Hi All,
I have a very basic alert I want to set up. Essentially I want to trigger an alert when Splunk sees more than X amount of deny logs from the same source address.
I can create an alert if it sees more than X amount of deny logs, but I am only interested when a high amount of denies come from a single source.
If I could see how this is written, the logic can be used to create countless other alert conditions. I appreciate any help. Below is a sample deny log:
Apr 8 13:45:20 192.168.100.1 1 2014-04-08T13:45:21.129-04:00 FW RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="192.55.66.44" source-port="7986" destination-address="172.19.2.1" destination-port="2000" service-name="junos-sccp" protocol-id="6" icmp-type="0" policy-name="DENY-LOG(global)" source-zone-name="trust" destination-zone-name="trust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="vlan.3" encrypted="UNKNOWN" reason="policy deny"] session denied 192.55.66.44/7986->172.19.2.1/2000 junos-sccp 6(0) DENY-LOG(global) trust trust UNKNOWN UNKNOWN N/A(N/A) vlan.3 UNKNOWN policy deny
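The alert condition asked for above, written out as an added example that is not part of the original post and not Splunk's own code: a small Python script that parses Juniper RT_FLOW_SESSION_DENY lines in the same shape as the sample, counts denies per source address inside a sliding time window, and reports only sources that exceed the threshold. The threshold, window length, and the 192.0.2.x / 172.19.2.1 addresses in the constructed sample lines are assumptions, as is the helper name `deny_line`. In Splunk itself the same logic is a search that matches the deny events, groups them with `stats count by` the extracted source-address field, and filters with `where count > X`.

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns for the Juniper SRX structured-syslog deny event shown in the question.
# The line carries an ISO-8601 timestamp after the syslog header and the source as
# a quoted key=value pair inside the [junos@... ] block.
ISO_TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2})")
SRC_RE = re.compile(r'source-address="([^"]+)"')
DENY_MARKER = "RT_FLOW_SESSION_DENY"


def parse_deny(line):
    """Return (timestamp, source_address) for a deny event, or None for anything else."""
    if DENY_MARKER not in line:
        return None
    ts_match = ISO_TS_RE.search(line)
    src_match = SRC_RE.search(line)
    if not ts_match or not src_match:
        return None
    return datetime.fromisoformat(ts_match.group(1)), src_match.group(1)


def sources_over_threshold(lines, threshold, window_seconds):
    """Map each source address to the largest number of denies it produced within any
    window_seconds-long sliding window, keeping only sources with more than threshold."""
    by_source = defaultdict(list)
    for line in lines:
        parsed = parse_deny(line)
        if parsed:
            ts, src = parsed
            by_source[src].append(ts)

    offenders = {}
    for src, stamps in by_source.items():
        stamps.sort()
        peak = 0
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until the window spans at most window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[src] = peak
    return offenders


def deny_line(ts, src, dst="172.19.2.1", dport="2000", event=DENY_MARKER):
    # Constructed sample line (hypothetical helper) in the shape of the question's
    # log; the addresses are documentation/private ranges, not real hosts.
    return (
        f"Apr 8 13:45:20 192.168.100.1 1 {ts} FW RT_FLOW - {event} "
        f'[junos@2636.1.1.1.2.39 source-address="{src}" source-port="7986" '
        f'destination-address="{dst}" destination-port="{dport}" '
        f'policy-name="DENY-LOG(global)" reason="policy deny"]'
    )


# Constructed input: six denies from one source within 30 seconds, two from another,
# one non-deny session event that must be ignored, and one late deny outside the window.
SAMPLE_LOGS = [
    deny_line(f"2014-04-08T13:45:{sec:02d}.000-04:00", "192.0.2.10")
    for sec in (1, 5, 9, 14, 20, 30)
] + [
    deny_line("2014-04-08T13:45:12.000-04:00", "192.0.2.20"),
    deny_line("2014-04-08T13:45:40.000-04:00", "192.0.2.20"),
    deny_line("2014-04-08T13:45:15.000-04:00", "192.0.2.10", event="RT_FLOW_SESSION_CREATE"),
    deny_line("2014-04-08T14:50:00.000-04:00", "192.0.2.10"),
]

if __name__ == "__main__":
    # Alert when a single source produces more than 5 denies in any 60-second window.
    for src, count in sources_over_threshold(SAMPLE_LOGS, threshold=5, window_seconds=60).items():
        print(f"ALERT: {src} produced {count} denies within 60s")
```

Run as a script it reports only 192.0.2.10, because the second source never exceeds the threshold and the non-deny session event is skipped by `parse_deny`. The sliding window is what a scheduled Splunk alert approximates with its time range; lowering the threshold or widening the window shows how quickly a per-source rule becomes noisy on a busy edge firewall.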