How about using Comp-\S+? I would also recommend using a variable like
this (taken from syslog rules):
core_dumped|failure|error|attack|bad |illegal
|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
On Mon, Dec 28, 2015 at 10:22 AM, wrote:
> Hello all and Happy Holidays,
> I set up a rule to look for logins after hours as follows:
> authentication
> 6 pm - 9 am
> Login after hours
> 50
> USERNAME
> Ignore USERNAME
> The first rule tries to pick up all logins after hours, and the subordinate
> rule tries to