Hello,
I am trying to set up alerts on failed password attempts for any user on my *nix box.
Below is my query and it works fine, but I am having trouble setting up alerts. It just floods my mailbox as soon as the condition matches.
index="main" "Failed password for" OR "authentication failure"
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<port>\d+)"
| stats count by _time, SSHInvalidUser, InvalidSSHIP, host | eventstats count by SSHInvalidUser
Below is what my current trigger condition looks like.
Alert type = Real-time
Trigger alert when -> Number of Results
Is Greater than 1
In 1 minutes
Trigger Once
Basically, I would like to get it triggered if there are multiple users, or even a single user, trying to break in, or a possible brute force.
Thanks!
Regards,
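The detection the post describes (failed SSH passwords grouped by source and user, counted inside a one-minute window, and triggered once rather than on every matching event), as an added Python example that is not code from the post or from Splunk. The log lines are constructed, the threshold, window and suppression period are assumed values, and the regex is the post's pattern with an optional "invalid user " prefix added so that both sshd message forms yield a clean user name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The post's rex pattern with named groups restored; "invalid user " prefix is optional.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<SSHInvalidUser>.*?) from "
    r"(?P<InvalidSSHIP>[^ ]+) port (?P<port>\d+)"
)

# Constructed sshd lines (not real data): one source tries several accounts.
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[101]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:04 host1 sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:09 host1 sshd[103]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:15 host1 sshd[104]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  3 10:00:40 host1 sshd[105]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:55 host1 sshd[106]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:12:00 host1 sshd[107]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:12:05 host1 sshd[108]: Failed password for invalid user oracle from 203.0.113.5 port 51005 ssh2
Mar  3 10:12:20 host1 sshd[109]: Failed password for root from 203.0.113.5 port 51006 ssh2
"""

WINDOW = timedelta(minutes=1)      # assumed: same as the post's "In 1 minutes"
THRESHOLD = 3                      # assumed: failures from one source inside the window
SUPPRESS = timedelta(minutes=10)   # assumed: throttle, one alert per source per 10 min

def parse(log_text, year=2024):
    """Return (timestamp, user, source_ip) for each failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and other messages are ignored
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["SSHInvalidUser"], m["InvalidSSHIP"]))
    return events

def alerts(events, window=WINDOW, threshold=THRESHOLD, suppress=SUPPRESS):
    """Sliding-window count per source IP; fire once per IP per suppress period."""
    recent = defaultdict(list)   # ip -> [(ts, user)] still inside the window
    last_alert = {}              # ip -> time of the last alert (throttle state)
    fired = []
    for ts, user, ip in sorted(events):
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t < window] + [(ts, user)]
        if len(recent[ip]) >= threshold:
            last = last_alert.get(ip)
            if last is None or ts - last >= suppress:
                last_alert[ip] = ts
                users = sorted({u for _, u in recent[ip]})
                fired.append((ts, ip, len(recent[ip]), users))  # one alert, not a flood
    return fired
```

Keying on the source IP catches both a single account and several accounts being tried from one host, and the suppression state is what keeps repeated matches from re-sending the same alert every cycle.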