Ok Dan, I will try to find a way to do it.
Thank you

On Feb 6, 1:50 pm, "dan (ddp)" <[email protected]> wrote:
> On Fri, Feb 3, 2012 at 6:50 AM, alsdks <[email protected]> wrote:
> > Hi Dan,
> >
> > I do not know if that is possible but turning off "message repeated"
> > messages would probably affect other logging as well.
> >
> > Now as for overwriting the rule, 5720 is a generic rule that
> > addresses many platforms... For IBM AIX for example the described
> > problem does not exist, at least in my environment. Lowering the
> > threshold for Solaris would mean that for AIX would be even lower
> > (8 vs 6).
> >
> > Is there a way to overwrite that rule per platform?
>
> Not at this time. You might be able to limit a rule to specific
> agents, but I can never remember for sure (and I can't test at the
> moment).
>
> > Thank you
> > BR
> >
> > On Feb 2, 3:21 pm, "dan (ddp)" <[email protected]> wrote:
> >> On Thu, Feb 2, 2012 at 5:03 AM, alsdks <[email protected]> wrote:
> >> > Hello list,
> >> >
> >> > Some systems, in syslog logging, tend to group same messages to save
> >> > space and load. For example Solaris
> >> > logs failed ssh logins to syslog but issues an event that says that
> >> > the last message repeated x times, like:
> >> >
> >> > sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive
> >> > for ....
> >> > Feb 2 10:38:00 systemname last message repeated 1 time
> >> >
> >> > This way rule ID 5720 triggers at actually about 10 failed logins
> >> > instead of 8.
> >> >
> >> > Is there a way to work around this? Maybe lower the threshold for
> >> > specific systems\platforms?
> >> >
> >> > The same goes for telnet logging which does summarize a lot these
> >> > events. Probably other services too.
> >> >
> >> > Thank you!
> >>
> >> Maybe you could turn off the "message repeated" messages.
> >> Or I guess you could use the overwrite option to the rules that are
> >> issues to lower the frequency for your environment.
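
The undercount described in the thread, as an added example that is not part of the original messages and is not OSSEC code: it counts failed sshd logins per host twice, once by visible lines and once after crediting each "last message repeated N times" line to the previous message from the same host. The log lines, host names and the `count_failures` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Syslog header: "Mon DD HH:MM:SS host message"
HEADER = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s(.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
FAILED = re.compile(r"sshd\[\d+\]: .*Failed (keyboard-interactive|password) for ")

# Constructed sample lines (not taken from the thread), two hosts interleaved.
SAMPLE_LOG = """\
Feb  2 10:37:50 systemname sshd[22082]: [ID 800047 auth.notice] Failed keyboard-interactive for exampleuser from 192.0.2.10 port 40001 ssh2
Feb  2 10:37:52 otherhost cron[300]: [ID 000000 cron.info] constructed job message
Feb  2 10:38:00 systemname last message repeated 1 time
Feb  2 10:38:05 systemname sshd[22090]: [ID 800047 auth.notice] Failed keyboard-interactive for exampleuser from 192.0.2.10 port 40002 ssh2
Feb  2 10:38:20 systemname last message repeated 2 times
Feb  2 10:38:21 otherhost last message repeated 4 times
Feb  2 10:38:30 systemname sshd[22101]: [ID 800047 auth.notice] Failed keyboard-interactive for exampleuser from 192.0.2.10 port 40003 ssh2
"""

def count_failures(log_text):
    """Return {host: (visible_failure_lines, actual_failed_logins)}."""
    last_msg = {}                       # most recent non-repeat message per host
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            # A repeat marker refers to the previous message from the same host;
            # it only adds failures if that message was itself a failed login.
            if FAILED.search(last_msg.get(host, "")):
                totals[host][1] += int(rep.group(1))
            continue
        last_msg[host] = msg
        if FAILED.search(msg):
            totals[host][0] += 1
            totals[host][1] += 1
    return {h: tuple(v) for h, v in totals.items()}

if __name__ == "__main__":
    for host, (visible, actual) in count_failures(SAMPLE_LOG).items():
        print(f"{host}: {visible} failure lines, {actual} failed logins")
```

A frequency rule that counts only the visible failure lines sees fewer events than actually occurred, which is the gap the original poster reports for rule 5720 on Solaris.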
