Set an alert grouped by IP


I have my mail server log in GL.

I want to know if an IP is trying to find passwords (brute force or a user with a wrong mail config).

To do this, I create an alert on authentication failures grouped by IP.
But, with the basic GL, I can't group by IP.

I found 2 plugins:

Now, my "Aggregation Count Alert Condition" is:

  • backlog:
  • comment:
  • distinction_fields:
  • grace:
  • grouping_fields:
  • query:

message:("error=authentication failed for" OR "authentication failed: authentication failure") AND exists:clientIP AND NOT clientIP_country_code:FR AND exists:clientIP_country_code

  • repeat_notifications:
  • threshold:
  • threshold_type:
  • time:
This catches all authentication failures, but not grouped by IP.
If I add a "distinction field: IP", the same alert sends me all the mail logs!

Do you have an example?

Thank you
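The per-IP aggregation this post is asking the alert condition to perform, written out as an added Python example (it is not Graylog code, nor code from either plugin mentioned). It assumes Graylog-style messages that carry the `clientIP` and `clientIP_country_code` fields the query above references; the sample messages, the 5-minute window and the threshold of 3 failures are constructed values for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample messages, shaped like the Graylog messages the
# poster's query runs against (message, clientIP, clientIP_country_code).
SAMPLE_MESSAGES = [
    {"timestamp": "2024-01-10T07:59:00", "message": "error=authentication failed for user alice",
     "clientIP": "203.0.113.7", "clientIP_country_code": "US"},   # older than the window
    {"timestamp": "2024-01-10T08:05:30", "message": "error=authentication failed for user alice",
     "clientIP": "203.0.113.7", "clientIP_country_code": "US"},
    {"timestamp": "2024-01-10T08:06:00", "message": "error=authentication failed for user bob",
     "clientIP": "203.0.113.7", "clientIP_country_code": "US"},
    {"timestamp": "2024-01-10T08:07:10", "message": "authentication failed: authentication failure",
     "clientIP": "203.0.113.7", "clientIP_country_code": "US"},
    {"timestamp": "2024-01-10T08:09:00", "message": "error=authentication failed for user carol",
     "clientIP": "203.0.113.7", "clientIP_country_code": "US"},
    {"timestamp": "2024-01-10T08:06:00", "message": "error=authentication failed for user dave",
     "clientIP": "198.51.100.9", "clientIP_country_code": "DE"},  # a single failure: noise
    {"timestamp": "2024-01-10T08:08:00", "message": "connect from unknown[203.0.113.7]",
     "clientIP": "203.0.113.7", "clientIP_country_code": "US"},   # not a failure
    {"timestamp": "2024-01-10T08:07:00", "message": "error=authentication failed for user eve"},
    # no clientIP field: excluded by exists:clientIP
] + [
    # Excluded by NOT clientIP_country_code:FR (the poster's own-country filter)
    {"timestamp": f"2024-01-10T08:0{m}:00", "message": "error=authentication failed for user fr",
     "clientIP": "192.0.2.5", "clientIP_country_code": "FR"}
    for m in range(5, 10)
]

# The two message fragments from the poster's query.
AUTH_FAILURE_PATTERNS = (
    "error=authentication failed for",
    "authentication failed: authentication failure",
)


def matches_query(msg):
    """Mirror the stream query: failure text, clientIP present, country present and not FR."""
    text = msg.get("message", "")
    if not any(p in text for p in AUTH_FAILURE_PATTERNS):
        return False
    if "clientIP" not in msg:
        return False
    country = msg.get("clientIP_country_code")
    return country is not None and country != "FR"


def count_failures_by_ip(messages, now, window_minutes=5):
    """Group matching messages by clientIP and count those inside [now - window, now]."""
    start = now - timedelta(minutes=window_minutes)
    counts = defaultdict(int)
    for msg in messages:
        if not matches_query(msg):
            continue
        ts = datetime.fromisoformat(msg["timestamp"])
        if start <= ts <= now:
            counts[msg["clientIP"]] += 1
    return dict(counts)


def alerting_ips(messages, now, window_minutes=5, threshold=3):
    """Return only the IPs whose failure count meets the threshold: one alert per IP, not one per message."""
    counts = count_failures_by_ip(messages, now, window_minutes)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-01-10T08:10:00")
    for ip, n in alerting_ips(SAMPLE_MESSAGES, now).items():
        print(f"ALERT {ip}: {n} authentication failures in the last 5 minutes")
```

The point the poster ran into shows up in the two functions: the query filter alone (`matches_query`) still fires on every failing message, which is the "all the mail logs" behaviour; only after grouping by `clientIP` and applying the threshold per group (`alerting_ips`) does a single noisy source stand out while one-off failures from other addresses stay quiet.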
