Hello,
I have my mail server log in GL.
I want to know if an IP is trying to find passwords (brute force, or a user with a wrong mail config).
To do this, I create an alert on authentication failures grouped by IP.
But with the basic GL, I can't group by IP.
I found 2 plugins:
Now:
My “Aggregation Count Alert Condition” is:
- backlog: 10
- comment: <empty>
- distinction_fields: <empty>
- grace: 60
- grouping_fields: <empty>
- query: message:(“error=authentication failed for” OR “authentication failed: authentication failure”) AND exists:clientIP AND NOT clientIP_country_code:FR AND exists:clientIP_country_code
- repeat_notifications: false
- threshold: 10
- threshold_type: MORE
- time: 30
This catches all authentication failures, but not grouped by IP.
If I add a “distinction field: IP”, the same alert sends me all the mail log!
Do you have an example?
Thank you
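As an added example (not part of the post above, and not the plugin's own code), the script below models what the alert condition in the post is meant to compute: take only the records that match the query (one of the two failure messages, a clientIP present, a country code present, country not FR), group them by clientIP, and raise an alert for any IP with MORE than `threshold` matching failures inside a sliding window of `time` minutes. The field names `message`, `clientIP` and `clientIP_country_code` are taken from the query in the post; the timestamps, IPs and log lines are constructed for the example, and the IP addresses are documentation ranges, not real attackers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two message fragments from the post's query.
PATTERNS = (
    "error=authentication failed for",
    "authentication failed: authentication failure",
)


def matches_query(rec):
    """Mirror the post's search string on one record (a dict of Graylog fields).

    message:(A OR B) AND exists:clientIP AND NOT clientIP_country_code:FR
    AND exists:clientIP_country_code
    """
    if not any(p in rec.get("message", "") for p in PATTERNS):
        return False
    if not rec.get("clientIP"):                      # exists:clientIP
        return False
    cc = rec.get("clientIP_country_code")
    if cc is None:                                   # exists:clientIP_country_code
        return False
    return cc != "FR"                                # NOT clientIP_country_code:FR


def find_brute_forcers(records, threshold=10, window=timedelta(minutes=30)):
    """Group matching failures by clientIP over a sliding window.

    Returns {ip: highest count seen in any `window`} for IPs whose count
    went strictly above `threshold` (the post's threshold_type MORE).
    """
    per_ip = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if not matches_query(rec):
            continue
        ip = rec["clientIP"]
        q = per_ip[ip]
        q.append(rec["timestamp"])
        while q and rec["timestamp"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def build_sample_logs():
    """Constructed records (not real logs) covering the cases the alert must separate."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    logs = []

    def add(ip, cc, count, step, text):
        for i in range(count):
            logs.append({
                "timestamp": base + i * step,
                "message": text.format(ip=ip),
                "clientIP": ip,
                "clientIP_country_code": cc,
            })

    postfix = "warning: unknown[{ip}]: SASL LOGIN authentication failed: authentication failure"
    dovecot = "imap-login: error=authentication failed for user=<alice> rip={ip}"
    add("203.0.113.5", "US", 12, timedelta(seconds=20), postfix)   # burst: must alert (12 > 10)
    add("198.51.100.7", "DE", 3, timedelta(minutes=2), dovecot)    # wrong mail config: 3 failures only
    add("192.0.2.9", "FR", 15, timedelta(seconds=10), postfix)     # excluded by NOT clientIP_country_code:FR
    add("203.0.113.99", None, 20, timedelta(seconds=5), postfix)   # no GeoIP result: excluded by exists:
    add("198.51.100.50", "GB", 12, timedelta(minutes=11), dovecot) # slow: never > 10 inside 30 minutes
    logs.append({                                                  # a successful login: does not match
        "timestamp": base,
        "message": "imap-login: Login: user=<bob> rip=198.51.100.7",
        "clientIP": "198.51.100.7",
        "clientIP_country_code": "DE",
    })
    return logs


if __name__ == "__main__":
    for ip, count in find_brute_forcers(build_sample_logs()).items():
        print(f"ALERT {ip}: {count} authentication failures in 30 minutes")
```

With the default threshold only the bursting IP is reported; the misconfigured client, the excluded French IP, the IP without a GeoIP result and the slow attacker are all dropped for the reasons marked in the sample. This is the behaviour a grouped count should give, and it is what the post's single ungrouped condition cannot: the 10 failures that trip it may come from 10 different clients. If the plugin's `grouping_fields` option does what its name suggests, that is where `clientIP` belongs; a distinction field would instead count distinct values, which is consistent with the alert firing on the whole mail log.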