I have access to the log file /var/log/secure.
It uses logrotate (set to daily).
I need to collect login failures occurring 3 times from 1 IP within 1 hour from the log file /var/log/secure.
I used the following query:
> source="/var/log/secure" sourcetype=linux_secure process=sshd "password for" NOT pam_unix NOT Accepted earliest=-24h latest=now | rex field=_raw "(?<action>Accepted|Failed) password for (?<user>\w+) from (?<ipaddr>[0-9A-Fa-f:\.]+)" | stats count by ipaddr | where count >=3
I need help collecting these logs within a 1-hour window.
Please support me.
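As an added example (not part of the question or of Splunk), here is the same detection written in Python over a few constructed /var/log/secure lines: it keeps a sliding 1-hour window of failed sshd password attempts per source IP and reports an IP once it reaches 3 failures inside that window, which is what distinguishes "3 failures within 1 hour" from "3 failures in the last 24 hours". The threshold, the window length, the year assumed for syslog timestamps, and the extra handling of "invalid user" lines are my assumptions, not something from the original query.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same fields as the rex in the question (action, user, ipaddr), plus the syslog
# timestamp; "invalid user X" is accepted so the user field is not mis-captured.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<action>Accepted|Failed) password for (?:invalid user )?(?P<user>\w+) "
    r"from (?P<ipaddr>[0-9A-Fa-f:.]+)"
)

THRESHOLD = 3          # assumption: 3 failures ...
WINDOW_SECONDS = 3600  # ... within 1 hour
LOG_YEAR = 2024        # assumption: syslog lines carry no year

# Constructed sample lines in /var/log/secure format (not real log data).
SAMPLE_LOG = """\
Mar 10 08:00:00 host1 sshd[1100]: Failed password for root from 198.51.100.9 port 30000 ssh2
Mar 10 09:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 09:05:00 host1 sshd[1205]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.7
Mar 10 09:20:15 host1 sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 10 09:45:30 host1 sshd[1215]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 09:50:02 host1 sshd[1220]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar 10 10:30:00 host1 sshd[1300]: Failed password for root from 198.51.100.9 port 30001 ssh2
Mar 10 12:00:00 host1 sshd[1400]: Failed password for root from 198.51.100.9 port 30002 ssh2
"""

def parse_line(line, year=LOG_YEAR):
    """Return (timestamp, action, user, ipaddr) or None for non-matching lines."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["action"], m["user"], m["ipaddr"]

def find_repeated_failures(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Map each offending IP to the time its failure count first hit the threshold
    inside a sliding window; lines are expected in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue
        ts, _, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

if __name__ == "__main__":
    for ip, when in find_repeated_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {THRESHOLD} failed logins within {WINDOW_SECONDS // 60} min by {when}")
```

On the sample, 203.0.113.7 is reported (three failures between 09:00 and 09:50) while 198.51.100.9 is not, even though it also has three failures within 24 hours; a `stats count by ipaddr` over `earliest=-24h` would flag both.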