On Tue, 25 Jun 2013, Orangepeel Beef wrote:
I am wondering if it is possible to collect all the events that match in a
singlewiththreshold and send them all out when the threshold is hit?
you can't do it with one rule (singlewiththreshold), but you can have a single
rule that gathers the logs into a report, and then a singlewiththreshold that
exports the data when it fires.
The problem is expiring the old data from the report. I can think of ways to do
this, but not clean ones.
David Lang
#more than 15 failed logins
type=singlewiththreshold
desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
ptype=regexp
pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
action=pipe '$0' /usr/bin/mail -s '%s' %e
window=1800
thresh=15
This is working, but I'm only getting the 1 log line from the last event
that triggered the threshold. I'd like to be able to send all the previous
log lines with it in the email.
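The approach sketched in the reply above (one rule that gathers the matching lines into a report, a SingleWithThreshold that exports the report when it fires), written out as a complete SEC rule set. This is an added example for the thread, not David's or the original poster's configuration; the context name BRUTE_<ip>, the `root` mail recipient and the descriptions of the two collecting rules are assumptions, while the pattern, window and threshold are the ones from the rule quoted above.

```ini
# Rule 1: the first failed login from a source IP creates a per-IP context
# with a 30 minute lifetime.  The context= guard means 'create' only runs
# when no store for that IP exists yet, so an ongoing collection is not reset.
type=Single
ptype=regexp
pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
context=!BRUTE_$3
continue=TakeNext
desc=start collecting failed logins from $3
action=create BRUTE_$3 1800

# Rule 2: append the raw log line ($0) to that IP's store.  This rule must
# come after rule 1: 'add' on a context that does not exist creates it with
# an infinite lifetime, and the store would then never expire on its own.
type=Single
ptype=regexp
pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
continue=TakeNext
desc=collect failed login line from $3
action=add BRUTE_$3 $0

# Rule 3: the original threshold rule.  'report' pipes every line in the
# store to mail, where 'pipe $0' sent only the triggering line; 'delete'
# then drops the store so the next burst starts with an empty report.
type=SingleWithThreshold
ptype=regexp
pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
action=report BRUTE_$3 /usr/bin/mail -s '%s' root; delete BRUTE_$3
window=1800
thresh=15
```

The caveat is the expiry problem named above: the context lifetime is fixed 1800 seconds from the first failed login, while SingleWithThreshold counts over a sliding 1800 second window. A store can therefore expire while the threshold counter is still live (the mail then carries only the lines added since), or, for a slow trickle of failures, hold lines older than the window when the rule finally fires. Refreshing the lifetime on every event keeps the store alive during a sustained attack but still never drops individual old lines, which is why there is no clean way to keep the report and the threshold window exactly in step.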
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users