A security administrator notices that a specific user is generating excessive logs due to repeated authentication failures. The administrator wants to see only failed authentication events for that user in the monitor tab. Which filter string should be used in the log viewer?
- A: (addr.src eq user@domain.com) or (eventid eq auth-fail)
  Why wrong: OR would show all events for that user or all auth failures, not the intersection.
- B: (addr.src eq user@domain.com) and (severity ge medium)
  Why wrong: Severity does not specifically filter authentication failures.
- C (correct): (addr.src eq user@domain.com) and (eventid eq auth-fail)
  Correctly combines the user filter and the auth-fail event filter with AND, so only failed authentication events for that user are shown.
- D: (src eq user@domain.com) and (eventid eq auth)
  Why wrong: 'src' is not the standard field for user; 'eventid eq auth' is too broad.