On Thu, Feb 2, 2012 at 5:03 AM, alsdks als...@gmail.com wrote:
Hello list,
Some systems, in syslog logging, tend to group the same messages to save
space and load. For example Solaris
logs failed ssh logins to syslog but issues an event that says that
the last message repeated x times, like:
sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for
Feb 2 10:38:00 systemname last message repeated 1 time
This way rule ID 5720 triggers at actually about 10 failed logins
instead of 8.
Is there a way to work around this? Maybe lower the threshold for
specific systems\platforms?
The same goes for telnet logging, which summarizes these events a lot.
Probably other services too.
Thank you !
Maybe you could turn off the message repeated messages.
Or I guess you could use the overwrite option to the rules that are
issues to lower the frequency for your environment.
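As an added illustration of the undercount described in the thread (this is not code from the list or from OSSEC): a small Python pre-processor that expands Solaris "last message repeated N times" lines back into the message they stand for, then counts sshd failures per source against a frequency-8 threshold like rule 5720's. The log lines, host name, user and 192.0.2.10 address are constructed placeholders, and treating the repeat as referring to the last message from the same host, stamped with the repeat line's time, is a simplifying assumption.

```python
import re
from collections import Counter

# Constructed sample in the Solaris syslog style quoted in the thread.
# Host name, user and 192.0.2.10 are placeholders, not real log data.
SAMPLE_LOG = """\
Feb  2 10:37:58 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for user1 from 192.0.2.10
Feb  2 10:38:00 systemname last message repeated 1 time
Feb  2 10:38:05 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for user1 from 192.0.2.10
Feb  2 10:38:09 systemname last message repeated 3 times
Feb  2 10:38:12 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for user1 from 192.0.2.10
Feb  2 10:38:14 systemname last message repeated 2 times
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times?$")
FAILED_RE = re.compile(r"Failed \S+ for \S+ from (\S+)")

def expand_repeats(lines):
    """Replay 'last message repeated N times' as N copies of the previous
    message from the same host (stamped with the repeat line's time)."""
    last_msg = {}  # host -> body of the last real message from that host
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        rep = REPEAT_RE.match(msg)
        if rep and host in last_msg:
            for _ in range(int(rep.group(1))):
                yield f"{ts} {host} {last_msg[host]}"
        else:
            last_msg[host] = msg
            yield line

def failed_logins_by_source(lines):
    """Count sshd authentication failures per source address."""
    return Counter(m.group(1) for m in map(FAILED_RE.search, lines) if m)

def sources_over_threshold(lines, threshold=8, expand=False):
    """Sources that would trip a frequency rule like OSSEC 5720 (default 8)."""
    if expand:
        lines = expand_repeats(lines)
    counts = failed_logins_by_source(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

On the constructed sample the compressed log shows only 3 failures from the source, while the expanded view shows 9, which is the gap between what the rule counts and what actually happened.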