I am trying to set up alerts on failed password attempts for any user on my *nix box.
Below is my query and it works fine, but I am having trouble setting up alerts. It just floods my mailbox as soon as the condition matches.
index="main" "Failed password for" OR "authentication failure"
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<SSHPort>\d+)"
| stats count by _time, SSHInvalidUser, InvalidSSHIP, host
| eventstats count by SSHInvalidUser
Below is what my current trigger condition looks like.
Alert type = Real-time
Trigger alert when -> Number of Results
Is Greater than 1
In 1 minutes
Basically, I would like it to be triggered if there are multiple users, or even a single user, trying to break in or attempting a brute force.
For that I think I may need to change the condition in my query; please correct me if I am wrong.
index="main" "Failed password for" OR "authentication failure"
| bin _time span=10m
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<SSHPort>\d+)"
| stats count by _time, SSHInvalidUser, InvalidSSHIP, host
| where count >= 1
I have configured the following alert:
*/10 * * * *
Run every 10 minutes and, if the count is equal to or more than 1 within the 10-minute time span, send the alert.
You don't need to use the bin command. Your original query will work fine for any time period you want to set. Just be sure to use a "scheduled" alert and then set the "time period" in the alert configuration to match the run frequency.
I have set the Time Range 15 minutes and Run on Cron Schedule with * * * * * every minute. Do I also have to do something in Trigger Conditions or leave it default?
So basically it checks a 15-minute time range, runs the cron job every minute, and checks whether there were any failed login attempts in the last 15 minutes? Please correct me if I am wrong.
It will run every minute and search the past 15 minutes. This means you will get 15 emails for every event. So you need to set the time range the same as the run frequency. Set the trigger condition to "Trigger once if results > 0".
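The advice above (a scheduled search whose time range equals its run frequency, triggering once when results > 0) written out as a savedsearches.conf stanza. This is an added example, not configuration posted in the thread; the stanza name, the app it lives in and the recipient address are assumptions.

```ini
# Added example: place in <app>/local/savedsearches.conf (app name assumed).
[SSH failed password alert]
enableSched = 1
# Run every 10 minutes ...
cron_schedule = */10 * * * *
# ... and search exactly the previous 10 minutes, snapped to the minute,
# so each event is seen by one run only and produces one alert.
dispatch.earliest_time = -10m@m
dispatch.latest_time = @m
# The rex field names match the ones used in the thread; SSHPort is assumed.
search = index="main" ("Failed password for" OR "authentication failure") \
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<SSHPort>\d+)" \
| stats count by SSHInvalidUser, InvalidSSHIP, host
# "Trigger once if results > 0": digest mode sends one alert for all results
# of a run instead of one alert per result row.
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
alert.track = 1
action.email = 1
# Recipient is a placeholder.
action.email.to = secops@example.com
action.email.subject = SSH failed logins in the last 10 minutes
```

Because the window is snapped to the minute boundary, consecutive runs neither overlap nor leave gaps, which is what stops the duplicate mails described above.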