alert always includes too many log entries


erik clark

Jan 20, 2022, 3:30:37 PM
to ossec-list
Using the auditd decoder (auditd-syscall), with the following rule file:

<group name="syslog,">
  <rule id="1111111" level="7">
    <decoded_as>auditd</decoded_as>
    <match>FOO</match>
  </rule>
</group>

ALWAYS gives me at least one additional audit entry in the alert.

This frequently pukes with rule 1003 (non-standard syslog message, size too large).

I want to match any message in audit.log that contains the (audit key) key=FOO, and absolutely nothing else.

Why am I getting at least 1 additional audit entry in this log, when it should only be the syscall entry?
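An added illustration, not code from the original post or from OSSEC: auditd writes several records per event (SYSCALL, CWD, PATH, PROCTITLE, ...) that share one msg=audit(timestamp:serial) identifier. The script below groups constructed audit.log lines by that serial; it assumes the decoder hands the rule the whole multi-record event (which is what the observed behaviour suggests), so a match on key=FOO in the SYSCALL record carries the sibling records into the same alert, and it shows how selecting only the SYSCALL record isolates the single entry the post asks for.

```python
import re

# Constructed sample audit.log records (not taken from the original post).
# Event 4242 has four records sharing one serial; only SYSCALL carries key="FOO".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1642696237.123:4242): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=1234 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="FOO"
type=CWD msg=audit(1642696237.123:4242): cwd="/root"
type=PATH msg=audit(1642696237.123:4242): item=0 name="/etc/shadow" inode=1310 mode=0100640 nametype=NORMAL
type=PROCTITLE msg=audit(1642696237.123:4242): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1642696240.456:4243): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=1235 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="BAR"
type=PATH msg=audit(1642696240.456:4243): item=0 name="/tmp" nametype=NORMAL
"""

# type=<RECORD> msg=audit(<epoch>.<ms>:<serial>): <key=value fields...>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)


def parse_records(text):
    """Yield (record_type, serial, body) for each well-formed audit record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield m.group('type'), m.group('serial'), m.group('body')


def group_events(text):
    """Group records by serial: serial -> [(record_type, body), ...] in log order."""
    events = {}
    for rtype, serial, body in parse_records(text):
        events.setdefault(serial, []).append((rtype, body))
    return events


def events_with_key(text, key):
    """Return {serial: [record types]} for every event whose SYSCALL record has key=<key>.

    This mirrors a decoder that reassembles the whole event before the rule runs:
    the match is made on one record, but the alert carries every record of the event.
    """
    wanted = 'key="%s"' % key
    out = {}
    for serial, records in group_events(text).items():
        if any(rtype == 'SYSCALL' and wanted in body for rtype, body in records):
            out[serial] = [rtype for rtype, _ in records]
    return out


def syscall_records_with_key(text, key):
    """Return only the SYSCALL record bodies carrying key=<key>: the single entry wanted."""
    wanted = 'key="%s"' % key
    return [body for rtype, _, body in parse_records(text)
            if rtype == 'SYSCALL' and wanted in body]
```

Running `events_with_key(SAMPLE_AUDIT_LOG, "FOO")` returns the FOO event with all four of its record types, while `syscall_records_with_key` returns just the one SYSCALL body.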