Advisor
stevechp
Posts: 27
Registered: 11-23-2012

Help with log file pattern matching

I am trying to create a policy that will scrape a log file and look for failed authentication messages from users. How do I set it up so I only get alerted when there are 3 failed attempts from a particular user? See the example below.

Example file

User tst123 failed to authenticate
User tst234 failed to authenticate
User tst345 failed to authenticate
User tst123 failed to authenticate
User tst234 failed to authenticate
User tst123 failed to authenticate (alert sent for tst123)

Valued Contributor
pafreire
Posts: 140
Registered: 01-10-2011

Re: Help with log file pattern matching

Hi,

I suggest that you use the suppress message option to send the message only on the third event.

To accomplish this, set the suppress option to "identical relative to their attributes", the suppress method to counter and the counter threshold to 3, then take the username from the log file and insert it in the Message Key field (Message Attributes tab). See the attached screenshot.

HTH,

Paulo

“The greatest challenge to any thinker is stating the problem in a way that will allow a solution.”
Bertrand Russell
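The following is an added example, not code from the original post or from the policy editor Paulo describes: it models the behaviour of that configuration in plain Python so the rule can be checked against the question's sample log before the policy is deployed. The capture group in the regular expression plays the role of the message key (the username); the counter is assumed to forward the Nth identical message and then reset for that key, which is an assumption about the suppression method, not something the post states. The sample log lines are the ones from the question, embedded here as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the question: the sixth line is the
# third failure for tst123 and is the only one that should raise an alert.
SAMPLE_LOG = """\
User tst123 failed to authenticate
User tst234 failed to authenticate
User tst345 failed to authenticate
User tst123 failed to authenticate
User tst234 failed to authenticate
User tst123 failed to authenticate
"""

# Condition pattern; the named group stands in for the Message Key field.
# Anchored at the start of the line so an unrelated message that merely
# mentions "failed to authenticate" later in the line does not count.
FAILED_AUTH = re.compile(r"^User (?P<user>\S+) failed to authenticate\b")


def alerts_for_log(text, threshold=3):
    """Return (user, line_number) pairs for every line on which an alert fires.

    Assumed model of 'counter' suppression keyed on the username: messages with
    the same key are held, the threshold-th one is forwarded, and the counter
    for that key is then reset so the next `threshold` failures alert again.
    Lines that do not match the condition never touch any counter.
    """
    counts = defaultdict(int)
    fired = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = FAILED_AUTH.match(line)
        if not match:
            continue
        user = match.group("user")
        counts[user] += 1
        if counts[user] >= threshold:
            fired.append((user, lineno))
            counts[user] = 0  # assumed reset after the message is forwarded
    return fired


if __name__ == "__main__":
    for user, lineno in alerts_for_log(SAMPLE_LOG):
        print(f"alert: {user} reached the failure threshold at line {lineno}")
```

Two things worth checking once the real policy is in place: the key must be exactly the username and nothing else (a key that also contains the timestamp or the process ID would make every line unique, so the counter would never reach 3), and a plain counter has no time window, so three failures spread across weeks fire exactly like three in a row; if the editor offers a reset interval for the counter, set one that matches how quickly you expect an attacker to retry.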