Is there a feature to configure a rule to alert or send an email on a failed login?
I know it will show on the home screen when there is a failed log-in, but I would like something that can alert a little better. Syslog maybe too?
Here is what I have configured, but it doesn't appear to be working. Is 1701 not the correct key?
Also, is there a key inside the UI to look for that can also see the failed ssh/console auths?
The ruleset you imported is correct; I believe 1701 is right. However, there is one adjustment I want to make to the best practice, and then it would be perfect. I'll try to do that today.
As far as failed SSH logins, there isn't anything in the GUI, but you could log that over syslog in the rsyslogd.conf under Configuration > Appliances > File Editor.
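As an added illustration of the syslog route mentioned above (this is not configuration from the thread or from the vendor): a minimal rsyslog fragment that forwards the appliance's SSH and console authentication messages to a remote collector. It assumes the appliance's rsyslogd.conf accepts classic rsyslog selector syntax, that sshd and PAM log to the auth/authpriv facilities as they do on a standard Linux host, and that `siem.example.internal` is a placeholder for your own collector.

```conf
# Added example, not from the thread: forward SSH/console authentication
# events to a remote syslog collector so failed logins are visible outside
# the appliance.
# Assumptions: classic rsyslog selector syntax is accepted in rsyslogd.conf;
# "siem.example.internal" is a placeholder hostname for the collector.

# sshd and PAM write authentication results (including "Failed password"
# and "authentication failure" lines) to auth / authpriv. Send every
# message from those facilities to the collector over TCP ("@@").
auth,authpriv.*    @@siem.example.internal:514

# Keep a local copy as well, so the entries can still be reviewed on the
# appliance if the collector is unreachable.
auth,authpriv.*    /var/log/auth_events.log
```

A single `@` instead of `@@` would send over UDP; TCP is used here so that a dropped packet does not silently lose a failed-login record. Restart or reload rsyslog after saving the file for the change to take effect.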
Here is a revised ruleset. I'll work with the owner of the article to get it updated.
The revised ruleset allows you to pick the ID you want to monitor for AND allows you to fall back to the original description of the incident.
So in your example you have "1701 > 1000;bad login"
With the new ruleset you can just put "1701 > 1000;" and this will have the MWG fill in the message instead of using a generic message that you came up with.