|
Hello, I'm trying to setup an alert that fires when a user tries to log in from more than one src ip address within the last 24 hours. My base search looks like index=myindex product=myvpnappliance Src ip's and user fields are extracted automatically. I've tried different searches to no effect. Can anybody please help? |
|
Both appear to work, i still need to figure out how to setup an alert to fire when the source ip count for any user is greater than 1. i am not sure what you mean but you just need click to create alert below this search. And Ziegfried search is the one to use as it is more efficient
(16 Jun '11, 05:25)
MarioM
I understand the search and it does work, i also understand how to create alerts, since i have created them before. However, when i choose to create the alert, i only get three conditions: if number of events, hosts, source, and a custom condition. For now i'm just going to send an alert if that search returns any results, but ideally i would like an alert to fire as soon as a user is trying to connect from more than one unique src ip within a specified timeframe. I know this will require the search to run in real time and probably the use of a custom condition.
(16 Jun '11, 06:28)
Joetron
Choose if number of events is greater than 0 since you're already evaluating the condition in the search string.
(16 Jun '11, 06:30)
ziegfried ♦
|
|
this might be more efficient: |
|
what about? 2
While this should work, using
(15 Jun '11, 16:21)
southeringtonp ♦
|
