While the SSH log messages tell me that root logged in, the app shows unknown.
Looks like the ID filed is not taken into account by this:
[|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes] type=USER_LOGIN | eval account=coalesce(acct,user) | table _time host terminal account src action
the USER_LOGIN audit record has neither user nor account set, but I see some default user=unknown in the fields for this event.
Probably the logic should include the ID field as shown by this event:
Jun 8 20:31:29 bsul0903 audispd: type=USER_LOGIN msg=audit(1623177089.054:532049): pid=1526 uid=0 auid=0 ses=6582 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=testbox addr=10.42.42.42 terminal=ssh res=success' UID="root" AUID="root" **ID="root"**
While the SSH log messages tell me that root logged in, the app shows unknown.
Looks like the ID filed is not taken into account by this:
[|inputlookup auditd_indices] [|inputlookup auditd_sourcetypes] type=USER_LOGIN | eval account=coalesce(acct,user) | table _time host terminal account src actionthe USER_LOGIN audit record has neither user nor account set, but I see some default user=unknown in the fields for this event.
Probably the logic should include the ID field as shown by this event:
Jun 8 20:31:29 bsul0903 audispd: type=USER_LOGIN msg=audit(1623177089.054:532049): pid=1526 uid=0 auid=0 ses=6582 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=testbox addr=10.42.42.42 terminal=ssh res=success' UID="root" AUID="root" **ID="root"**