DX NetOps

  • 1.  Filter Event with Specific Strings

    Posted Jan 14, 2016 09:02 PM

    Team Spectrum Guru-

     

         I've been struggling to filter an Event A that contains "authentication failure" in its VARDATA 6.

         So basically, we don't want an Event A that contains "authentication failure" in {V 6} to create an Alarm, but any other line in {V 6} should create an Alarm.

         Right now, when Event A comes in, it creates an Alarm no matter what is in {V 6}.

         I thought that if I create an Event Condition, use a regex to find the auth. failures, and assign them to a dummy Event, that might be the solution.

         As an example, {V 6} is = *:"pam_unix(sshd:auth): authentication failure, logname= uid=0 euid=0 tty=ssh ruser=johndoe rhost=1.2.3.4"

         I have been trying an Event Condition with (regexp({v 6}, {S \"authentication failure\"})) or just (regexp({v 7}, {S \"authentication\"})), but it will not work.

         (Maybe the asterisk or the quotes are causing issues.)

         Then later I also found out that this event's VARDATA 7 is always "login" for auth. failures. So if I try (regexp({v 7}, {S \"login\"})), this works, and the event goes to the dummy event, but not before it has already fired the alarm.

         I am at a loss as to how this could be done. Please help; if you have some thoughts on how to filter these auth. failures, please please let me know.

         Regards and thanks.



  • 2.  Re: Filter Event with Specific Strings

    Posted Jan 16, 2016 12:43 PM

    Hi,

    Can you try this?

    (regexp({v 6}, {S \"authentication.*failure.*\"}))

    Regards,

    -Lakshmi.



  • 3.  Re: Filter Event with Specific Strings

    Posted Jan 18, 2016 11:43 AM

    Thank you.



  • 4.  Re: Filter Event with Specific Strings
    Best Answer

    Posted Jan 16, 2016 01:18 PM
    • Disable alarm generation on EventA
    • Copy EventA to create a new event, EventB
    • Create a new Event Condition on EventA and add the rule "if regexp({v 6}, {S \"authentication failure\"}) generate Event 0x10000"
    • On the same Event Condition on EventA, create a "default" rule (Operator: Default) that generates EventB, with Copy All Event Variables
    • Set the evaluation order so that the default rule is at the bottom
    • Set EventB to generate an alarm


  • 5.  Re: Filter Event with Specific Strings

    Posted Jan 18, 2016 11:44 AM

    Thank you a lot. This did it. I learnt something new. The solution is much appreciated.