SEM Rule Not Firing for EventInfo / ExtraInfo Fields

Hi all,

I’m trying to create a SEM rule to monitor chown executions on Linux.

I created a rule using EventInfo and ExtraInfo as it is shwon in live events
EventInfo = /bin/chown and/or ExtraInfo = TeleType: "pts/1", Working Directory: "/tmp", Command: "/bin/chown"
The rule does not fire when the command is executed.
However, if I choose “File – Execute Occurred”, the rule fires correctly.
even we choose only *chown* in eventinfo not working

My question:

Is it normal that SEM rules using EventInfo or ExtraInfo don’t trigger?
Is there a way to make SEM reliably fire on these fields without using the “File – Execute Occurred” event type?

Any guidance or best practices for creating rules based on EventInfo / ExtraInfo would be appreciated.

thanks in adanvce for your kind of help

Find more posts tagged with

Comments

npatterson

What connector are your using the FIM agent or is this syslog from Linux? It would be better to know what tool alias this is coming will help determine what field and data the connector has.

Herou-GH

This is a Linux machine, not a network device or a Windows machine, The FIM agent is only available for Windows.

For Linux we use a Linux agent, but it does not include FIM functionality