network time protocol has had its time sync staus changed. match=tp match=ntp match=ntpd[ match=time sync status change log=event:Linux-Network_Time_Status_Change type:system NEXT id=1391 name=The Linux system had an invalid query packet from the avahi daemon. 
match=avahi-daemon match=Invalid query packet match=er match=packet match=pac match=ack match=daemon log=event:Linux-Avahi_Invalid_Query type:system NEXT id=1392 name=The Linux system had an invalid response packet from the host. match=avahi-daemon match=Invalid response packet match=packet match=pac match=ack match=daemon regex=host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Linux-Avahi_Invalid_Response type:system srcip:$1 NEXT id=1393 name=The Linux PAM system encountered an unknown user. match=check pass; user unknown match=no match=as match= user match=se match=ser match=un match=nknown match=he match=own match=pam_unix match=ass match=ss match=pass match=wn match=ch match=user match=check pass; user match=now match=use match=ck match=er match=unknown match=user log=event:Linux-PAM_User_Unknown type:login-failure NEXT id=1394 name=This Linux system has refused a mount point. match=est match=request match=rom match=ed match=rpc.mountd: refused mount request from regex=rpc\.mountd: refused mount request from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) for log=event:Linux-Failed_NFS_Mount type:access-denied srcip:$1 NEXT id=1395 name=This Linux system had a failed password attempt logged. match=as match=fa match= user match=un match=ail match=he match=pw match=ed match=ss match=for user match=failed match=or match=ch match=ai match=user match=il match=ailed match=use match=ck match=ile match=for match=password match=er match= failed match=rd match=fail match=failed for user match=unix_chkpwd log=event:Linux-Password_Check_Failed type:login-failure NEXT id=1396 name=Telnet user has access denied due to terminal not being secure. match=login: match=pam match=tt match=secure match=access match=ss match=denied match=ed match=access denied match=is match=not match=is not secure log=event:Linux-Telnet_Login_Not_Secure type:login-failure NEXT id=1397 name=A login failure due to a requirement not being met. 
match=pam match=requirement match=cc match=succeed match="uid >= 1000" match=not met by user match=user match=er match=ed regex=not met by user "([^\ ]{1,25})" log=event:Linux-Login_Failure type:login-failure NEXT id=1398 name=This Linux system has issued a cron command. match=!audit match=crond[ match=cron match=cr match=CMD log=event:Linux-CRON_CMD type:system NEXT id=1399 name=This Linux system has saved a core dump from a crashing process. match=id match=core d match=ed match=re match=co match=ab match=rt match= pid match= abrt[ log=event:Linux-Process_Core_Dump_Saved type:process NEXT id=11400 name=This Linux systems Policy Kit has had an operator of a session fail to authenticate. match=polkitd match=pol match=kit match=FAILED to authenticate to gain authorization for action match=FA match=ED match=to match=au match=ate match=ai match=ion match=ac log=event:Linux-Polkit_Autentication_Operator_Failed type:login-failure NEXT id=11401 name=This Linux systems Policy Kit has Registered Authentication Agent for session. match=polkitd match=pol match=kit match=Registered Authentication Agent for match=Re match=ed match=Au match=ion match=or match=ss match=se match=st log=event:Linux-Polkit_Authentication_Agent_Registered type:login NEXT id=11402 name=This Linux systems Policy Kit has unregistered an Authentication Agent for a session. match=polkitd match=pol match=kit match=Unregistered Authentication Agent for session match=Un match=ed match=Au match=ion match=or match=ss match=se match=st log=event:Linux-Polkit_Authentication_Agent_Unregistered type:system NEXT id=11403 name=This Linux systems Policy Kit has had an operator of a session successfully authenticate. 
match=polkitd match=pol match=kit match=successfully authenticated as match=ll match=Oper match=to match=au match=ate match=ai match=ion match=ac log=event:Linux-Polkit_Authentication_Operator_Successful type:login NEXT id=15400 name=This Linux systems Automatic Bug Reporting Tool has detected the sending of an email. match=en match=an match=Se match=il match=ail match=in regex=(?:abrt-server|abrtd): Sending an email log=event:Linux-ABRT_Email_Sending type:system NEXT id=15401 name=This Linux systems Automatic Bug Reporting Tool has detected an email being sent to an account. match=en match=as match=to match=il match=ent match=ail regex=(?:abrt-server|abrtd): Email was sent to: log=event:Linux-ABRT_Email_Sent type:system NEXT id=15402 name=This Linux systems Automatic Bug Reporting Tool has detected a duplicate UUID. match=ic match=at regex=(?:abrt-server|abrtd): Duplicate: UUID log=event:Linux-ABRT_UUID_Duplicate_Detected type:system NEXT id=15403 name=This Linux systems Automatic Bug Reporting Tool has detected a new problem directory (processing). match=in match=re match=or match=ect match=ire match=ing regex=(?:abrt-server|abrtd): New problem directory log=event:Linux-ABRT_Directory_Problem_New type:system NEXT id=15404 name=This Linux systems Automatic Bug Reporting Tool has detected that the problem directory is a duplicate. match=at match=re match=or match=ect match=ire match=ic regex=(?:abrt-server|abrtd): Problem directory is a duplicate of log=event:Linux-ABRT_Directory_Problem_Duplicate type:system NEXT id=15405 name=This Linux systems Automatic Bug Reporting Tool has detected a missing file or directory. match=an match=en match=re match=to match=or match=ire match=No such file or directory regex=(?:abrt-server|abrtd): Can't open file log=event:Linux-ABRT_Directory_Or_File_Missing type:system NEXT id=15406 name=This Linux systems Automatic Bug Reporting Tool has detected the creation of a directory. 
