I am a little confused. I created a regular search looking for the word deny. This matches all the deny logs from my firewall.
From there I saved the search as an alert. Now under the trigger condition I selected custom and put the following
stats count by source-address | where count > 5
This is a realtime search looking at the past 1 minute.
What am I doing wrong here?
I have a very basic alert I want to set up. Essentially I want to trigger an alert when Splunk sees more than X amount of deny logs from the same source address.
I can create an alert if it sees more than X amount of deny logs, but I am only interested when a high amount of denies come from a single source.
If I could see how this is written the logic can be used to create countless other alert conditions. I appreciate any help. Below is a sample deny log
Apr 8 13:45:20 192.168.100.1 1 2014-04-08T13:45:21.129-04:00 FW RT_FLOW - RT_FLOW_SESSION_DENY [firstname.lastname@example.org source-address="126.96.36.199" source-port="7986" destination-address="172.19.2.1" destination-port="2000" service-name="junos-sccp" protocol-id="6" icmp-type="0" policy-name="DENY-LOG(global)" source-zone-name="trust" destination-zone-name="trust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="vlan.3" encrypted="UNKNOWN" reason="policy deny"] session denied 188.8.131.52/7986->172.19.2.1/2000 junos-sccp 6(0) DENY-LOG(global) trust trust UNKNOWN UNKNOWN N/A(N/A) vlan.3 UNKNOWN policy deny
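Added example (my own code, not from the post or from Splunk): the same per-source logic as `stats count by source-address | where count > 5` over a one-minute window, written in Python and run over constructed RT_FLOW_SESSION_DENY lines modelled on the sample log above. The addresses, timestamps, ports and the structured-data id in the sample are made-up placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Template for a Juniper SRX RT_FLOW_SESSION_DENY line, modelled on the sample in the post.
# The structured-data id and all addresses/ports are constructed placeholders.
DENY_TEMPLATE = (
    'Apr 8 13:45:20 192.168.100.1 1 {ts} FW RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@sd-id-placeholder source-address="{src}" source-port="{sport}" '
    'destination-address="172.19.2.1" destination-port="2000" protocol-id="6" '
    'policy-name="DENY-LOG(global)" reason="policy deny"] session denied '
    '{src}/{sport}->172.19.2.1/2000 junos-sccp 6(0) DENY-LOG(global) policy deny'
)
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs inside the [...] block
TS_RE = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{2}:\d{2}')  # ISO 8601 stamp

def parse_deny(line):
    """Return {'time': datetime, 'fields': {...}} for a deny line, else None."""
    ts = TS_RE.search(line)
    if "RT_FLOW_SESSION_DENY" not in line or not ts:
        return None
    return {"time": datetime.fromisoformat(ts.group(0)),
            "fields": dict(KV_RE.findall(line))}

def noisy_sources(lines, threshold=5, window=timedelta(minutes=1), now=None):
    """Sources with more than `threshold` denies inside `window` ending at `now`
    (defaults to the newest deny seen): the per-source equivalent of
    `stats count by source-address | where count > 5` over a 1-minute span."""
    events = [e for e in map(parse_deny, lines) if e]
    if not events:
        return {}
    now = now or max(e["time"] for e in events)
    counts = Counter(e["fields"]["source-address"] for e in events
                     if timedelta(0) <= now - e["time"] <= window)
    return {src: n for src, n in counts.items() if n > threshold}

def build_sample_logs():
    """Constructed sample: 7 denies from 203.0.113.5 within 24 s, 2 from 203.0.113.9,
    one stale deny from 203.0.113.5 two minutes earlier, and one non-deny line."""
    base = datetime.fromisoformat("2014-04-08T13:45:00.000-04:00")
    def deny(src, port, offset_s):
        stamp = (base + timedelta(seconds=offset_s)).isoformat(timespec="milliseconds")
        return DENY_TEMPLATE.format(ts=stamp, src=src, sport=port)
    lines = [deny("203.0.113.5", 40000 + i, 4 * i) for i in range(7)]
    lines += [deny("203.0.113.9", 50000 + i, 5 * i) for i in range(2)]
    lines.append(deny("203.0.113.5", 39999, -120))  # outside the 1-minute window
    lines.append(deny("203.0.113.5", 39998, 10).replace("SESSION_DENY", "SESSION_CREATE"))
    return lines
```

Calling `noisy_sources(build_sample_logs())` returns `{'203.0.113.5': 7}`: the stale deny and the session-create line are ignored, and 203.0.113.9 stays under the threshold.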