On Fri, Feb 3, 2012 at 6:50 AM, alsdks <[email protected]> wrote:
> Hi Dan,
>
> I do not know if that is possible, but turning off "message repeated"
> messages would probably affect other logging as well.
>
> Now as for overwriting the rule, 5720 is a generic rule that
> addresses many platforms... For IBM AIX, for example, the described
> problem does not exist, at least in my environment. Lowering the
> threshold for Solaris would mean that for AIX it would be even lower
> (8 vs 6).
>
> Is there a way to overwrite that rule per platform?
>

Not at this time. You might be able to limit a rule to specific agents,
but I can never remember for sure (and I can't test at the moment).

> Thank you
> BR
>
>
>
> On Feb 2, 3:21 pm, "dan (ddp)" <[email protected]> wrote:
>> On Thu, Feb 2, 2012 at 5:03 AM, alsdks <[email protected]> wrote:
>> > Hello list,
>>
>> > Some systems, in syslog logging, tend to group the same messages to save
>> > space and load. For example, Solaris
>> > logs failed ssh logins to syslog but issues an event that says that
>> > the last message repeated x times, like:
>>
>> > sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
>> > for ....
>> > Feb 2 10:38:00 systemname last message repeated 1 time
>>
>> > This way rule ID 5720 triggers at actually about 10 failed logins
>> > instead of 8.
>>
>> > Is there a way to work around this? Maybe lower the threshold for
>> > specific systems/platforms?
>>
>> > The same goes for telnet logging, which does summarize a lot of these
>> > events. Probably other services too.
>>
>> > Thank you!
>>
>> Maybe you could turn off the "message repeated" messages.
>> Or I guess you could use the overwrite option to the rules that are
>> at issue to lower the frequency for your environment.
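The undercount discussed in this thread, as an added example that is not part of the mailing list exchange and not OSSEC's own code: a small Python preprocessor that expands Solaris-style "last message repeated N time(s)" summary lines back into N copies of the preceding message, then applies a per-source frequency count. The sample log lines, hostname, addresses and ports are constructed for the example; the flat threshold of 8 is the figure quoted in the thread for rule 5720, and the rule's timeframe window is deliberately left out to keep the comparison to one variable. The example also shows the edge case a naive expansion gets wrong: a summary line repeats whatever message came last, which is not always an sshd message.

```python
import re
from collections import Counter

# Classic BSD/Solaris syslog line: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Summary emitted by syslogd when identical consecutive messages are collapsed.
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$")
# Failed sshd authentication, any method (password, keyboard-interactive, ...).
SSH_FAIL_RE = re.compile(
    r"^sshd\[\d+\]: .*\bFailed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log (not real Solaris output). Raw sshd failures from
# 192.0.2.10: 5 lines. The two "repeated" summaries following sshd lines add
# 1 + 2 = 3 more, so the true count is 8. The summary after the su line
# repeats the su message and must not be counted as an ssh failure.
SAMPLE_LOG = [
    "Feb  2 10:37:58 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51234 ssh2",
    "Feb  2 10:38:00 systemname last message repeated 1 time",
    "Feb  2 10:38:03 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51234 ssh2",
    "Feb  2 10:38:07 systemname last message repeated 2 times",
    "Feb  2 10:38:12 systemname su: [ID 366847 auth.notice] 'su root' failed for alice on /dev/pts/3",
    "Feb  2 10:38:15 systemname last message repeated 1 time",
    "Feb  2 10:38:20 systemname sshd[22090]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51240 ssh2",
    "Feb  2 10:38:24 systemname sshd[22091]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51241 ssh2",
    "Feb  2 10:38:29 systemname sshd[22092]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 192.0.2.10 port 51242 ssh2",
    "Feb  2 10:38:33 systemname sshd[22101]: [ID 800047 auth.notice] Failed keyboard-interactive for admin from 198.51.100.7 port 40022 ssh2",
]


def expand_repeats(lines):
    """Replace each 'last message repeated N time(s)' line with N copies of the
    most recent non-summary message. The copies carry the summary's timestamp,
    the latest moment at which the repeats can have happened; a summary with
    nothing before it is passed through unchanged."""
    out = []
    prev_msg = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            out.append(line)            # not syslog-shaped; leave it alone
            continue
        rep = REPEAT_RE.match(m.group("msg"))
        if rep is None:
            prev_msg = m.group("msg")   # a real message becomes the new "last message"
            out.append(line)
        elif prev_msg is None:
            out.append(line)            # nothing to repeat yet
        else:
            for _ in range(int(rep.group("n"))):
                out.append(f"{m.group('ts')} {m.group('host')} {prev_msg}")
    return out


def count_ssh_failures(lines):
    """Count failed sshd logins per source address."""
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        f = SSH_FAIL_RE.match(m.group("msg"))
        if f:
            counts[f.group("src")] += 1
    return counts


def sources_over_threshold(lines, threshold=8, expand=True):
    """Sources whose failure count reaches the threshold (8, as quoted in the
    thread for rule 5720; the rule's timeframe is omitted here). With
    expand=False the summaries are ignored, reproducing the undercount."""
    if expand:
        lines = expand_repeats(lines)
    return sorted(src for src, n in count_ssh_failures(lines).items() if n >= threshold)


if __name__ == "__main__":
    print("raw counts:     ", dict(count_ssh_failures(SAMPLE_LOG)))
    print("expanded counts:", dict(count_ssh_failures(expand_repeats(SAMPLE_LOG))))
    print("alert (raw):     ", sources_over_threshold(SAMPLE_LOG, expand=False))
    print("alert (expanded):", sources_over_threshold(SAMPLE_LOG))
```

Run on the constructed log, the raw count for 192.0.2.10 is 5 and no source reaches 8, while the expanded count is exactly 8 and the source is reported; the su summary expands to a second su line and stays out of the ssh tally. The expansion has to happen in whatever forwards or reads the log, ahead of the analysis engine, since the summary line itself carries no program name to match on.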
