The inputs.conf is just the standard one:
[default]
# NOTE(review): in inputs.conf, a host value set under [default] is inherited
# by every input stanza on this forwarder that does not set its own host, so
# all of its events are attributed to thedesiredhostname rather than to the
# machine they actually came from. Confirm this is intended: the linux_secure
# props below appear to derive dest and src from host, so any asset or
# identity correlation built on those fields inherits this override.
host = thedesiredhostname
The props.conf is the standard one from TA_nix:
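[linux_secure]
# Event extractions by type
# NOTE(review): the line above appears to have lost its leading "#" in the
# paste. In a Splunk .conf file a comment must start at column 0 with "#",
# and a bare line with no "key = value" is not a valid setting, so it was
# restored as a comment.
# The leading "0" in the name sorts this REPORT ahead of the others; Splunk
# applies REPORT- settings in ASCII order of their names, so the auth
# extractions run first. Keep that in mind if more REPORT- lines are added.
REPORT-0authentication_for_linux_secure = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication, ftpd_authentication
# Calculated field: an su event with no extracted action is treated as
# "success"; any extracted action is kept as-is. Calculated fields (EVAL-)
# are evaluated before LOOKUP- settings, so the lookup further down sees
# this value — confirm against the search-time operation order in use.
EVAL-action = if(app="su" AND isnull(action),"success",action)
REPORT-account_management_for_linux_secure = useradd, userdel
REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
REPORT-routing = iptables
# signature becomes "firewall" only when inbound_interface was extracted for
# the event; otherwise the expression yields null().
EVAL-signature = if(isnotnull(inbound_interface),"firewall",null())
REPORT-signature_for_linux_secure_timesync = signature_for_nix_timesync
# host_as_dest (and host_as_src below) presumably populate dest/src from the
# indexed host field, so a forwarder-side host override (e.g. host under
# [default] in inputs.conf) flows straight into dest/src — verify before
# relying on these fields for asset attribution.
REPORT-dest_for_linux_secure = host_as_dest
# OUTPUTNEW only writes action where it is still empty after the extractions
# and EVAL-action above; values already present are left untouched.
LOOKUP-action_for_linux_secure = nix_action_lookup vendor_action OUTPUTNEW action
REPORT-pid-process_for_linux_secure = syslog-extractions
REPORT-src_for_linux_secure = src_dns_as_src, src_ip_as_src, host_as_src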