pC_unixunixcefuserswitchsuccesssusuccess.md


Parser Content

{
Name = unix-unix-cef-user-switch-success-susuccess
  ParserVersion = "v1.0.0"
  Conditions = [ """CEF""", """Unix|Unix""", """|su succeeded|""" ]
  Fields = ${UnixParsersTemplates.cef-unix-template.Fields}[
     """\sduser=({account}.*?)\s+\w+="""
  ]

cef-unix-template = {
    Vendor = Unix
    Product = Unix Auditd
    TimeFormat = epoch
    Fields = [
      """\Wrt=({time}\d{13})""",
      """\Wdvc=({host}[^\s]+)""",
      """\Wdvchost=({host}[^\s]+)""",
      """CEF:([^\|]*\|){4}({additional_info}[^\|]+)""",
      """CEF:([^\|]*\|){5}({event_code}[^\|]+)""",
      """CEF:([^\|]*\|){6}({alert_severity}[^\|]+)""",
      """\WeventId=({alert_id}\d+)""",
      """\Wsuser=({user}[\w\.\-\!\#\^\~]{1,40}\$?)""",
      """\Wdhost=({dest_host}[\w\-.]+)""",
    
}