Sudo Message

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Sudo Message | Base Rule | General Sudo Command | Activity |
| GDM Configuration System Accessed | Sub Rule | Object Accessed | Access Success |
| User Modify Command Executed | Sub Rule | User Account Attribute Modified | Account Modified |
| BASH Shell Executed | Sub Rule | Command Executed | Access Success |
| Change Owner Command Executed | Sub Rule | Command Executed | Access Success |
| Passwd Command Executed | Sub Rule | Command Executed | Access Success |
| Change Mode Command Executed | Sub Rule | Command Executed | Access Success |
| User Delete Command Executed | Sub Rule | User Account Deleted | Account Deleted |
| User Add Command Executed | Sub Rule | User Account Created | Account Created |
| Service Enabled | Sub Rule | Process/Service Started | Startup and Shutdown |
| Service Disabled | Sub Rule | Process/Service Stopped | Startup and Shutdown |
| Service Restarted | Sub Rule | Process/Service Restarted | Startup and Shutdown |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Host | `<sname>` | Text\String |
| N/A | `<dname>` | Text\String |
| N/A | `<login>` | Text\String |
| User | `<account>` | Number |
| COMMAND | `<object>` | Text\String |
| N/A | `<tag1>` | Text\String |
| N/A | `<tag2>` | Text\String |