We have a simple query which tracks failed login attempts, however, the eventstats function is unable to give me the proper count filter where we need only results where a user has exceeded a specific amount of login attempts:
What our current query looks like:
index=localLogFile loginFail: host=LocalServer | rex field=_raw " ]\s\w{4}:\s(?P/*?):" | eventstats count AS aFieldCount by FailReason | eventstats count(InfoMessage) AS EventCountTotal | table ipAddress UserName FailReason Info Message aFieldCount EventCountTotal
What I'm looking to add to this query
We are looking to simply add another instance of eventstats or stats count that will give us the number of failed attempts when it is less than or greater than a specific number of occurrences, allowing us to later generate a report that will trigger when someone has attempted to log in more times than they should have.
Any direction or help is appreciated
try something like this,
makeresults|stats count(_raw) as total_failure_attempts by FailReason| eval occurrence=10|where total_failure_attempts>occurrence | table field_1 field_2 field_3
Thank you,
I ended up combing your logic with my existing query successfully.