New to LEM... we enabled a bunch of default rules. Every 15 minutes or so, incidents are created from events automatically happening on the manager. The rules that are firing to create the incidents are "Authentication Traffic but No Agent" and "Authentication Attempt - Default Account".
The event info is always 'pam user logoff "root" from service "cron:session"' and 'pam user logon "root" for service "cron:session"'
From the description of the "Authentication Traffic but No Agent" rule, it says it "Detects unauthorized workstations on the network" which is something we'd like to do. So are we supposed to modify the rule to exclude the LEM Manager?
For the "Authentication Attempt - Default Account" rule, I see it's looking for authentication attempts for *administrator, *root, or *guest. While we would like to know if somebody is trying to log in with these accounts, I don't really care that the LEM manager is logging in by itself to run cron jobs.
How do we exclude these specific events from generating the incidents, but allow LEM to create incidents if the rules are triggered for other reasons?
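The following is an added illustration, not part of the question above and not LEM's own rule syntax or code. It shows, in plain Python, the shape of the exception the poster is after: keep the "default account" match on *administrator/*root/*guest, but carve out only the manager's own cron:session events, so a root logon over another service on the manager, or a root cron logon on any other host, still alerts. The event format is taken from the two messages quoted in the post; the host name `lem-manager`, the host names in the sample events, and the sample events themselves are constructed for the example.

```python
"""Default-account detection with a narrow exception for the manager's own cron activity.

Added example; not SolarWinds LEM code or rule syntax.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Wildcard account patterns, as the post describes the rule checking
DEFAULT_ACCOUNT_PATTERNS = ("*administrator", "*root", "*guest")

# Assumption: the manager's host name as it appears in the event's source field
LEM_MANAGER_HOST = "lem-manager"
# Only this service, only on the manager, is tolerated
EXCLUDED_SERVICES = {"cron:session"}

# Matches both forms quoted in the post:
#   pam user logon "root" for service "cron:session"
#   pam user logoff "root" from service "cron:session"
_EVENT_RE = re.compile(
    r'pam user (?P<action>logon|logoff) "(?P<account>[^"]+)" '
    r'(?:for|from) service "(?P<service>[^"]+)"'
)


@dataclass
class PamEvent:
    host: str
    action: str
    account: str
    service: str


def parse_event(host: str, message: str) -> Optional[PamEvent]:
    """Parse one PAM event message; return None if it is not in the expected form."""
    m = _EVENT_RE.search(message)
    if not m:
        return None
    return PamEvent(host, m["action"], m["account"], m["service"])


def is_default_account(account: str) -> bool:
    """Case-insensitive wildcard match against the default-account patterns."""
    name = account.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in DEFAULT_ACCOUNT_PATTERNS)


def is_manager_self_activity(ev: PamEvent) -> bool:
    """True only for the manager's own cron sessions; nothing else is excluded."""
    return ev.host == LEM_MANAGER_HOST and ev.service in EXCLUDED_SERVICES


def should_alert(ev: PamEvent) -> bool:
    """Alert on logon attempts with a default account, minus the manager's cron exception."""
    return (
        ev.action == "logon"
        and is_default_account(ev.account)
        and not is_manager_self_activity(ev)
    )


# Constructed sample events: (source host, message)
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("lem-manager", 'pam user logon "root" for service "cron:session"'),   # excluded
    ("lem-manager", 'pam user logoff "root" from service "cron:session"'), # logoff, ignored
    ("lem-manager", 'pam user logon "root" for service "sshd"'),           # still alerts
    ("db01", 'pam user logon "root" for service "cron:session"'),          # other host, alerts
    ("web01", 'pam user logon "administrator" for service "sshd"'),        # alerts
    ("web01", 'pam user logon "alice" for service "sshd"'),                # not a default account
]


def evaluate(events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, account, service) for every event that should raise an incident."""
    alerts = []
    for host, msg in events:
        ev = parse_event(host, msg)
        if ev is not None and should_alert(ev):
            alerts.append((ev.host, ev.account, ev.service))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The point of keying the exception on both the host and the service is that it stays narrow: excluding cron:session everywhere would hide a real cron-driven root logon on another box, and excluding the manager entirely would hide an interactive root logon to it. The same host-scoped idea applies to the "Authentication Traffic but No Agent" rule, where the manager itself is the one host you would expect to exclude.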