Alert if brute force detected
I parse the sshd log. I have the app_status field with "Failed password", for example.
I want to create a "brute force" alert with aggregation, based on the following:

If an sshd log with "Failed password" in the app_status field has 5 hits in 3 minutes, an alert is triggered.

Is it possible?

In the aggregation alert, there is only a 'count'-based aggregation, without checks on the field's value.
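As an added illustration (not from this thread or from Graylog itself) of the rule the question describes: count "Failed password" sshd hits in a sliding 3-minute window and fire once the count reaches 5. The log lines below are constructed, the syslog format is assumed, and the year is assumed for parsing.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not real data).
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  4 10:00:30 host sshd[1235]: Accepted password for alice from 198.51.100.7 port 51235 ssh2
Mar  4 10:01:02 host sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  4 10:01:40 host sshd[1237]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  4 10:02:10 host sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Mar  4 10:02:50 host sshd[1239]: Failed password for root from 203.0.113.5 port 51239 ssh2
Mar  4 10:09:00 host sshd[1240]: Failed password for root from 203.0.113.5 port 51240 ssh2
"""

# Assumed syslog layout: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <status text>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<status>.*)$")


def parse_line(line, year=2024):
    """Return (timestamp, app_status) for an sshd line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; 2024 is an assumed value for the sample.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["status"]


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=3)):
    """Return ISO timestamps at which 'threshold' Failed-password hits fell inside 'window'."""
    alerts = []
    hits = deque()  # timestamps of recent "Failed password" events
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, status = parsed
        if "Failed password" not in status:
            continue  # only the app_status value of interest counts
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # drop hits that fell out of the window
        if len(hits) >= threshold:
            alerts.append(ts.isoformat())
            hits.clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG.splitlines()))  # ['2024-03-04T10:02:50']
```

The five failures between 10:00:01 and 10:02:50 fall inside one 3-minute window and trigger the alert; the lone failure at 10:09:00 does not.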

Solved with stream & alert. But only a simple aggregation alert.

You can look at additional 3rd party alert plugins such as

Thanks @megan201296, I'll check this.
