Im new in this and I need some help with this
for example I need to correlate two events from linux.
my first search is
"svr-jrs-mat" rhost="*"
results: Oct 18 16:48:10 svr-jrs-mat-01 sshd[12160]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.11.61 user=aaa
where only I need rhost=10.0.11.61 and user=aaa for my second result
sourcetype=linux_secure "svr-jrs-mat" parametro="*"
result: Oct 18 16:48:21 svr-jrs-mat-01 sudo: aaa : TTY=pts/1 ; PWD=/home/aaa ; USER=root ; COMMAND=/bin/cat /var/log/secure
the thing is I need to correlate and know what user from what IP do sudo and the command in real time
I try with eval and rex but no result, thanks
regards
↧