Alert if brute force detected

alias · December 5, 2018, 3:22pm

Hi,

I parse the sshd log. I’ve the app_status field with “Failed password” for example.
I want to create an alert “brute force” with agreggation based:

If a sshd log with “Failed password” in app_status field have 5 hits in 3 minutes, an alert is triggered.

Is it possible ?

In the agreggation alert, there is ‘count’ based agreggation without checks with value’s field.

Thanks

alias · December 6, 2018, 7:00am

Solved with stream & Alert. But only simple agreggation alert.

megan201296 · December 6, 2018, 4:53pm

alias · December 6, 2018, 6:11pm

Thanks @megan201296 , I check this

system · December 20, 2018, 6:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alert on Login Failures or Brute Force Login attempts? Graylog Central (peer support)	5	9419	January 30, 2018
Alert on multiple ssh root sessions Graylog Central (peer support)	2	764	November 18, 2021
How powerful are Graylog alerts? Graylog Central (peer support) alert	2	417	April 25, 2023
Alerts not being triggered for [ALL MSgs] Graylog Central (peer support)	7	2347	April 25, 2017
AD failed log on stream Graylog Central (peer support)	5	2320	January 3, 2018