I am new to this. How can I use MULTIPLE keywords to trigger alerts? It has to be for ANY user, not a particular one. We do not have the enterprise edition yet. I looked at the alert rule; I think I have to do the following:
"Events/Log Level" ANY and match substring "sshd session opened"
I do not understand where I would use "(=username)". I have attached a screenshot to give you a visual. Please comment.
I don't think you can do multiple keywords with an AND statement without actually doing multiple conditions (yep, enterprise...), but if there is a string that shows up regularly, such as "login" or "sshd session opened", you could create TWO separate alerts. HTH, -Stacey
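To make concrete what "multiple keywords" on one event would look like, here is an added example; it is not code from this thread or from HQ's own alerting, and the log lines in it are constructed. It is a small Python matcher that requires every keyword to appear on a line (an AND over substrings), then pulls the username out of the pam_unix "session opened for user ..." message so the match works for any user rather than a named one. Running it with only "session opened" as the keyword shows why the AND matters: the cron session for root is picked up as well.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog-style lines (not taken from the thread or any real host).
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2311]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 10:01:12 host1 sshd[2311]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:02:40 host1 cron[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:03:01 host1 sshd[2450]: Failed password for invalid user bob from 10.0.0.9 port 51300 ssh2
Mar  3 10:04:15 host1 sshd[2470]: pam_unix(sshd:session): session opened for user carol by (uid=0)
"""

# Username follows "session opened for user" in the pam_unix message; \S+ stops at the space.
SESSION_RE = re.compile(r"session opened for user (?P<user>\S+)")


@dataclass
class LoginEvent:
    line_no: int
    user: str
    raw: str


def matches_all(line, keywords):
    """AND-match: every keyword must appear as a case-insensitive substring of the line."""
    lowered = line.lower()
    return all(k.lower() in lowered for k in keywords)


def find_login_events(log_text, keywords=("sshd", "session opened")):
    """Return one LoginEvent per line that matches all keywords and names a user.

    The default keywords are an assumption for this example: "sshd" narrows the match
    to the SSH daemon, "session opened" selects the pam_unix session-start message.
    """
    events = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not matches_all(line, keywords):
            continue
        m = SESSION_RE.search(line)
        if not m:
            continue  # matched the keywords but carries no username, so no alert
        events.append(LoginEvent(n, m.group("user"), line))
    return events


def alert_messages(events):
    """Format the alert text; the username is filled in per event, not fixed in the rule."""
    return [f"ALERT: ssh session opened for user {e.user} (line {e.line_no})" for e in events]


if __name__ == "__main__":
    for msg in alert_messages(find_login_events(SAMPLE_LOG)):
        print(msg)
    print("--- with only 'session opened' (no AND with 'sshd') ---")
    for msg in alert_messages(find_login_events(SAMPLE_LOG, ("session opened",))):
        print(msg)
```

The "Accepted publickey" line contains "sshd" but not "session opened", and the cron line contains "session opened" but not "sshd", so only the two sshd session lines (alice and carol) produce alerts under the AND; dropping "sshd" adds the root cron session.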
I changed step 2 from WARN to Info: "platform.log_track.level Warn" > "platform.log_track.level Info", but that still did not do the trick. I am really puzzled how else I can go about it. I am sure I am not the only one trying to do this. If you have this implemented, what are your exact settings (please be as detailed as possible)?
First thing you should be aware of is that this is not instant. The log event checks run every 5 minutes, so you may have to wait up to 5 minutes to get a "user logged in" event in HQ.
Second thing to know is that the "user login" events you are looking for are not obtained by looking in any log, so you do not have to do any log configuration beyond turning it on to get these events.
Third, this does not always work on Windows. It does not sound like you are on Windows, but just in case.
Are you seeing events that look like the one mirko posted in the second post?
Try these settings just to see if we can get it working:
- platform.log_track.enable = true
- platform.log_track.level = Error
- Leave all other log_track properties empty. Make sure there is nothing in the text fields for platform.log_track.include, platform.log_track.exclude and platform.log_track.files.
Next, edit your alert definition and remove the substring; just make it empty. This means you are setting up an alert on ALL log track events. Since you did not specify any log track files, I would only expect to see login events. Try logging in a new user on the system and keep that user logged in for at least 5 minutes. If you still do not get an event or the alert notification for the event, I'm not sure; I would need details about what OS, etc. you are running on.