<rule id="5504" level="5">
<if_sid>5500</if_sid>
- <match>check pass; user unknown</match>
+ <match>check pass; user unknown|error retrieving information about user</match>
<description>Attempt to login with an invalid user.</description>
<group>invalid_login</group>
</rule>
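Review bot: The new alternative `error retrieving information about user` in rule 5504 comes with no comment or sample log line saying which PAM module writes that message. The rule only fires for events that already matched parent 5500, which is outside this hunk, so if the message is emitted by a module whose lines are not decoded under 5500, this alternative would never match and invalid-user attempts logged that way would stay unalerted. Confirm this by running a captured sample line through the rule test tool. I would also add a comment above the match, for example `<!-- 2nd alternative: emitted by MODULE_NAME_PLACEHOLDER for a nonexistent account -->`.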
<description>User changed password.</description>
</rule>
+ <rule id="5556" level="0">
+ <decoded_as>unix_chkpwd</decoded_as>
+ <description>unix_chkpwd grouping.</description>
+ </rule>
+
+ <rule id="5557" level="5">
+ <if_sid>5556</if_sid>
+ <match>password check failed </match>
+ <description>Password check failed.</description>
+ <group>authentication_failure</group>
+ </rule>
+
</group> <!-- SYSLOG,pam -->
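Review bot: Rule 5557 tags the event with `<group>authentication_failure</group>`, while the stock OSSEC rules use the group name `authentication_failed`. If the frequency and correlation rules in this ruleset key on that name (they are outside this hunk), repeated unix_chkpwd failures would not count toward brute-force detection. I would change it to `<group>authentication_failed</group>`, following whatever trailing-comma convention the rest of the file uses. Separately, `<match>password check failed </match>` relies on a trailing space that an XML formatter or editor can strip silently. Spelling out the continuation, e.g. `<match>password check failed for user</match>`, makes the intent explicit, once checked against a real unix_chkpwd line.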