I am using Graylog 6.1.8, and I have created a stream and a notification. I tried to simulate a DDoS attack on my PC, but I am receiving too many emails for every event. I want to group them and receive an email only if the DDoS logs exceed 70 or 80."
Let me know if it works!
Hey @mouayedoss,
This is possible, you will need to group the logs by something like the source_ip of the firewall and maybe also perhaps whichever field is being used to contain the IP of the attacker. In the below example the destination_ip is simply being used as an example.
