Linux Message IDs
I am trying to configure a correlated alert for multiple login failures followed by successful logins from the same source. I attempted to create a rule that used the event categories Auth.Failures followed by Auth.Successful. This has not worked. Any input on this is appreciated. It seems like I have this problem for other platforms as well. It appears that the basic categories do not give me what I want and I have to choose specific message IDs not just event categories. Has anyone else experienced this? Also, can anyone help provide a resource that shows what each Linux ID is (ex. what does 00010:02 mean?) Thanks!
Hmmm... Your thought process should work. Post your rule XML here so all can take a look.
In the meantime go to Overview->System Configuration->Messages->Manage Messages and enter the following filter
WHERE Taxonomy/Event Category IN Auth.Failures
AND Device/Type IN Linux
This will create a list of the Linux message numbers for Auth.Failures. Change the above to Auth.Successful to check those messages.
But the purpose of any SIEM is to normalize the messages from various vendors so we do not need to know what a 00010:02 means.
"Luke... Use the Taxonomy"
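The correlation the original poster describes, expressed as detection logic over normalized events rather than a product rule, as an added example that is not part of this thread. It assumes the SIEM has already mapped raw Linux messages to the taxonomy categories Auth.Failures and Auth.Successful and exposes a source address and timestamp per event; the events below are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, normalized events in the shape a SIEM taxonomy presents them:
# (timestamp, event category, source address). No vendor message IDs needed.
EVENTS = [
    ("2024-03-01T10:00:00", "Auth.Failures",   "10.0.0.5"),
    ("2024-03-01T10:00:05", "Auth.Failures",   "10.0.0.5"),
    ("2024-03-01T10:00:09", "Auth.Failures",   "10.0.0.5"),
    ("2024-03-01T10:00:20", "Auth.Successful", "10.0.0.5"),  # 3 failures then success: alert
    ("2024-03-01T10:01:00", "Auth.Failures",   "10.0.0.9"),
    ("2024-03-01T10:01:30", "Auth.Successful", "10.0.0.9"),  # only 1 failure: no alert
    ("2024-03-01T10:05:00", "Auth.Failures",   "10.0.0.7"),
    ("2024-03-01T10:05:01", "Auth.Failures",   "10.0.0.7"),
    ("2024-03-01T10:05:02", "Auth.Failures",   "10.0.0.7"),
    ("2024-03-01T10:20:00", "Auth.Successful", "10.0.0.7"),  # success outside window: no alert
]

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Return (source, success_time, failure_count) for every success that was
    preceded by at least min_failures failures from the same source within window."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = []
    for ts_str, category, source in sorted(events):   # ISO timestamps sort correctly
        ts = datetime.fromisoformat(ts_str)
        q = recent[source]
        # Discard failures older than the window so stale attempts do not count.
        while q and ts - q[0] > window:
            q.popleft()
        if category == "Auth.Failures":
            q.append(ts)
        elif category == "Auth.Successful":
            if len(q) >= min_failures:
                alerts.append((source, ts_str, len(q)))
            q.clear()   # reset so one burst of failures fires at most once
    return alerts

if __name__ == "__main__":
    for source, when, count in correlate(EVENTS):
        print("ALERT: %s logged in at %s after %d failures" % (source, when, count))
```

Threshold and window are the two knobs a real rule exposes; the same sequence from an unrelated source must not count, which is why state is keyed per source.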