On Thu, Feb 2, 2012 at 5:03 AM, alsdks <als...@gmail.com> wrote:
> Hello list,
>
> Some systems, in syslog logging, tend to group the same messages to save
> space and load. For example, Solaris logs failed ssh logins to syslog but
> issues an event that says that the last message repeated x times, like:
>
> sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for ....
> Feb 2 10:38:00 systemname last message repeated 1 time
>
> This way rule ID 5720 triggers at actually about 10 failed logins
> instead of 8.
>
> Is there a way to work around this? Maybe lower the threshold for
> specific systems\platforms?
>
> The same goes for telnet logging, which summarizes a lot of these
> events. Probably other services too.
>
> Thank you!
Maybe you could turn off the "message repeated" messages. Or I guess you could use the overwrite option on the rules that are issues, to lower the frequency for your environment.
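A third option, added here as an example and not code from the thread or from OSSEC, is to expand the "last message repeated N times" summaries before counting, so a frequency rule like 5720 sees every suppressed failure. The log lines, hostnames and addresses below are constructed; the threshold of 8 is the one the original post mentions.

```python
import re
from collections import Counter

# Constructed sample in Solaris syslog style (not taken from the original post).
SAMPLE_LOG = """\
Feb  2 10:37:50 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for alice from 192.0.2.10 port 50222 ssh2
Feb  2 10:37:55 systemname last message repeated 5 times
Feb  2 10:38:00 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for bob from 192.0.2.10 port 50223 ssh2
Feb  2 10:38:02 systemname last message repeated 2 times
Feb  2 10:38:05 systemname sshd[22090]: [ID 800047 auth.notice] Accepted keyboard-interactive for carol from 192.0.2.11 port 50300 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$")
FAILED_RE = re.compile(r"Failed \S+ for (?P<user>\S+) from (?P<src>\S+)")


def expand_repeats(lines):
    """Replace each 'last message repeated N times' summary with N copies of
    the previous message from the same host, so downstream counting sees
    every event the syslog daemon suppressed."""
    last_msg = {}  # host -> last non-summary message seen from that host
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            yield line  # not in syslog format; pass through untouched
            continue
        rep = REPEAT_RE.match(m.group("msg"))
        if rep:
            prev = last_msg.get(m.group("host"))
            if prev is not None:  # a summary with no known predecessor is dropped
                for _ in range(int(rep.group("n"))):
                    yield f"{m.group('ts')} {m.group('host')} {prev}"
        else:
            last_msg[m.group("host")] = m.group("msg")
            yield line


def count_failed_logins(lines, expand=True):
    """Return a Counter of failed SSH logins per source address."""
    if expand:
        lines = expand_repeats(lines)
    counts = Counter()
    for line in lines:
        f = FAILED_RE.search(line)
        if f:
            counts[f.group("src")] += 1
    return counts


def sources_over_threshold(lines, threshold=8):
    """Source addresses whose expanded failure count reaches the rule's frequency."""
    return sorted(src for src, n in count_failed_logins(lines).items() if n >= threshold)
```

On the sample, counting raw lines sees 2 failures from 192.0.2.10 while the expanded stream sees 9, which is the gap the original post describes.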