match=at match=ti match=re match=ire match=ect match=tion match=creation detected regex=(?:abrt-server|abrtd): Directory log=event:Linux-ABRT_Directory_Creation type:system NEXT id=15407 name=This Linux systems Automatic Bug Reporting Tool has detected an executable that doesn't belong to any package. match=to match=an match=lo match=ecu match=doesn't belong to any package regex=(?:abrt-server|abrtd): Executable log=event:Linux-ABRT_Executable_ type:system NEXT id=15408 name=This Linux systems Automatic Bug Reporting Tool has detected a post-create exit. match=at match=ed match=st match=re match=exited regex=(?:abrt-server|abrtd): 'post-create' on log=event:Linux-ABRT_Post-create_Exit type:system NEXT id=15409 name=This Linux systems Automatic Bug Reporting Tool has detected a corrupted or bad directory. Deleting. match=to match=or match=re match=ire match=pt match=rr regex=(?:abrt-server|abrtd): Corrupted or bad directory log=event:Linux-ABRT_Corrupt_Bad_Directory type:system NEXT id=15410 name=This Linux systems Automatic Bug Reporting Tool has detected a new client connection. match=nn match=ed match=ent match=ect match=en regex=(?:abrt-server|abrtd): New client connected log=event:Linux-ABRT_Client_Connected_New type:system NEXT id=15411 name=This Linux system has detected an I/O error. match=er match=st match=en match=rr match=to match=est match=end_request: I/O error log=event:Linux-IO_Error type:error NEXT id=15412 name=This Linux system has detected a Buffer I/O error. match=ic match=er match=or match=rr match=cal match=log match=Buffer I/O error on device log=event:Linux-IO_Error_Buffer type:error NEXT id=11404 name=The network time protocol is listening for interface updates. match=tp match=ntpd[ match=ntp match=face match=socket match=update match=Listening on routing socket on log=event:Linux-Network_Time_Listen_Socket type:system NEXT id=11405 name=The network time protocol is listening normally on an interface. 
match=tp match=ntpd[ match=ntp match=mal match=Li match=lly match=on match=Listen normally on regex=Listen normally on \d+ \S+ ([a-fA-F0-9.:]+) log=event:Linux-Network_Time_Listen_Normal type:system srcip:$1 NEXT id=11406 name=The network time protocol is reporting on its I/O information. match=tp match=ntpd[ match=ntp match=script match=socket match=max match=ntp_io: estimated max descriptors log=event:Linux-Network_Time_IO_Info type:system NEXT id=11407 name=The network time protocol has refreshed its peers. match=tp match=ntpd[ match=ntp match=ee match=res match=peers refreshed log=event:Linux-Network_Time_Peers_Refreshed type:system NEXT id=11408 name=The network time protocol is in Listen and Drop mode on an interface. match=tp match=ntpd[ match=ntp match=on match=and match=drop match=Listen and drop on regex=on \d+ \S+ ([a-fA-F0-9.:]+) log=event:Linux-Network_Time_Listen_Drop type:system srcip:$1 NEXT id=11409 name=The network time protocol has reported on its protocol precision. match=tp match=ntpd[ match=ntp match=proto match=rec match=usec match=proto: precision = log=event:Linux-Network_Time_Proto_Info type:system NEXT id=11410 name=The network time protocol has failed to bind to a wildcard address. match=tp match=ntpd[ match=ntp match=bin match=addr match=unable match=another process may be running match=unable to bind to wildcard address regex=wildcard address ([a-fA-F0-9.:]+) log=event:Linux-Network_Time_Bind_Failed type:error srcip:$1 NEXT id=11411 name=The network time protocol has found a new interface, and is waking up the resolver. match=tp match=ntpd[ match=ntp match=interface match=new match=found match=waking up resolver match=new interface(s) found: log=event:Linux-Network_Time_Interface_Found type:system NEXT id=11412 name=The network time protocol has deleted an interface. 
match=tp match=ntpd[ match=ntp match=Deleting interface match=secs match=stats match=drop match=time log=event:Linux-Network_Time_Interface_Delete type:system NEXT id=11413 name=The network time protocol has failed to bind, and cannot assign a requested address. match=tp match=ntpd[ match=ntp match=bin match=failed: match=addr match=Can match=Cannot assign requested address log=event:Linux-Network_Time_Bind_Failed type:error NEXT id=11414 name=The network time protocol has failed to init an interface for an address. match=tp match=ntpd[ match=ntp match=failed match=init match=addr match=face match=failed to init interface for address log=event:Linux-Network_Time_Interface_Failed type:error NEXT id=11415 name=The network time protocol has failed to create a socket on an interface. match=tp match=ntpd[ match=ntp match=socket match=create match=unable match=to match=unable to create socket on log=event:Linux-Network_Time_Socket_Failed type:error NEXT id=11459 name=This Linux system logged that a group was successfully added. match=group match=groupadd match=name= match=]: log=event:Linux-Group_Added type:system