1[sudo: all] 2log 1 pass = Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast 3log 2 pass = Apr 14 10:59:01 enigma sudo: dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin 4log 3 pass = Apr 19 14:52:02 enigma sudo: dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid . 5log 4 pass = Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash 6 7rule = 5403 8alert = 4 9decoder = sudo 10 11[Failed attempt to run sudo] 12log 1 pass = Jun 25 15:51:13 precise32 sudo: mike : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls 13 14rule = 5401 15alert = 5 16decoder = sudo 17 18[First time user executed sudo] 19log 1 pass = Jun 25 15:48:21 precise32 sudo: mike : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su - 20 21rule = 5403 22alert = 4 23decoder = sudo 24 25[3 incorrect password attempts] 26log 1 pass = Jun 25 16:15:45 precise32 sudo: mike : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls 27 28rule = 5404 29alert = 10 30decoder = sudo 31 32[unauthorized user] 33log 1 pass = Apr 13 08:36:31 ix sudo: ddp2 : user NOT in sudoers ; TTY=ttypZ ; PWD=/home/ddp2 ; USER=root ; COMMAND=/bin/ls 34 35rule = 5405 36alert = 5 37decoder = sudo 38 39