I am trying to configure a correlated alert for multiple login failures followed by successful logins from the same source. I attempted to create a rule that used the event categories Auth.Failures followed by Auth.Successful. This has not worked. Any input on this is appreciated. It seems like I have this problem for other platforms as well. It appears that the basic categories do not give me what I want and I have to choose specific message IDs, not just event categories. Has anyone else experienced this? Also, can anyone help provide a resource that shows what each Linux ID is (e.g., what does 00010:02 mean)? Thanks!
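The correlation described in the post (several failures, then a success, from one source), written out as an added example that is not part of the original post and is not any product's rule syntax. The threshold, time window, event tuple layout and sample events are assumptions constructed for illustration; only the two category names come from the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL, OK = "Auth.Failures", "Auth.Successful"  # category names from the post

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Return (source, success_time, failure_count) for every success that
    follows at least `threshold` failures from the same source in `window`."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for ts, src, category in sorted(events, key=lambda e: e[0]):
        fails = recent[src]
        # Expire failures that have fallen out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if category == FAIL:
            fails.append(ts)
        elif category == OK:
            if len(fails) >= threshold:
                alerts.append((src, ts, len(fails)))
            fails.clear()  # a success ends the failure streak
        # Events carrying any other category (or none) never count here.
    return alerts

def t(hms):
    return datetime.fromisoformat("2024-01-01T" + hms)

# Constructed sample events: (timestamp, source, category).
SAMPLE = [
    (t("10:00:00"), "192.0.2.5", FAIL),
    (t("10:00:20"), "192.0.2.5", FAIL),
    (t("10:00:40"), "192.0.2.5", FAIL),
    (t("10:01:00"), "192.0.2.5", OK),    # 3 failures, then success: alert
    (t("10:00:10"), "192.0.2.9", FAIL),
    (t("10:00:30"), "192.0.2.9", OK),    # 1 failure only: no alert
    (t("09:00:00"), "192.0.2.7", FAIL),
    (t("09:00:10"), "192.0.2.7", FAIL),
    (t("09:00:20"), "192.0.2.7", FAIL),
    (t("10:30:00"), "192.0.2.7", OK),    # failures outside window: no alert
    (t("11:00:00"), "192.0.2.8", None),  # uncategorized events are ignored
    (t("11:00:10"), "192.0.2.8", None),
    (t("11:00:20"), "192.0.2.8", None),
    (t("11:00:30"), "192.0.2.8", OK),    # so this success raises no alert
]

if __name__ == "__main__":
    for src, when, count in correlate(SAMPLE):
        print(f"{src}: success at {when} after {count} failures")
```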