...
Based on the message we selected, we need to create a regular expression that extracts the date and host and then sets the event, for example:
Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.
```json
"syslog_message" : {
    "10" : {
        "IF" : "^(\\w+\\s\\d+\\s\\d+:\\d+:\\d+)\\s(\\w+[-_]\\w+)",
        "THEN" : [ "capture(date,host)" ]
    },
    "11" : {
        "IF" : "Local authentication failed",
        "THEN" : [ "set.event(Authentication Failed)", "set.priority(8)" ]
    }
}
```
After this, restart the opeventsd daemon; opEvents will then create an Authentication Failed event for each matching syslog message.
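As an added illustration (not opEvents' own code), the following Python script walks the two rules above over the page's sample message and one constructed benign line, showing which fields the regex captures and why only the failed-login line becomes an event. The rule dispatch (every matching rule's THEN actions are applied, and a line yields an event only if some rule set an event name) is an assumption made for this demonstration, not a description of the opEvents parser internals.

```python
import re

# Constructed sample lines: the first is the message from the page, the
# second is a made-up benign message that must not produce an event.
SAMPLE_LINES = [
    "Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.",
    "Apr 01 16:40:02 CNOC-01 b102ogt: [SYSTEM]<6> Interface ge-0/0/1 link up.",
]

# The page's rule set transcribed into Python (same IF/THEN structure).
RULES = {
    "10": {"IF": r"^(\w+\s\d+\s\d+:\d+:\d+)\s(\w+[-_]\w+)", "THEN": ["capture(date,host)"]},
    "11": {"IF": "Local authentication failed",
           "THEN": ["set.event(Authentication Failed)", "set.priority(8)"]},
}

# action(argument) as used in the THEN lists
ACTION_RE = re.compile(r"^(capture|set\.event|set\.priority)\((.*)\)$")


def apply_rules(line, rules):
    """Evaluate rules in numeric order and return the fields collected for the line.

    Assumed semantics (illustration only): each rule whose IF regex matches has
    all of its THEN actions applied; the line becomes an event only if an event
    name was set, otherwise None is returned.
    """
    fields = {}
    for rule_id in sorted(rules, key=int):
        rule = rules[rule_id]
        m = re.search(rule["IF"], line)
        if not m:
            continue
        for action in rule["THEN"]:
            name, arg = ACTION_RE.match(action).groups()
            if name == "capture":
                # capture(a,b) names the regex groups in order
                names = (n.strip() for n in arg.split(","))
                fields.update(zip(names, m.groups()))
            elif name == "set.event":
                fields["event"] = arg
            elif name == "set.priority":
                fields["priority"] = int(arg)
    return fields if "event" in fields else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(apply_rules(line, RULES))
```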