Override alert based on values in the alert description

  • Question

  • Hello,

    SCOM 2019 monitors our Linux (RHEL6/RHEL7) environment and Qualys does a security check.
    It regularly checks if it can log in using SSH with known old passwords.

    For each attempt the management pack creates an alert in SCOM

    I need an override config so that when the IP address is it won't create an alert.
    I have tried working with RegExpFilters but can't figure it out.

    The default monitor configuration shows 




    Wednesday, July 22, 2020 1:27 PM

All replies

  • The RegExpFilter should indeed be the way to go, but you need a regex that will not match if the log entry contains

    Could you show us an example of such entry?

    • Edited by CyrAz Wednesday, July 22, 2020 6:06 PM
    Wednesday, July 22, 2020 6:06 PM
  • The default RegExp filter is \s+sshd\[[[:digit:]]+\]: Failed password for (invalid user )?root from \S+ 

    I have tried creating a new one but it doesn't work.



    Wednesday, July 22, 2020 6:10 PM
  • I am no regex expert, but it seems it uses PHP regex syntax and something like this could work:

    \s+sshd\[[[:digit:]]+\]: Failed password for (invalid user )?root from ((?!192\.168\.1\.1(\D|$)))\S+

    You can test it here: https://regex101.com/

    Wednesday, July 22, 2020 7:33 PM
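The lookahead pattern from the reply above, exercised against constructed sshd log lines as an added example (this is not code from the thread or from the SCOM Linux management pack). Python's re module has no POSIX [[:digit:]] class, so \d stands in for it here; 192.168.1.1 is the placeholder scanner address used in the reply, since the question leaves the real IP blank; build_filter, alerting_lines and scom_pattern are names invented for this example. The boundary flag shows why the (\D|$) guard matters: without it, excluding 192.168.1.1 silently excludes 192.168.1.10 as well.

```python
import re

# Constructed sample lines in the syslog format the default filter expects
# (not taken from the thread).
SAMPLE_LINES = [
    "Jul 22 13:27:01 rhel7-web01 sshd[4242]: Failed password for root from 192.168.1.1 port 51234 ssh2",
    "Jul 22 13:27:02 rhel7-web01 sshd[4242]: Failed password for invalid user root from 192.168.1.1 port 51235 ssh2",
    "Jul 22 13:27:03 rhel7-web01 sshd[4243]: Failed password for root from 192.168.1.10 port 51236 ssh2",
    "Jul 22 13:27:04 rhel7-web01 sshd[4244]: Failed password for root from 10.0.0.5 port 51237 ssh2",
    "Jul 22 13:27:05 rhel7-web01 sshd[4245]: Accepted password for root from 10.0.0.5 port 51238 ssh2",
]

# Placeholder for the scanner address; the question leaves the real IP blank.
SCANNER_IP = "192.168.1.1"

# Prefix shared with the MP's default filter, with \d standing in for [[:digit:]].
_PREFIX = r"\s+sshd\[\d+\]: Failed password for (invalid user )?root from "


def build_filter(excluded_ip: str, boundary: bool = True) -> re.Pattern:
    # Negative lookahead: the line only matches (and so only alerts) when the
    # source address is NOT the excluded one. boundary=True appends the (\D|$)
    # guard from the reply, so 192.168.1.1 does not also swallow 192.168.1.10,
    # 192.168.1.100 and so on.
    ip = re.escape(excluded_ip)
    guard = r"(\D|$)" if boundary else ""
    return re.compile(_PREFIX + r"(?!" + ip + guard + r")\S+")


def alerting_lines(lines, excluded_ip: str, boundary: bool = True) -> list:
    # Lines that would still raise a SCOM alert under the filter.
    pattern = build_filter(excluded_ip, boundary)
    return [line for line in lines if pattern.search(line)]


def scom_pattern(excluded_ip: str) -> str:
    # Same filter written with the POSIX class the MP's default filter uses,
    # ready to paste into a RegExpFilter override.
    return (r"\s+sshd\[[[:digit:]]+\]: Failed password for (invalid user )?root from "
            r"(?!" + re.escape(excluded_ip) + r"(\D|$))\S+")


if __name__ == "__main__":
    for line in alerting_lines(SAMPLE_LINES, SCANNER_IP):
        print("ALERT:", line)
    print("override pattern:", scom_pattern(SCANNER_IP))
```

Run as-is, only the 192.168.1.10 and 10.0.0.5 failures are reported; both 192.168.1.1 lines (plain root and "invalid user root") are suppressed and the accepted login never matched in the first place. Dropping the guard makes the 192.168.1.10 line disappear too, which is exactly the gap an attacker on an adjacent address would benefit from.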
  • You could also add a filter condition to your rule, between the datasource and the writeaction (not 100% sure of the XPath though, I would need to double check the XML structure of the Linux events propertybags):

    <ConditionDetection ID="Filter" TypeID="System!System.ExpressionFilter">
      <XPathQuery Type="String">EventDescription</XPathQuery>

    More about these: https://matthewlong.wordpress.com/2012/07/03/the-scom-unsung-hero-using-the-system-expressionfilter-module/

    • Edited by CyrAz Saturday, July 25, 2020 9:27 PM
    Wednesday, July 22, 2020 8:39 PM