Hi!
I've found the following problems when parsing Linux events related to user creation/modification/deletion.
All the raw events are from the /var/log/secure log.
- Failing to add a user
Does not populate user.name/related.user, and the outcome is "success" when the command failed
Oct 11 09:10:48 plinode useradd[25494]: failed adding user 'aol', exit code: 4

- Deletion and modification of a user do not populate user.name/related.user
Oct 14 16:49:59 dlig userdel[1619336]: delete user 'jce'

Oct 19 12:54:40 plielk0 usermod[7730]: change user 'acris' expiration from '2001-01-01' to '2243-10-16'

There are other cases (when using the chage command). I'll prepare the raw logs and I'll open a new issue.
Thanks!
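
The field mapping the report asks for, sketched as an added example (not the integration's own pipeline code): a small Python parser for the three message shapes quoted above. It assumes ECS-style field names as used in the report, that `user.name` holds the account named in the message, and that the `event.category`/`event.type` values shown are the intended ones.

```python
import re

# Header as it appears in /var/log/secure: "Mon DD HH:MM:SS host proc[pid]: msg"
HEADER = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<proc>useradd|userdel|usermod)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (message pattern, event.type, event.outcome) for each shape in the report.
RULES = [
    (re.compile(r"^failed adding user '(?P<user>[^']+)', exit code: (?P<code>\d+)$"),
     ["user", "creation"], "failure"),
    (re.compile(r"^delete user '(?P<user>[^']+)'$"),
     ["user", "deletion"], "success"),
    (re.compile(r"^change user '(?P<user>[^']+)' expiration from "
                r"'(?P<old>[^']*)' to '(?P<new>[^']*)'$"),
     ["user", "change"], "success"),
]

def parse_secure_line(line):
    """Return an ECS-style dict, or None when the line is not recognised."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    for pattern, event_type, outcome in RULES:
        m = pattern.match(head["msg"])
        if not m:
            continue
        doc = {
            "host.hostname": head["host"],
            "process.name": head["proc"],
            "process.pid": int(head["pid"]),
            "event.category": ["iam"],
            "event.type": event_type,
            "event.outcome": outcome,
            "user.name": m["user"],
            "related.user": [m["user"]],
        }
        if "code" in m.groupdict():  # only the failed-useradd shape carries it
            doc["process.exit_code"] = int(m["code"])
        return doc
    return None  # unknown message: never default the outcome to "success"

SAMPLES = [  # the three raw events quoted in the report
    "Oct 11 09:10:48 plinode useradd[25494]: failed adding user 'aol', exit code: 4",
    "Oct 14 16:49:59 dlig userdel[1619336]: delete user 'jce'",
    "Oct 19 12:54:40 plielk0 usermod[7730]: change user 'acris' expiration from '2001-01-01' to '2243-10-16'",
]
```

Returning `None` for unmatched messages keeps a failed command from being indexed as a successful one, which is the behaviour the first item describes.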