Where is the mapping defined between NetWitness and syslog messages? For example if I want to see a failed ssh login on a RedHat system I could look for the following in /var/log/messages:
# $msg contains the following: 'op=PAM' exe="/usr/sbin/sshd" res=failed
# acct=username can identify who performed the ssh (root)
What information is used from the syslog to populate alert.id, event.desc, etc.?
Also, is there a list of all possible values of alert.id?
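As an added example (not from the original post or from NetWitness), the matching rule described above run over a few constructed /var/log/messages lines in audit-dispatcher format; the field names op, acct, exe, res and addr are assumed from that format, and the sample lines are made up for illustration.

```python
import re

# Constructed sample lines in the style of audispd records forwarded to syslog.
# Line 1 is pam_unix noise with no audit msg='...' payload, line 2 is a failed
# sshd login for root, line 3 a successful sshd login, line 4 a failed local login.
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Mar  3 10:01:14 host1 audispd: node=host1 type=USER_AUTH msg=audit(1393841674.112:401): pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
Mar  3 10:02:05 host1 audispd: node=host1 type=USER_AUTH msg=audit(1393841725.003:402): pid=2315 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=ssh res=success'
Mar  3 10:03:40 host1 audispd: node=host1 type=USER_AUTH msg=audit(1393841820.550:403): pid=2330 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/bin/login" hostname=? addr=? terminal=tty1 res=failed'
"""

# key=value pairs; values may be double-quoted, single-quoted or bare tokens.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# The audit payload is the single-quoted msg='...' section (the earlier
# msg=audit(...) token has no quotes and is skipped by this pattern).
PAYLOAD_RE = re.compile(r"msg='([^']*)'")


def parse_kv(text):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}, stripping quotes."""
    return {key: value.strip("\"'") for key, value in KV_RE.findall(text)}


def failed_ssh_logins(log_text):
    """Return one record per line where PAM reports a failed sshd authentication."""
    hits = []
    for line in log_text.splitlines():
        match = PAYLOAD_RE.search(line)
        if not match:
            continue  # no audit payload on this line (e.g. plain pam_unix text)
        fields = parse_kv(match.group(1))
        if (fields.get("op", "").startswith("PAM")
                and fields.get("exe") == "/usr/sbin/sshd"
                and fields.get("res") == "failed"):
            hits.append({"acct": fields.get("acct"),
                         "addr": fields.get("addr"),
                         "terminal": fields.get("terminal")})
    return hits


def failures_by_account(log_text):
    """Count failed sshd logins per account, useful as a quick triage summary."""
    counts = {}
    for hit in failed_ssh_logins(log_text):
        counts[hit["acct"]] = counts.get(hit["acct"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in failed_ssh_logins(SAMPLE_LOG):
        print(hit)
    print(failures_by_account(SAMPLE_LOG))
```

Only the second sample line matches: the successful login fails the res check and the /bin/login failure fails the exe check, which is exactly the three-field condition the question describes.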