Team Spectrum Guru-
I've been struggling to filter an Event A that contains "authentication failure" in its VARDATA 6.
So basically, we don't want an Event A that contains "authentication failure" in {V 6} to create an Alarm, but any other line in {V 6} should create an Alarm.
Right now, when Event A comes in, it creates an Alarm no matter what is in {V 6}.
I thought that creating an Event Condition, using regex to find the auth. fails and assigning them to a dummy Event might be a solution.
As an example, {V 6} is = *:"pam_unix(sshd:auth): authentication failure, logname= uid=0 euid=0 tty=ssh ruser=johndoe rhost=1.2.3.4"
I've been trying an Event Condition with (regexp({v 6}, {S \"authentication failure\"})) or just (regexp({v 7}, {S \"authentication\"})), but it will not work
(maybe the asterisk or quotes are causing issues).
Then later I also found out that this event's VARDATA 7 is always "login" for auth. fails. So if I try (regexp({v 7}, {S \"login\"})), this works and the event goes to the dummy event, but not before it has already fired the alarm.
I am at a loss as to how this could be done. Please help; if you have some thoughts on how to filter these auth. fails, please, please let me know.
Regards and thanks.