RSA Admin

Linux Message IDs

Discussion created by RSA Admin Employee on Nov 5, 2008
Latest reply on Nov 5, 2008 by RSA Admin

All,


I am trying to configure a correlated alert for multiple login failures followed by successful logins from the same source. I attempted to create a rule that used the event categories Auth.Failures followed by Auth.Successful. This has not worked. Any input on this is appreciated. It seems like I have this problem for other platforms as well. It appears that the basic categories do not give me what I want and I have to choose specific message IDs, not just event categories. Has anyone else experienced this? Also, can anyone help provide a resource that shows what each Linux ID is (ex. what does 00010:02 mean?) Thanks!

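The correlation the post asks for (N authentication failures followed by a success from the same source within a time window), written out as an added example rather than anything from the original thread or from the RSA product; it assumes raw Linux sshd syslog lines, a constructed sample log, and an arbitrary threshold and window, and says nothing about how the vendor's message IDs map to these events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines (not from the original post).
SAMPLE_LOG = """\
Nov  5 10:00:01 host1 sshd[2001]: Failed password for root from 192.0.2.10 port 50001 ssh2
Nov  5 10:00:04 host1 sshd[2002]: Failed password for root from 192.0.2.10 port 50002 ssh2
Nov  5 10:00:07 host1 sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 50003 ssh2
Nov  5 10:00:09 host1 sshd[2004]: Accepted password for alice from 192.0.2.10 port 50004 ssh2
Nov  5 10:00:12 host1 sshd[2005]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Nov  5 10:00:15 host1 sshd[2006]: Accepted publickey for bob from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for [invalid user] X from SRC" and "Accepted <method> for X from SRC".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(line, year=2008):
    """Return (timestamp, outcome, user, source) or None for lines we do not care about."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is assumed for the sample.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]

def correlate(log_text, threshold=3, window_s=300):
    """Return (src, user, n_failures, ts) for every success that was preceded by at
    least `threshold` failures from the same source within `window_s` seconds."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, src = ev
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
        elif len(q) >= threshold:                             # success after a burst
            alerts.append((src, user, len(q), ts))
            q.clear()                                         # one alert per burst
    return alerts
```

Running `correlate(SAMPLE_LOG)` on the sample flags only 192.0.2.10 (three failures, then a success as alice); the single failure from 198.51.100.7 stays below the threshold.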