Hello,
I'm trying to setup an alert that fires when a user tries to log in from more than one src ip address within the last 24 hours.
My base search looks like index=myindex product=myvpnappliance
Src ip's and user fields are extracted automatically.
I've tried different searches to no effect. Can anybody please help?
Both appear to work, i still need to figure out how to setup an alert to fire when the source ip count for any user is greater than 1.
Both appear to work, i still need to figure out how to setup an alert to fire when the source ip count for any user is greater than 1.
Choose if number of events is greater than 0 since you're already evaluating the condition in the search string.
I understand the search and it does work, i also understand how to create alerts, since i have created them before. However, when i choose to create the alert, i only get three conditions: if number of events, hosts, source, and a custom condition. For now i'm just going to send an alert if that search returns any results, but ideally i would like an alert to fire as soon as a user is trying to connect from more than one unique src ip within a specified timeframe. I know this will require the search to run in real time and probably the use of a custom condition.
i am not sure what you mean but you just need click to create alert below this search.
And Ziegfried search is the one to use as it is more efficient
this might be more efficient:
index=myindex product=myvpnappliance | stats dc(src_ip) as src_ip_count by username | where src_ip_count>1
what about?
index=myindex product=myvpnappliance | transaction username maxspan=24h | where mvcount(src_ip) > 1 | table username src_ip
While this should work, using transaction
is a pretty inefficient approach for this particular case. Much better to use stats
as ziegfried suggests.