I slightly changed EXTRACT-sudo_open_details so it also works with "su"
^\w+ \d+ \d{2}:\d{2}:\d{2} (?<src>.+) (?<app>\w+).*: pam_unix\(.+:session\): (?<vendor_action>session \w+) for user (?<user>\w+)
For the rest it works perfectly with my RHEL. Thanks!
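To see what the modified extraction actually captures, here is an added Python example (not part of the original post or of the Splunk configuration it describes). It applies the poster's regex to a handful of constructed pam_unix session lines in the classic syslog layout, covering sudo, su and sshd, plus two lines that the pattern deliberately does not match. The only change to the regex is syntactic: Splunk's `(?<name>...)` groups are written in Python's `(?P<name>...)` form. The host name, user names and timestamps in the sample lines are made up.

```python
import re

# The poster's pattern, with (?<name>...) groups rewritten as (?P<name>...)
# for Python's re module; the matching logic is otherwise unchanged.
PAM_SESSION_RE = re.compile(
    r"^\w+ \d+ \d{2}:\d{2}:\d{2} (?P<src>.+) (?P<app>\w+).*: "
    r"pam_unix\(.+:session\): (?P<vendor_action>session \w+) for user (?P<user>\w+)"
)

# Constructed sample lines (not real logs), host and users invented.
SAMPLE_LINES = [
    "Mar 13 10:15:01 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)",
    "Mar 13 10:15:09 web01 sudo: pam_unix(sudo:session): session closed for user root",
    "Mar 13 10:16:30 web01 su: pam_unix(su-l:session): session opened for user postgres by bob(uid=1001)",
    "Mar 13 10:17:00 web01 sshd[2201]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
    # Single-digit day: BSD syslog pads it with two spaces, which "^\w+ \d+" does not accept.
    "Mar  3 10:18:00 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)",
    # Not a session line at all (the "auth" stack), so it must not match.
    "Mar 13 10:19:00 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000",
]


def parse_pam_session(line):
    """Return the named groups as a dict, or None when the line does not match."""
    m = PAM_SESSION_RE.match(line)
    return m.groupdict() if m else None


def session_events(lines):
    """Parse every line and keep only the ones the extraction recognises."""
    events = []
    for line in lines:
        fields = parse_pam_session(line)
        if fields is not None:
            events.append(fields)
    return events


def escalation_opens(lines):
    """(app, target user) pairs for sessions opened through sudo or su.

    This is the subset the poster's extraction is aimed at; sshd sessions
    also match the regex but are ordinary logins, so they are filtered out here.
    """
    return [
        (e["app"], e["user"])
        for e in session_events(lines)
        if e["app"] in ("sudo", "su") and e["vendor_action"] == "session opened"
    ]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_pam_session(line))
    print("privilege escalations:", escalation_opens(SAMPLE_LINES))
```

Two things worth knowing before relying on the pattern in production: the `^\w+ \d+` prefix misses the double-space padding that traditional syslog uses for days 1 to 9, and `(?<user>\w+)` stops at the first non-word character, so user names containing a dot or hyphen are truncated.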