Hi All...
I am trying to figure out how to generate an alert if the same IP address fails SSH authentication on multiple sources (hosts).
Example Data
Jun 5 08:26:55 clunker-aus sshd[4087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186 user=monitor
Jun 5 08:26:55 webserver-aus sshd[4089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186 user=root
Jun 5 08:26:55 server1 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186 user=root
How would I create an alert for a pattern matching this in, let's say, a 5 minute window against 3 or more hosts?
Thanks in advance 😃
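As an added illustration of the detection the question describes (not part of the original post, and not Splunk's own code), the following Python script parses the syslog lines above and raises an alert when one source IP (rhost) fails SSH authentication on 3 or more distinct hosts inside a rolling 5 minute window. The log lines are constructed for the example (the three from the question plus a decoy second IP that only hits one host per window); the year 2024 is an assumption, since syslog timestamps carry no year, and the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input modelled on the question's data. The last two lines
# are a decoy: one source IP, two hosts, but 10 minutes apart (outside the window).
SAMPLE_LOG = """\
Jun 5 08:26:55 clunker-aus sshd[4087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186 user=monitor
Jun 5 08:27:10 webserver-aus sshd[4089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186 user=root
Jun 5 08:28:02 server1 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.22.0.186 user=root
Jun 5 08:29:30 server2 sshd[4101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.8.7 user=admin
Jun 5 08:40:00 server3 sshd[4120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.9.8.7 user=admin
"""

# Matches the pam_unix "authentication failure" line and pulls out the
# timestamp, the reporting host and the remote source IP (rhost=).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*?rhost=(?P<rhost>\S+)"
)

ASSUMED_YEAR = 2024  # assumption: syslog timestamps have no year field


def parse_line(line):
    """Return (timestamp, host, rhost) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["rhost"]


def detect_spray(lines, window_seconds=300, min_hosts=3):
    """Rolling-window detection: for each rhost keep the failures seen in the
    last window_seconds; alert once a distinct-host set of size >= min_hosts
    appears. Returns a list of (rhost, time_of_alert, sorted_hosts).
    Assumes lines are in chronological order."""
    recent = defaultdict(deque)   # rhost -> deque of (timestamp, host)
    alerts = []
    already_fired = set()         # (rhost, host-set) pairs already reported

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # not an sshd auth failure; ignore
        ts, host, rhost = parsed
        q = recent[rhost]
        q.append((ts, host))
        # Drop failures that fell out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) >= min_hosts:
            key = (rhost, tuple(hosts))
            if key not in already_fired:
                already_fired.add(key)
                alerts.append((rhost, ts, hosts))
    return alerts


if __name__ == "__main__":
    for rhost, when, hosts in detect_spray(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when:%b %d %H:%M:%S}: {rhost} failed SSH auth on "
              f"{len(hosts)} hosts: {', '.join(hosts)}")
```

Keying the window on rhost and counting distinct reporting hosts is what separates this from a plain failed-login threshold: many failures against one box stay quiet, while a few failures spread across the estate fire. The same grouping in Splunk terms would be a distinct count of host by rhost (extracted with rex) filtered to 3 or more, scheduled over a 5 minute rolling window; that search is my suggestion, not the poster's.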
Try this search, where XYZ is the name of your sourcetype:
sourcetype=XYZ "authentication failure"
Then save it as an alert with the following characteristics:
Number of hosts
Here are the docs: Define rolling-window alerts