Set an alert grouped by IP

Hello,

I have my mail server log in GL.

I want to know if an IP is trying to find passwords (brute force or a user with a wrong mail config).

To do this, I create an alert on authentication failed grouped by IP.
But, with the basic GL, I can’t group by IP.

I found 2 plugins:


Now:
My “Aggregation Count Alert Condition” is:

  • backlog: 10
  • comment: <empty>
  • distinction_fields: <empty>
  • grace: 60
  • grouping_fields: <empty>
  • query: message:(“error=authentication failed for” OR “authentication failed: authentication failure”) AND exists:clientIP AND NOT clientIP_country_code:FR AND exists:clientIP_country_code
  • repeat_notifications: false
  • threshold: 10
  • threshold_type: MORE
  • time: 30

This catches all authentication failures but not grouped by IP.
If I add a “distinction field: IP”, the same alert sends me all the mail log!

Do you have an example?

Thank you

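As an added example (not code from the post, the Graylog project or either plugin), the following Python script shows what the alert condition described above should do once the failures are grouped per source address: the same query filter (the two message fragments, a present clientIP, a known country code that is not FR), a sliding window of `time` seconds per IP, a `MORE`-than-`threshold` check, the `grace` period that suppresses repeat notifications for that IP, and a `backlog` of the last messages attached to the alert. The log lines, the `clientIP=` token at the end of each line and the `GEO_COUNTRY` lookup (which stands in for Graylog's `clientIP_country_code` field) are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# The two message fragments from the post's query.
AUTH_FAIL_PATTERNS = (
    "error=authentication failed for",
    "authentication failed: authentication failure",
)

# Constructed stand-in for the clientIP_country_code field (GeoIP lookup).
# 192.0.2.44 is deliberately absent: it has no country code, so the
# "exists:clientIP_country_code" clause drops it.
GEO_COUNTRY = {
    "203.0.113.5": "US",
    "198.51.100.7": "FR",
    "192.0.2.9": "DE",
}

# Constructed line layout: "<iso-timestamp> <host> <message> [clientIP=<ip>]"
CLIENT_IP_RE = re.compile(r"\s+clientIP=(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_line(line: str) -> Optional[dict]:
    """Turn one constructed log line into an event dict (None if malformed)."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts_str, host, rest = parts
    ip = None
    m = CLIENT_IP_RE.search(rest)
    if m:
        ip = m.group(1)
        rest = rest[: m.start()]
    return {"timestamp": datetime.fromisoformat(ts_str), "source": host,
            "message": rest, "clientIP": ip}


def matches_query(event: dict) -> bool:
    """Same filter as the post's query: failure text, clientIP present, known non-FR country."""
    if not any(p in event["message"] for p in AUTH_FAIL_PATTERNS):
        return False
    ip = event.get("clientIP")
    if ip is None:
        return False
    country = GEO_COUNTRY.get(ip)
    return country is not None and country != "FR"


def aggregate_by_ip(events, window_seconds=30, threshold=10,
                    grace_seconds=60, backlog=10) -> list:
    """Count matching events per clientIP in a sliding window; fire when count > threshold."""
    windows = defaultdict(deque)                         # ip -> timestamps inside the window
    recent = defaultdict(lambda: deque(maxlen=backlog))  # ip -> last `backlog` messages
    last_fired = {}                                      # ip -> time of last alert (grace)
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not matches_query(ev):
            continue
        ip, ts = ev["clientIP"], ev["timestamp"]
        w = windows[ip]
        w.append(ts)
        while w and ts - w[0] > timedelta(seconds=window_seconds):
            w.popleft()                                  # expire events older than the window
        recent[ip].append(ev["message"])
        if len(w) > threshold:                           # threshold_type MORE
            fired = last_fired.get(ip)
            if fired is None or ts - fired >= timedelta(seconds=grace_seconds):
                alerts.append({"clientIP": ip, "count": len(w), "triggered_at": ts,
                               "backlog": list(recent[ip])})
                last_fired[ip] = ts                      # suppress repeats during grace
    return alerts


def build_sample_log() -> list:
    """Constructed sample: one brute-forcing IP, one FR IP, one quiet IP, one without geo."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(12):   # 12 failures in 22 s from a US address -> should alert once
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} mail01 "
                     f"error=authentication failed for user=alice clientIP=203.0.113.5")
    for i in range(11):   # 11 failures from FR -> excluded by NOT clientIP_country_code:FR
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} mail01 "
                     f"authentication failed: authentication failure clientIP=198.51.100.7")
    for i in range(3):    # 3 failures from DE -> below threshold (a misconfigured client)
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} mail01 "
                     f"error=authentication failed for user=bob clientIP=192.0.2.9")
    lines.append(f"{base.isoformat()} mail01 error=authentication failed for user=x clientIP=192.0.2.44")
    lines.append(f"{base.isoformat()} mail01 login successful user=alice clientIP=203.0.113.5")
    return lines


def run_example() -> list:
    events = [e for e in map(parse_line, build_sample_log()) if e is not None]
    return aggregate_by_ip(events, window_seconds=30, threshold=10, grace_seconds=60, backlog=10)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['triggered_at'].isoformat()} {a['clientIP']} {a['count']} failures/30s, "
              f"backlog of {len(a['backlog'])} messages")
```

With the constructed data only 203.0.113.5 trips the condition (the 11th failure within 30 s), the 12th failure is swallowed by the 60 s grace period, the FR address and the address without a country code never match the query, and the German client stays under the threshold; that is the per-IP behaviour a grouping or distinction field on clientIP is meant to give, as opposed to one alert carrying every failure in the window.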