I have a very basic alert I want to set up. Essentially I want to trigger an alert when Splunk sees more than X amount of deny logs from the same source address.
I can create an alert if it sees more than X amount of deny logs, but I am only interested when a high amount of denies come from a single source.
If I could see how this is written the logic can be used to create countless other alert conditions. I appreciate any help. Below is a sample deny log
Apr 8 13:45:20 192.168.100.1 1 2014-04-08T13:45:21.129-04:00 FW RT_FLOW - RT_FLOW_SESSION_DENY [email@example.com source-address="220.127.116.11" source-port="7986" destination-address="172.19.2.1" destination-port="2000" service-name="junos-sccp" protocol-id="6" icmp-type="0" policy-name="DENY-LOG(global)" source-zone-name="trust" destination-zone-name="trust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="vlan.3" encrypted="UNKNOWN" reason="policy deny"] session denied 18.104.22.168/7986->172.19.2.1/2000 junos-sccp 6(0) DENY-LOG(global) trust trust UNKNOWN UNKNOWN N/A(N/A) vlan.3 UNKNOWN policy deny
You'd do something like this:
base search yielding deny events | stats count by source-address | where count > X
I'm assuming you're looking at the field source-address; fill in a value for X. Define an alert to trigger whenever this search yields events.
I am a little confused. I created a regular search looking for the word deny. This matches all the deny logs from my firewall.
From there I saved the search as an alert. Now under the trigger condition selected custom and put the following
stats count by source-address | where count > 5
This is a real-time search looking at the past 1 minute.
What am I doing wrong here?
stats should be part of the saved search. The where can be part of the search as well, or it can be defined in the trigger condition.
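The same logic as the suggested search (base deny search | stats count by source-address | where count > X), written here as an added Python example that is not from this thread or from Splunk, and run over constructed Junos RT_FLOW_SESSION_DENY lines; the key="value" parser, the junos-sd-id structured-data id and the RFC 5737 addresses are assumptions.

```python
import re
from collections import Counter

# Matches the key="value" pairs inside the RT_FLOW structured-data block.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def rt_flow_line(src, dport, event="RT_FLOW_SESSION_DENY"):
    """Build one constructed syslog line in the Junos format from the question."""
    action = "denied" if "DENY" in event else "created"
    return (
        f"Apr 8 13:45:20 192.168.100.1 1 2014-04-08T13:45:21.129-04:00 FW RT_FLOW - "
        f'{event} [junos-sd-id source-address="{src}" source-port="7986" '
        f'destination-address="172.19.2.1" destination-port="{dport}" '
        f'policy-name="DENY-LOG(global)" reason="policy deny"] '
        f"session {action} {src}/7986->172.19.2.1/{dport}"
    )


# Constructed sample: one source exceeding the threshold, one quiet source,
# and one non-deny event that must not be counted (RFC 5737 addresses).
SAMPLE_LOGS = (
    [rt_flow_line("192.0.2.10", port) for port in range(2000, 2006)]
    + [rt_flow_line("198.51.100.7", port) for port in (22, 443)]
    + [rt_flow_line("192.0.2.10", 80, event="RT_FLOW_SESSION_CREATE")]
)


def parse_fields(line):
    """Extract the key="value" fields of one RT_FLOW event as a dict."""
    return dict(KV_RE.findall(line))


def denies_per_source(lines):
    """Equivalent of: base deny search | stats count by source-address."""
    counts = Counter()
    for line in lines:
        if "RT_FLOW_SESSION_DENY" not in line:  # the base search filter
            continue
        fields = parse_fields(line)
        if "source-address" in fields:  # skip malformed events
            counts[fields["source-address"]] += 1
    return counts


def noisy_sources(lines, threshold):
    """Equivalent of the trailing: | where count > threshold."""
    return {src: n for src, n in denies_per_source(lines).items() if n > threshold}


if __name__ == "__main__":
    for src, n in noisy_sources(SAMPLE_LOGS, 5).items():
        print(f"ALERT: {n} denies from {src}")  # ALERT: 6 denies from 192.0.2.10
```

Keeping the stats and where stages in the saved search itself, as the answer advises, means the alert fires on "search returns results" rather than on a custom trigger that has no stats output to act on.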