**Phase 1: Completed pre-decoding.
       full event: 'Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0'
       hostname: 'bogus.com'
       program_name: 'su'
       log: 'ericx to root on /dev/ttyu0'

**Phase 2: Completed decoding.
       decoder: 'su'
       srcuser: 'ericx'
       dstuser: 'root'

**Phase 3: Completed filtering (rules).
       Rule id: '5305'
       Level: '4'
       Description: 'First time (su) is executed by user.'
**Alert to be generated.


