Based on the message that we select, we need to create a regular expression that extracts the date, the host and the event from it:

Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.

"syslog_message" : {
    "10" : {
        "IF" : "^(\\w+\\s\\d+\\s\\d+:\\d+:\\d+)\\s(\\w+[-_]\\w+)",
        "THEN" : [
            "capture(date,host)"
        ]
    },
    "11" : {
        "IF" : "Local authentication failed",
        "THEN" : [
            "set.event(Authentication Failed)",
            "set.priority(8)"
        ]
    }
}


After this we need to restart the opeventsd daemon; opEvents will then create an event named Authentication Failed whenever a syslog message matching these rules arrives.
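To see what the two rules above do to a message before touching the daemon, the following Python script re-implements the rule evaluation in a few lines. It is an added example, not opEvents' own parser: the rule set is copied from the page, the second sample message and the `apply_rules` helper are constructed here, and the assumption that every matching rule is applied in numeric order (rule 10 captures date and host, rule 11 then sets the event and priority) is mine rather than documented behaviour of opeventsd.

```python
import re

# Rule set in the same shape as the syslog_message block above (copied from the page).
SYSLOG_RULES = {
    "10": {
        "IF": r"^(\w+\s\d+\s\d+:\d+:\d+)\s(\w+[-_]\w+)",
        "THEN": ["capture(date,host)"],
    },
    "11": {
        "IF": "Local authentication failed",
        "THEN": ["set.event(Authentication Failed)", "set.priority(8)"],
    },
}

# Constructed sample messages: the first is the message quoted on the page,
# the second is a made-up success message that must NOT produce the event.
SAMPLE_MESSAGES = [
    "Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.",
    "Apr 01 16:40:02 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication succeeded(user: admin).",
]

# Supported THEN actions: capture(name,...), set.event(text), set.priority(n)
ACTION_RE = re.compile(r"^(capture|set\.event|set\.priority)\((.*)\)$")


def apply_rules(message, rules=SYSLOG_RULES):
    """Toy evaluator (assumption): apply every matching rule in numeric order.

    Returns a dict of extracted fields, or None when no rule's IF matched.
    """
    result = {}
    matched = False
    for rule_id in sorted(rules, key=int):
        rule = rules[rule_id]
        m = re.search(rule["IF"], message)
        if not m:
            continue
        matched = True
        for action in rule["THEN"]:
            am = ACTION_RE.match(action)
            if not am:
                raise ValueError(f"rule {rule_id}: unknown action {action!r}")
            verb, arg = am.groups()
            if verb == "capture":
                # capture(date,host): map regex groups onto the listed field names
                names = [n.strip() for n in arg.split(",")]
                if len(names) != len(m.groups()):
                    raise ValueError(
                        f"rule {rule_id}: {len(names)} capture names for "
                        f"{len(m.groups())} regex groups"
                    )
                result.update(zip(names, m.groups()))
            elif verb == "set.event":
                result["event"] = arg
            elif verb == "set.priority":
                result["priority"] = int(arg)
    return result if matched else None


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(apply_rules(msg))
```

Running it shows the failed login yielding date, host, event "Authentication Failed" and priority 8, while the success message only yields date and host, which is the quick way to confirm the IF expressions are neither too narrow nor too broad before restarting opeventsd.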