There is a syslog rule (1002) which looks for any one of a list of
"bad words".
On my RHEL servers this is picking up any mistyped passwords:

Received From: (server) 123.456.789.012->/var/log/secure
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)

Whilst I want rule 1002 to remain, in the case of mistyped passwords I
only want to be informed if this occurs multiple times.
I created an override in local_rules:

<group name="syslog,errors,">

<!-- Ignore mistyped passwords until 3rd occurrence -->
   <!-- Composite rule: level 5 when 1002 has matched the same text
        frequency="3" times within timeframe="360" seconds -->
   <rule id="101002" level="5" frequency="3" timeframe="360">
      <if_matched_sid>1002</if_matched_sid>
      <match>error trying to bind as user</match>
      <description>Wrong password entered repeatedly</description>
   </rule>
</group> <!-- SYSLOG,errors -->

but this is not working.

Can you combine if_matched_sid with match?
Is there an easier way to do this?
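One way to get the behaviour asked for above, given here as an added example and not the poster's own rule set nor anything shipped with OSSEC: instead of hanging a frequency rule directly off 1002, add a low-level child of 1002 that claims the single pam_ldap bind failure (so 1002 itself stops alerting on it), and key the composite rule on that child. The rule IDs 100100 and 100101, the levels and the timeframe are my choices; everything else is standard OSSEC local_rules.xml syntax.

```xml
<!-- local_rules.xml fragment: added example, not the original poster's rules.
     Rule IDs 100100/100101, the levels and the timeframe are assumptions. -->
<group name="syslog,errors,">

  <!-- Child of 1002: one pam_ldap bind failure (mistyped LDAP password).
       Because this child matches, 1002 no longer fires for the line.
       Level 1 is below the default email_alert_level (7), so a single typo
       is written to alerts.log but not mailed. It is level 1 rather than 0
       because OSSEC discards level-0 matches before storing them, so a
       level-0 rule cannot be referenced by if_matched_sid. -->
  <rule id="100100" level="1">
    <if_sid>1002</if_sid>
    <match>pam_ldap: error trying to bind as user</match>
    <description>pam_ldap: bind failed (invalid credentials), single occurrence.</description>
  </rule>

  <!-- Composite rule: fires at level 7 (mailed by default) once 100100 has
       matched frequency="3" times within timeframe="360" seconds. -->
  <rule id="100101" level="7" frequency="3" timeframe="360">
    <if_matched_sid>100100</if_matched_sid>
    <description>pam_ldap: bind failed repeatedly within 6 minutes (wrong password?).</description>
  </rule>

</group> <!-- SYSLOG,errors -->
```

To check it, restart OSSEC and paste the sshd/pam_ldap line from the alert into /var/ossec/bin/ossec-logtest several times: the first hits should resolve to 100100 and, after enough repeats, to 100101. The exact number of events that trips a frequency rule has varied between OSSEC versions (the rules documentation has described the trigger as two more than the configured value), so count how many pasted lines it takes and adjust frequency accordingly. Grouping the count by user would need the decoder to extract a user field from this log format, which the default pam decoder does not do for this message, so the count above is global across the agent.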
