Hi guys, I am facing a problem with the root login rule. I would like to
obtain an alert (from RE) every time somebody logs in as root, and it
usually works, but... Today we tested root login on a Debian server and it
sent this log: "Sep 22 16:01:57 10.10.10.10 logi...
Hi, is anybody using SDEE for collecting logs from Cisco IPS on SA? I
tried to set it up, but it's not collecting any events. From the logs it
seems that communication is OK. On enVision it works fine. I found a
difference in the requests between enVi & SA and ...
Hi mates, in our environment all devices are sending logs to a syslog-ng
server which is relaying them to SA, but... SA recognizes all of those
messages as "device.ip=10.0.0.5" (the syslog server) instead of the original
device address, for example 10.0.0.1 (fw)...
Hello guys, is there anybody here who is already collecting logs and events from
VMware vSphere? Could somebody give me a hint on how to do that?
I tried to set up collection on the collector, but it will not connect to our
vSphere, so somewhere there must be some misc...
It would be fine if you could take a look at it. It's Debian and I think
that the index level is set high enough. Everything in the timeframe close to
this log seems to be indexed regarding event.desc, and I am able to run
queries over them successfully.
Hi Christopher, there is nothing to be escaped in my query, therefore I am
searching just for "ROOT" or "ROOT LOGIN" in event.desc (event.desc
contains 'root'). I'll push that rule to the Decoder and take a look to see if
there is any difference.
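The two rule shapes mentioned in the posts above (a loose "event.desc contains 'root'" match versus a match on the actual login messages that Debian's login(1) and sshd emit) can be compared offline. The following is an added example, not code from the original thread or from RSA Security Analytics; the syslog lines it runs over are constructed for illustration, and the host, PIDs and addresses in them are made up. It shows why the loose substring rule fires on sudo and failed-password events that are not root logins, while a rule anchored on the "ROOT LOGIN ON" and "Accepted ... for root from" message texts only fires on successful root logins.

```python
import re
from typing import Dict, List, Optional

# Constructed RFC 3164-style syslog lines (not from the original post).
SAMPLE_LOGS = [
    "Sep 22 16:01:57 10.10.10.10 login[2175]: ROOT LOGIN ON tty1",
    "Sep 22 16:02:10 10.10.10.10 sshd[2201]: Accepted password for root from 10.10.10.50 port 51234 ssh2",
    "Sep 22 16:02:30 10.10.10.10 sshd[2210]: Accepted publickey for alice from 10.10.10.51 port 51240 ssh2",
    "Sep 22 16:03:00 10.10.10.10 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls",
    "Sep 22 16:03:15 10.10.10.10 sshd[2220]: Failed password for root from 10.10.10.52 port 51250 ssh2",
]

# "Mon DD HH:MM:SS host message" -- the BSD syslog header without PRI.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Successful root logins only:
#   util-linux login(1):  "ROOT LOGIN ON <tty>" (optionally "FROM <host>")
#   OpenSSH sshd:         "Accepted <method> for root from <ip> port <n> ssh2"
ROOT_LOGIN_RE = re.compile(r"\bROOT LOGIN ON\b|\bAccepted \S+ for root from\b")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog line into timestamp, reporting host and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def loose_rule(msg: str) -> bool:
    """Equivalent of a case-insensitive 'event.desc contains root'."""
    return "root" in msg.lower()


def strict_rule(msg: str) -> bool:
    """Fire only on the message texts a real root login produces."""
    return ROOT_LOGIN_RE.search(msg) is not None


def run_rules(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Apply both rules to every parseable line and return the hits per rule."""
    hits: Dict[str, List[Dict[str, str]]] = {"loose": [], "strict": []}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not a syslog line we understand; skip rather than guess
        if loose_rule(ev["msg"]):
            hits["loose"].append(ev)
        if strict_rule(ev["msg"]):
            hits["strict"].append(ev)
    return hits


if __name__ == "__main__":
    result = run_rules(SAMPLE_LOGS)
    for name, events in result.items():
        print(f"{name}: {len(events)} hit(s)")
        for ev in events:
            print(f"  {ev['ts']} {ev['host']} {ev['msg']}")
```

On the constructed input the loose rule returns four events (it also picks up the sudo line and the failed root password), while the strict rule returns the two genuine root logins. When tuning the SA rule, the same split applies: match on the exact login message text rather than on the bare word "root" if the alert is meant to cover successful root logins only.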
Hi John, thank you for the fast response. In index-concentrator.xml there is
already "IndexValues", and I am also able to search in "event.desc" except
in this one (it's the first one which I found to be unusable). There
must be some problem with apostrophes i...
Problem solved... I removed Alert ID from the Meta Group, and when I tried to
re-add it, the Alerts were there as well... That's really weird, but I am
glad that it's finally there. Thanks Deepanshu! I think that without your
screenshot I would never have tried to remove...