I have set up event notification for security events like 'security.invalid.login' to be emailed to an ALERT list. This is an attempt at basic attack detection.
The first event tested perfectly, then it stopped!
Investigation revealed 'event config show' suppression = ON.
Now here is where I want to have my cake and eat it!!
Is it possible to exclude certain events such as security from event suppression? This is important for 2 reasons:
1) We actually receive event notifications as expected without suppression of security.*
2) Our logs show an accurate picture of security events, for example a brute force attack
My alternative would be to turn off suppression; however, it would be nice to tailor suppression if it was possible.
Rgds AndyP