On Fri, Apr 20, 2012 at 4:33 PM, mtw <[email protected]> wrote: > I am very fond of this rule: > > Rule: 10100 fired (level 7) -> "First time user logged in." > > Could you help me with a new rule that would trigger each time a user logged > in from a new location (IP address)? I know that the fts-queue file holds > this. I guess an inelegant way would be to just monitor that file for > changes, but I know there is a better way. > > Thanks.
<fts>srcip</fts> ?
