The system.auth data stream within the System integration does not map events to event.category and event.action, making it difficult to differentiate between process and authentication events. If we had them, it would make building security rules for logs from Linux systems easier, e.g. event.category:session AND event.action:logged-on AND threshold count > 10.
Examples:
Jun 9 08:34:42 hostname sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
event.category would be session; event.action would be logged-on
Jun 9 08:34:42 hostname sudo: pam_unix(sudo:session): session closed for user root
event.category would be session; event.action would be logged-off
Jun 9 08:34:42 hostname sudo: oracle-cloud-agent : TTY=unknown ; PWD=/var/lib/oracle-cloud-agent ; USER=root ; COMMAND=/bin/systemctl is-active unified-monitoring-agent.service
event.category would be process
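As an added illustration of the requested mapping (not code from the System integration), the following parser classifies the three example lines above into ECS-style fields and counts logged-on events per host the way the proposed threshold rule would. The event.type values and the "executed" action for sudo command lines are assumptions; the issue only asks for the category and the logged-on/logged-off actions.

```python
import re
from collections import Counter

# Constructed sample input: the three lines quoted in this issue.
SAMPLE_LINES = [
    "Jun 9 08:34:42 hostname sudo: pam_unix(sudo:session): session opened for user root by (uid=0)",
    "Jun 9 08:34:42 hostname sudo: pam_unix(sudo:session): session closed for user root",
    "Jun 9 08:34:42 hostname sudo: oracle-cloud-agent : TTY=unknown ; PWD=/var/lib/oracle-cloud-agent ; "
    "USER=root ; COMMAND=/bin/systemctl is-active unified-monitoring-agent.service",
]

# Syslog header: "<timestamp> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# pam_unix session open/close; the "by <name>(uid=N)" suffix is optional and <name> may be empty
SESSION_RE = re.compile(
    r"pam_unix\((?P<svc>[^:]+):session\): session (?P<state>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by>\S*)\s*\(uid=(?P<uid>\d+)\))?")
# sudo command record: "<invoker> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_CMD_RE = re.compile(r"^(?P<invoker>\S+) : (?P<fields>.*\bCOMMAND=.*)$")


def classify(line: str) -> dict:
    """Map one system.auth line to ECS-style fields; {} when no known pattern matches."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {}
    ev = {"host.name": m.group("host"), "process.name": m.group("prog").strip()}
    s = SESSION_RE.search(m.group("msg"))
    if s:
        opened = s.group("state") == "opened"
        ev.update({"event.category": ["session"],
                   "event.action": "logged-on" if opened else "logged-off",
                   "event.type": ["start"] if opened else ["end"],  # assumed ECS type mapping
                   "user.name": s.group("user")})
        return ev
    c = SUDO_CMD_RE.match(m.group("msg"))
    if c:
        kv = dict(p.split("=", 1) for p in c.group("fields").split(" ; ") if "=" in p)
        ev.update({"event.category": ["process"],
                   "event.action": "executed",  # assumed; the issue only fixes the category
                   "user.name": c.group("invoker"), "user.effective.name": kv.get("USER"),
                   "process.command_line": kv.get("COMMAND"),
                   "process.working_directory": kv.get("PWD")})
        return ev
    return {}


def count_logons(lines) -> Counter:
    """Per-host count of session/logged-on events, i.e. the quantity the threshold rule compares to 10."""
    hits = Counter()
    for ev in map(classify, lines):
        if ev.get("event.category") == ["session"] and ev.get("event.action") == "logged-on":
            hits[ev["host.name"]] += 1
    return hits
```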