Hi,
I want to create events for say, consecutive failed login from the same user, so i would use the query,
gl2_source_input: AND EventID:4771
And I would set search frequency, and Create Events for Definition if…‘Aggregation of results reaches a threshold’.
But how would I specify that these events are from the same user?
Any help would be appreciated.
Many Thanks,
Rohit
hi
The first specific source next user (IP) and etc *
only must know hierarchy query in graylog
https://docs.graylog.org/en/3.1/pages/queries.html
hi bahram,
Ok, either IP or username would work for my purpose, but how do I specify , username=‘const’, i.e, username remains the same for a particular set of events.
And I don’t want it for specific user. I want to know if a particular number of event occur from ‘any’ same user.
Couldn’t find that in the documentation or other community posts. Any help appreciated!!
Thank you.
rvikram
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
