Hello list,

Some systems, in syslog logging, tend to group the same messages to save
space and load. For example, Solaris
logs failed ssh logins to syslog but issues an event that says that
the last message repeated x times, like:

sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
for ....
Feb  2 10:38:00 systemname last message repeated 1 time


This way rule ID 5720 triggers at actually about 10 failed logins
instead of 8.

Is there a way to work around this? Maybe lower the threshold for
specific systems\platforms?

The same goes for telnet logging, which does summarize a lot of these
events. Probably other services too.

Thank you!
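As an added illustration of the undercounting described above (example code, not from the original post or from any log-analysis product), the function below replays syslog's "last message repeated N times" markers so a frequency rule sees every suppressed failure. The log lines are constructed in the style of the Solaris lines quoted in the post, the threshold of 8 is the one the post mentions, and the assumption that a repeat marker refers to the most recent message from the same reporting host is mine.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Solaris syslog lines quoted in the post.
SAMPLE_LOG = """\
Feb  2 10:37:55 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for alice from 192.0.2.10 port 50001 ssh2
Feb  2 10:37:58 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for alice from 192.0.2.10 port 50001 ssh2
Feb  2 10:38:00 systemname last message repeated 5 times
Feb  2 10:38:05 systemname sshd[22083]: [ID 800047 auth.notice] Failed keyboard-interactive for bob from 192.0.2.11 port 50002 ssh2
Feb  2 10:38:09 systemname last message repeated 2 times
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$")
FAILED_LOGIN_RE = re.compile(r"sshd\[\d+\]: .*Failed ")
THRESHOLD = 8  # the frequency the post cites for rule 5720

def parse(lines):
    """Yield (timestamp, host, message) for each well-formed syslog line."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group("ts"), m.group("host"), m.group("msg")

def expand_repeats(events):
    """Replay suppressed duplicates. Assumption: a repeat marker refers to the
    most recent message from the same reporting host."""
    last_msg = {}
    for ts, host, msg in events:
        r = REPEAT_RE.match(msg)
        if r:
            prev = last_msg.get(host)
            if prev is None:
                continue  # marker with no known predecessor: nothing to replay
            for _ in range(int(r.group("n"))):
                yield ts, host, prev  # replayed copies carry the marker's time
        else:
            last_msg[host] = msg
            yield ts, host, msg

def count_failed_logins(log_text, expand=True):
    """Count sshd failures per host, with or without replaying repeat markers."""
    events = parse(log_text.splitlines())
    if expand:
        events = expand_repeats(events)
    counts = defaultdict(int)
    for _ts, host, msg in events:
        if FAILED_LOGIN_RE.search(msg):
            counts[host] += 1
    return dict(counts)

def hosts_over_threshold(log_text, expand=True):
    """Hosts whose failure count reaches THRESHOLD; [] when counted naively."""
    counts = count_failed_logins(log_text, expand)
    return sorted(h for h, n in counts.items() if n >= THRESHOLD)
```

Counting the visible lines alone gives 3 failures for systemname and no alert; replaying the markers gives 10 and crosses the threshold.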
