I parse the sshd log. I have the app_status field with “Failed password”, for example.
I want to create a “brute force” alert based on aggregation:
If an sshd log with “Failed password” in the app_status field has 5 hits in 3 minutes, an alert is triggered.
Is it possible?
In the aggregation alert, there is a ‘count’-based aggregation without checks on the field's value.
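As an added illustration of the rule described in the question (not code from the original post or from any particular log platform), the following Python script parses constructed sshd lines, keeps only events whose app_status is “Failed password”, and raises an alert when a source reaches 5 such hits inside a sliding 3-minute window. The field names app_status and src, the per-source grouping, and the sample log lines are all assumptions made for this example; passing `key=lambda ev: "all"` counts hits across all sources, which matches the question’s wording literally.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not real log data).
# 10.0.0.5 fails five times within two minutes; 10.0.0.9 fails twice, far apart.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[1201]: Failed password for root from 10.0.0.5 port 51000 ssh2
Mar  3 10:00:20 bastion sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 51001 ssh2
Mar  3 10:00:45 bastion sshd[1203]: Failed password for root from 10.0.0.5 port 51002 ssh2
Mar  3 10:01:10 bastion sshd[1204]: Failed password for root from 10.0.0.5 port 51003 ssh2
Mar  3 10:01:30 bastion sshd[1205]: Failed password for bob from 10.0.0.9 port 40000 ssh2
Mar  3 10:01:50 bastion sshd[1206]: Failed password for root from 10.0.0.5 port 51004 ssh2
Mar  3 10:02:00 bastion sshd[1207]: Accepted password for bob from 10.0.0.9 port 40001 ssh2
Mar  3 10:02:30 bastion sshd[1208]: Failed password for root from 10.0.0.5 port 51005 ssh2
Mar  3 10:03:00 bastion cron[77]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:05:00 bastion sshd[1209]: Failed password for bob from 10.0.0.9 port 40002 ssh2
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <status> for [invalid user ]<user> from <ip> port <n>"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed password|Accepted password) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return an event dict for an sshd auth line, or None for anything else.

    Syslog timestamps carry no year, so one is assumed (constructed sample => 2024).
    """
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Collapse the double space in "Mar  3" before parsing.
    ts_text = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "app_status": m.group("status"),
            "user": m.group("user"), "src": m.group("src")}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=3),
                       key=lambda ev: ev["src"]):
    """Sliding-window count of 'Failed password' events, grouped by key().

    Returns a list of (group, alert_time, hit_count) tuples. After an alert fires
    the window for that group is cleared so one burst produces one alert rather
    than one per additional failure.
    """
    windows = defaultdict(deque)  # group -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["app_status"] != "Failed password":
            continue  # only the value "Failed password" counts toward the threshold
        group = key(ev)
        q = windows[group]
        q.append(ev["timestamp"])
        # Drop hits older than the window relative to the newest event.
        while q and ev["timestamp"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((group, ev["timestamp"], len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for group, when, count in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"ALERT brute force: {count} failed passwords from {group} "
              f"within 3 minutes (latest at {when})")
```

Grouping by source address is the usual choice for a brute-force rule because a global count can be pushed over the threshold by unrelated users mistyping passwords; the `key` parameter lets you compare both behaviours on the same input.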