Aug 1 12:12:12 host [login=name, pid=1356] -> sh [args: "sh", "-c", "ls -l", "/var/log"]