DX NetOps

Team Spectrum Guru-

     I've been struggling to filter an Event A that contains "authentication failure" in its VARDATA 6.

     So basically, we don't want to see Event A that contains "authentication failure" in {V 6} creating an Alarm, but any other line in {V 6} should create Alarm.

     Right now Event A comes, no matter what is in  {V 6} will create Alarm.

     I thought If I create an Event Condition, use regex to find auth. fails and assign to a dummy Event might be solution.

     As an example {V 6} is = *:"pam_unix(sshd:auth): authentication failure, logname= uid=0 euid=0 tty=ssh ruser=johndoe rhost=1.2.3.4"

     Been trying Event Condition with (regexp({v 6}, {S \"authentication failure\"})) or just (regexp({v 7}, {S \"authentication\"})) will not work.

     (maybe asterisk or quotes causing issues).

      Then later I also found out that this event's VARDATA 7 is always "login" for auth. fails. So If I try (regexp({v 7}, {S \"login\"})), this works, and event goes to dummy event, but not before it already fired the alarm.

     I am at loss how this could be done. Please help If you have some thoughts how to filter these auth. fails, please please let me know.

     Regards and thanks.

Hi,

Can you try this?

(regexp({v 6}, {S \"authentication.*failure.*\"}))

Regards,

-Lakshmi.

Thank you.

• Disable alarm generation on EventA
• Copy EventA to create new event EventB
• Create a new Event Condition on EventA , add rule "if regexp({v 6}, {S \"authentication failure\"}) generate Event 0x10000"
• On the same Event Condition on EventA, create "default" rule (Operator: Default) that generates EventB, Copy All Event Variables.
• set the evaluation order so that default is at the bottom
• Set EventB to generate an alarm

Thank you a lot. This did it. Learnt something new. Much appreciated with solution.