Suggestion: Alarm on multiple conditions

Maybe there's a way to do it but I don't know.

I am monitoring a recursive DNS infrastructure using Graylog. Basically I am parsing the query logs, and I am interested in detecting error conditions that involve both an abnormal number of failed queries and an abnormal number of clients receiving errors.

I am using the aggregation count plugin from Airbus Cyber and I can trigger alerts based on a high number of affected clients or a high number of different failed queries.

But I need an AND condition. Otherwise the alarm will fire whenever a customer generates a report from a firewall access log (triggering countless failed reverse DNS lookups) or whenever a single IP address scans lots of customers.
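The AND rule described in the post, as an added standalone illustration (not code from the post, the Airbus plugin or Graylog): it counts distinct failed query names and distinct clients that received an error in one window, fires only when both exceed their thresholds, and is run against three constructed log sets that model the two false-positive cases and a real resolver fault. The log line format and the `client`/`name`/`rcode` fields are assumptions.

```python
"""AND-combined DNS error alert: distinct failed names AND distinct failing clients."""
import re
from collections import namedtuple

# Constructed line format, loosely modelled on a BIND query log with the rcode
# the resolver returned; this is an assumption, not any real extractor's output.
LINE_RE = re.compile(r"client (?P<client>\S+): query (?P<name>\S+) rcode (?P<rcode>\w+)")
ERROR_RCODES = {"SERVFAIL", "NXDOMAIN", "REFUSED"}

Result = namedtuple("Result", "failed_names failed_clients names_alert clients_alert both")


def evaluate(lines, names_threshold, clients_threshold):
    """Count distinct failed names and distinct clients with an error in the window.
    `both` is the AND condition; the single-condition flags show what would
    have fired on its own."""
    failed_names, failed_clients = set(), set()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("rcode") in ERROR_RCODES:
            failed_names.add(m.group("name"))
            failed_clients.add(m.group("client"))
    names_alert = len(failed_names) >= names_threshold
    clients_alert = len(failed_clients) >= clients_threshold
    return Result(len(failed_names), len(failed_clients),
                  names_alert, clients_alert, names_alert and clients_alert)


def make_lines(pairs, rcode="NXDOMAIN"):
    """Build constructed log lines from (client, name) pairs."""
    return [f"client {c}: query {n} rcode {rcode}" for c, n in pairs]


# Scenario 1: one customer's firewall report triggers many failed reverse lookups.
FIREWALL_REPORT = make_lines(("10.0.0.5", f"{i}.0.0.203.in-addr.arpa") for i in range(100))
# Scenario 2: one scanner IP is reverse-looked-up (and fails) by many customers.
SCANNER = make_lines((f"10.0.0.{i}", "1.2.3.198.in-addr.arpa") for i in range(100))
# Scenario 3: real resolver fault: many clients, many names, all SERVFAIL.
OUTAGE = make_lines(((f"10.1.0.{i}", f"host{i}.example.net") for i in range(100)), "SERVFAIL")

if __name__ == "__main__":
    for label, lines in (("firewall report", FIREWALL_REPORT), ("scanner", SCANNER), ("outage", OUTAGE)):
        print(label, evaluate(lines, names_threshold=50, clients_threshold=50))
```

Only the outage scenario sets `both`; the other two each trip a single condition, which is exactly the alarm the post wants to suppress.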
