OK, I have done this:
event filter> show
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
default-trap-events
            1        include   *                      *               EMERGENCY, ALERT
            2        include   callhome.*             *               ERROR
            3        include   *                      Standard, Built-in
                                                                      *
            4        exclude   *                      *               *
failedlogin-events
            1        include   security.invalid.login *               ALERT
            2        exclude   *                      *               *
important-events
            1        include   *                      *               EMERGENCY, ALERT
            2        include   callhome.*             *               ERROR
            3        exclude   *                      *               *
no-info-debug-events
            1        include   *                      *               EMERGENCY, ALERT, ERROR, NOTICE
            2        exclude   *                      *               *
event config*> show
Mail From: XXXXXX@XXXXXXX
Mail Server: HHHH.DDDD.COM
Proxy URL: -
Proxy User: -
Suppression: on
Console: on
Max Target Log Size: 36700160
Max Filter Count: 50
Max Filter Rule Count: 128
Max Destination Count: 20
Max Notification Count: 20
Filter Exempt from Suppression: failedlogin-events
Duplicate Suppression Duration (secs): 120
Log Rotation Size (bytes): 40MB
REST API Delivery Timeout (secs): 60
I then generated a failed logon, but the event was not logged, i.e. it was suppressed.
If I turn off suppression, all works OK and the failed login is recorded and shown in:
event log > show
3/28/2017 13:31:37 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: XXXXXX\YYYYYYY, application: ssh.