While the SSH log messages tell me that root logged in, the app shows unknown.

Looks like the ID field is not taken into account by this:

```
[|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes] type=USER_LOGIN | eval account=coalesce(acct,user) | table _time host terminal account src action
```

The USER_LOGIN audit record has neither user nor account set, but I see some default user=unknown in the fields for this event.

Probably the logic should include the ID field as shown by this event:

Jun 8 20:31:29 bsul0903 audispd: type=USER_LOGIN msg=audit(1623177089.054:532049): pid=1526 uid=0 auid=0 ses=6582 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=testbox addr=10.42.42.42 terminal=ssh res=success' UID="root" AUID="root" **ID="root"**
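The account resolution the issue asks for, as an added example that is not part of the original report and not the app's own code: it parses the quoted USER_LOGIN event, including the nested `msg='...'` payload, and picks the login name from `acct`, `user`, `ID`, then the numeric `id`, skipping placeholder values such as `unknown`. The function names, the placeholder set and the precedence order are assumptions made for illustration.

```python
import re

# Constructed from the USER_LOGIN event quoted in the issue (bold markers removed).
SAMPLE = ("Jun 8 20:31:29 bsul0903 audispd: type=USER_LOGIN "
          "msg=audit(1623177089.054:532049): pid=1526 uid=0 auid=0 ses=6582 "
          "msg='op=login id=0 exe=\"/usr/sbin/sshd\" hostname=testbox "
          "addr=10.42.42.42 terminal=ssh res=success' "
          "UID=\"root\" AUID=\"root\" ID=\"root\"")

# key=value pairs; the value is either "double quoted" or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The single-quoted inner payload that carries op, id, addr, terminal, res.
INNER = re.compile(r"msg='([^']*)'")
# Assumed set of values that mean "no name available".
PLACEHOLDERS = {"", "unknown", "(unknown)", "?", "(null)"}


def parse_audit(line):
    """Flatten outer and inner key=value pairs; keys stay case-sensitive,
    so the numeric id and the translated ID are kept as separate fields."""
    inner = INNER.search(line)
    if inner is None:
        parts = (line,)
    else:
        # Parse the outer record without the payload, then the payload itself.
        parts = (line[:inner.start()] + line[inner.end():], inner.group(1))
    fields = {}
    for text in parts:
        for key, quoted, bare in KV.findall(text):
            fields[key] = quoted if bare == "" else bare
    return fields


def resolve_account(fields):
    """First usable name among acct, user, ID; numeric id as a last resort."""
    for key in ("acct", "user", "ID", "id"):
        value = fields.get(key, "").strip()
        if value.lower() not in PLACEHOLDERS:
            return value
    return "unknown"


if __name__ == "__main__":
    event = parse_audit(SAMPLE)
    # Mirror the default user=unknown the reporter saw on this event.
    event.setdefault("user", "unknown")
    print(event["type"], event["terminal"], event["addr"], resolve_account(event))
```

A `coalesce(acct,user)` over the same fields stops at the `unknown` default, which is why the placeholder check comes before the fallback to `ID`.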