I have my mail server log in GL.
I want to know if an IP is trying to find passwords (brute force, or a user with a wrong mail config).
To do this, I create an alert on authentication failed, grouped by IP.
But with the basic GL, I can't group by IP.
I found 2 plugins:
My "Aggregation Count Alert Condition" is:
message:("error=authentication failed for" OR "authentication failed: authentication failure") AND exists:clientIP AND NOT clientIP_country_code:FR AND exists:clientIP_country_code
This catches all authentication failures, but not grouped by IP.
If I add a "distinction field: IP", the same alert sends me the whole mail log!
Do you have an example?
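Added example, not part of this post and not Graylog's own code: the filter from the search query above, applied to constructed events and then grouped per clientIP with a sliding time window, so that one address hammering logins is flagged while a user with a stale password (a couple of failures) or a slow trickle spread over half an hour is not. The field names clientIP and clientIP_country_code are the ones from the post; the messages, addresses (documentation ranges) and timestamps are constructed, and the window and threshold values are assumptions to tune.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Same match as the message:(...) clause of the poster's query.
AUTH_FAIL = re.compile(
    r"error=authentication failed for|authentication failed: authentication failure"
)


def _ev(ts, msg, ip=None, cc=None):
    """Build one event in the shape Graylog holds after the extractors and GeoIP lookup ran."""
    ev = {"timestamp": ts, "message": msg}
    if ip:
        ev["clientIP"] = ip
    if cc:
        ev["clientIP_country_code"] = cc
    return ev


FAIL_MSG = "imap-login: error=authentication failed for user bob"
PAM_MSG = "saslauthd: pam_unix(smtp:auth): authentication failed: authentication failure"

# Constructed sample events (not real traffic).
EVENTS = [
    # 6 failures from one US address within 50 seconds: the brute-force case
    *[_ev(f"2020-03-01T10:00:{10 * i:02d}", FAIL_MSG, "203.0.113.7", "US") for i in range(6)],
    # 2 failures from a DE address: a client with a stale password, below threshold
    _ev("2020-03-01T10:01:00", PAM_MSG, "198.51.100.4", "DE"),
    _ev("2020-03-01T10:05:00", PAM_MSG, "198.51.100.4", "DE"),
    # 5 failures from a GB address, one every 6 minutes: over threshold in total,
    # never 5 inside a 5-minute window, so a sliding window does not flag it
    *[_ev(f"2020-03-01T10:{6 * i:02d}:00", FAIL_MSG, "203.0.113.99", "GB") for i in range(5)],
    # 10 failures from a FR address: excluded by NOT clientIP_country_code:FR
    *[_ev(f"2020-03-01T10:02:{i:02d}", FAIL_MSG, "192.0.2.9", "FR") for i in range(10)],
    # no clientIP extracted: dropped by exists:clientIP
    _ev("2020-03-01T10:03:00", FAIL_MSG),
    # clientIP present but no GeoIP result: dropped by exists:clientIP_country_code
    _ev("2020-03-01T10:03:30", FAIL_MSG, "203.0.113.50"),
    # a successful login: not a failure at all
    _ev("2020-03-01T10:04:00", "imap-login: Login: user=<bob>", "203.0.113.7", "US"),
]


def matches_condition(ev):
    """True when the event satisfies the whole search query: failure message,
    clientIP present, country code present and not FR."""
    if not AUTH_FAIL.search(ev.get("message", "")):
        return False
    if not ev.get("clientIP"):
        return False
    cc = ev.get("clientIP_country_code")
    return bool(cc) and cc != "FR"


def total_counts(events):
    """Plain count of matching failures per clientIP (what a simple group-by gives)."""
    return Counter(ev["clientIP"] for ev in events if matches_condition(ev))


def failures_by_ip(events, window=timedelta(minutes=5), threshold=5):
    """Return {clientIP: peak count} for addresses that reach `threshold` matching
    failures inside any `window`-long span. Window and threshold are assumed values."""
    matching = sorted((e for e in events if matches_condition(e)), key=lambda e: e["timestamp"])
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    peak = {}
    for ev in matching:
        ip = ev["clientIP"]
        ts = datetime.fromisoformat(ev["timestamp"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    print("per-IP totals:", dict(total_counts(EVENTS)))
    for ip, n in failures_by_ip(EVENTS).items():
        print(f"ALERT: {ip} had {n} authentication failures within 5 minutes")
```

The totals show why the post's "distinction field" attempt is noisy: every IP with at least one failure appears, so a stale-password client is reported next to the attacker. Counting per IP inside a window and alerting only above a threshold is the grouping the post is after; the window also keeps a slow trickle (203.0.113.99 above) from triggering on its total alone.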