I followed a tutorial on how to create an alert for a failed root login by typing "failed password for root". The alert is created, but I want to see the alert be triggered. I'm working on a VM; what's the best way to see the alert in action?
This alert is related to a failed access to a Linux system, so you only have to try to access your Linux target system with a wrong account or wrong password.
What's your problem?
The EventCode of the failed login in Windows is 4625, so you have to check it:
index=wineventlog EventCode=4625 | stats count BY host Account_Name | where count>10
Obviously, you can choose the final threshold you prefer.
Only one final piece of information: Windows can be useful for testing (I use it on my laptop), for a Proof of Concept or for a very small infrastructure, but I have never seen any production system using Windows as the Operating System!
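To see what the alert in this thread actually matches, here is an added Python example (not code from the thread) that applies the same "Failed password for root" pattern and the count-by-host threshold from the SPL above to constructed auth.log lines in the usual OpenSSH syslog format, and builds a synthetic burst so you can watch the threshold trip on a VM without hammering the real sshd. The sample lines, host names and the helper names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from any real system), in the
# usual OpenSSH syslog format: "<timestamp> <host> sshd[pid]: Failed password for ..."
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 vm1 sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar  3 10:01:15 vm1 sshd[1201]: Failed password for root from 192.0.2.10 port 51235 ssh2
Mar  3 10:01:20 vm1 sshd[1203]: Failed password for invalid user admin from 192.0.2.11 port 40000 ssh2
Mar  3 10:02:01 vm1 sshd[1210]: Accepted password for alice from 198.51.100.7 port 22222 ssh2
Mar  3 10:03:44 vm2 sshd[2201]: Failed password for root from 203.0.113.5 port 33333 ssh2
"""

# Matches the sshd failure line; "invalid user" is optional so unknown accounts are counted too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def count_failures(log_text, user=None):
    """Count 'Failed password' events per (host, user), the equivalent of
    '| stats count BY host Account_Name'. If user is given, keep only that account."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        if user is not None and m.group("user") != user:
            continue
        counts[(m.group("host"), m.group("user"))] += 1
    return counts


def alert_rows(log_text, threshold=10, user=None):
    """Return (host, user, count) rows with count > threshold, like '| where count>10'."""
    return [(h, u, c) for (h, u), c in sorted(count_failures(log_text, user).items())
            if c > threshold]


def synthetic_failures(host, n, src="192.0.2.99"):
    """Build n synthetic 'Failed password for root' lines for a test host (constructed data),
    the kind of burst you would feed into your log input to see the alert fire on a VM."""
    return "".join(
        f"Mar  3 11:00:{i % 60:02d} {host} sshd[{3000 + i}]: "
        f"Failed password for root from {src} port {50000 + i} ssh2\n"
        for i in range(n)
    )


if __name__ == "__main__":
    print(alert_rows(SAMPLE_AUTH_LOG, threshold=1, user="root"))
    print(alert_rows(SAMPLE_AUTH_LOG + synthetic_failures("vm3", 12)))
```

With the five sample lines alone nothing exceeds the threshold of 10; only the synthetic burst for the hypothetical host vm3 produces an alert row.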