Hi Dan,

I do not know if that is possible but turning off "message repeated"
messages would probably affect other logging as well.

Now, as for overwriting the rule, 5720 is a generic rule that
addresses many platforms... For IBM AIX, for example, the described
problem does not exist, at least in my environment. Lowering the
threshold for Solaris would mean that for AIX it would be even lower
(8 vs 6).

Is there a way to overwrite that rule per platform?

Thank you
BR



On Feb 2, 3:21 pm, "dan (ddp)" <[email protected]> wrote:
> On Thu, Feb 2, 2012 at 5:03 AM, alsdks <[email protected]> wrote:
> > Hello list,
>
> > Some systems, in syslog logging, tend to group the same messages to save
> > space and load. For example, Solaris
> > logs failed ssh logins to syslog but issues an event that says that
> > the last message repeated x times, like:
>
> > sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
> > for ....
> > Feb  2 10:38:00 systemname last message repeated 1 time
>
> > This way rule ID 5720 actually triggers at about 10 failed logins
> > instead of 8.
>
> > Is there a way to work around this? Maybe lower the threshold for
> > specific systems\platforms?
>
> > The same goes for telnet logging, which summarizes these
> > events a lot. Probably other services too.
>
> > Thank you!
>
> Maybe you could turn off the "message repeated" messages.
> Or I guess you could use the overwrite option to the rules that are
> issues to lower the frequency for your environment.
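
The undercounting described in this thread, as an added Python example that is not part of the original messages or of OSSEC's code: it compares how many failure lines a line-by-line matcher sees with how many failed logins occurred once "last message repeated N time(s)" lines are credited. The log lines are constructed; `testuser`, `192.0.2.10` and the function names are assumptions.

```python
import re

# Line layout modelled on the Solaris lines quoted in the thread.
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s(.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
FAILED = re.compile(r"sshd\[\d+\]: .*Failed \S+ for ")

def count_failures(lines):
    """Return (lines_matched, real_events) for failed sshd logins.

    lines_matched counts only lines carrying the failure text, which is all
    a per-line matcher sees. real_events also credits the N occurrences that
    syslogd folded into a "last message repeated N time(s)" line.
    """
    matched = real = 0
    last_was_failure = {}  # host -> was the previous message a failed login?
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue
        host, body = m.groups()
        rep = REPEAT.match(body)
        if rep:
            # A repeat line refers to the previous message from the same host.
            if last_was_failure.get(host):
                real += int(rep.group(1))
            continue  # keep state: a second repeat line refers to the same message
        is_fail = bool(FAILED.search(body))
        last_was_failure[host] = is_fail
        if is_fail:
            matched += 1
            real += 1
    return matched, real

def build_sample():
    """Constructed log: 8 failure lines, two of them followed by a repeat line."""
    out = []
    for i in range(8):
        out.append(f"Feb  2 10:38:{i * 5:02d} systemname sshd[{22082 + i}]: "
                   "[ID 800047 auth.notice] Failed keyboard-interactive "
                   "for testuser from 192.0.2.10 port 40000 ssh2")
        if i in (0, 4):
            out.append(f"Feb  2 10:38:{i * 5 + 2:02d} systemname "
                       "last message repeated 1 time")
    return out

if __name__ == "__main__":
    matched, real = count_failures(build_sample())
    print(f"failure lines seen: {matched}, failed logins that occurred: {real}")
```

Run against a real syslog file from each platform, the gap between the two numbers shows how far a line-count threshold drifts on that platform.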
