Alert rule for auth critical messages in syslog.
An auth critical event was detected in the system log files.
This rule is disabled by default. To enable this rule for monitoring, use overrides to configure the log file path and enable the rule. The log file path is set with the overridable property named LogFile, and the value must be set to the full path to the log file that will receive these events, as defined in the syslog configuration. Overrides can be used to change the parameter values for all instances or for specific instances or groups.
A security failure may happen due to several reasons. Information about the failure is available in the associated output data item, events and alerts.
The description of the alert and/or the output data item contains information on the problem encountered. Check the associated event details and any other security events that happened around the time of this failure to diagnose the problem.
Target | Microsoft.Solaris.11.Computer | ||
Category | EventCollection | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
|
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Unix.SCXLog.Datasource | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Solaris.11.LogFile.Syslog.Auth.Critical.Alert" Target="Microsoft.Solaris.11.Computer" Enabled="true" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<!-- [TYPE] Solaris Alert False -->
<!-- [INPUT] Nov 30 16:22:28 jeffcof-sol11-x86 su: [ID 810491 auth.crit] 'su root' failed for jeffcof on /dev/pts/1 -->
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Datasource">
<Host>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
<LogFile>/var/adm/messages</LogFile>
<RegExpFilter>\[ID [[:digit:]]+ auth\.(crit|emerg|alert)\]</RegExpFilter>
<IndividualAlerts>false</IndividualAlerts>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Solaris.11.LogFile.Syslog.Auth.Critical.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>