Considering this example from here:
http://simple-evcorr.sourceforge.net/man.html#lbAD
/usr/bin/sec --conf=/etc/sec/sshd.rules --input=/var/log/secure-current.log
in order to monitor the /var/log/secure file for sshd events.
Also, suppose that the /etc/sec/sshd.rules configuration file contains the
following rule for correlating SSH failed login events:
type=SingleWithThreshold
ptype=RegExp
context=[_FILE_EVENT_/var/log/secure-current.log]
pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
desc=10 SSH login failures within 2 days for user $1
action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
window=172800
thresh=10
Requirement:
Alert only if this happens for a particular user continuously over 3 days
(the count doesn't matter).
The problem is that I can't set a threshold value, because it will alert as
soon as it sees that many login failures.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users