Alert if brute force detected

(alias) #1


I parse the sshd log. I have the app_status field with “Failed password”, for example.
I want to create a “brute force” alert based on aggregation:

If an sshd log with “Failed password” in the app_status field has 5 hits in 3 minutes, an alert is triggered.

Is it possible?

In the aggregation alert, there is a ‘count’-based aggregation without checks on the field's value.

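The rule asked for above (filter on app_status == “Failed password”, then count hits in a sliding 3-minute window and alert at 5) as stand-alone detection logic, added here as an example and not code from the original thread or from any alerting product. The log lines are constructed samples, the field names (app_status, ip, user) and the parse regex are assumptions, and the example goes one step beyond the post by optionally keying the count per client IP, which is the usual brute-force signal; with per_source=False it is exactly the global count-only rule described in the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input (not from the original thread): syslog-style sshd lines.
SAMPLE_LOG = """\
Mar 10 12:00:01 host1 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:20 host1 sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 10 12:00:45 host1 sshd[1236]: Accepted password for alice from 198.51.100.9 port 40000 ssh2
Mar 10 12:01:10 host1 sshd[1237]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 12:01:50 host1 sshd[1238]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar 10 12:02:30 host1 sshd[1239]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 12:05:00 host1 sshd[1240]: Failed password for bob from 198.51.100.9 port 40001 ssh2
"""

# Syslog prefix plus the parts of the sshd message we care about. The captured
# "status" group plays the role of the thread's app_status field (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<status>Failed password|Accepted password) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(text):
    """Yield one event dict per recognisable sshd auth line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine here because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield {"ts": ts, "app_status": m.group("status"),
               "user": m.group("user"), "ip": m.group("ip")}


def detect_brute_force(text, threshold=5, window_seconds=180, per_source=True):
    """Return one alert per burst of >= threshold 'Failed password' events
    that fall inside a sliding window of window_seconds.

    per_source=True counts per client IP; per_source=False counts every
    failure together (the count-only rule from the question).
    """
    windows = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = []
    for ev in parse_sshd(text):
        if ev["app_status"] != "Failed password":   # the filter step
            continue
        key = ev["ip"] if per_source else "*"
        q = windows[key]
        q.append(ev["ts"])
        # Drop failures that have fallen out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:                     # the count step
            alerts.append({"source": key, "count": len(q),
                           "at": ev["ts"].strftime("%b %d %H:%M:%S")})
            q.clear()   # one alert per burst, then start counting afresh
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT brute force: {a['count']} failed logins "
              f"from {a['source']} by {a['at']}")
```

On the sample input the fifth failure from 203.0.113.7 arrives at 12:02:30, 149 seconds after the first, so a single alert fires; shrinking the window to 60 seconds or raising the threshold to 6 produces none. Clearing the window after an alert is the part most simple count rules omit: without it every further failure in the same burst re-triggers the alert.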

(alias) #2

Solved with stream & alert. But only a simple aggregation alert.

(Megan) #3

You can look at additional 3rd party alert plugins such as

(alias) #4

Thanks @megan201296, I'll check this.

(system) closed #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.