Alerting for multiple failed logins in 10 minutes

If there are multiple failed logins within 10 minutes, how can I create an alert for it?

Thanks, Regards


Please take the time to properly write up your use-case. Are you referring to multiple login attempts per user, in total, or from one IP?

The next step after correctly specifying what you are after is actually not to write a watch, but to come up with a query that answers your question. Only once that is done can you actually think about writing a watch around it.

Also check out the examples repo

Hope this helps as a start!

My use-case is that if there are multiple failed logins within 10 minutes, I should get an alert.
And I am putting in this template, but it is giving me an error.

PUT _xpack/watcher/watch/my-watch2
{
  "trigger" : {
    "schedule" : {
      "interval" : "10s"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [
          "firewall"
        ],
        "body": {
          "size": 1,
          "query" : {
            "bool" : {
              "must": [
                {
                  "term": {
                    "msg": {
                      "value": "Login Failed"
                    }
                  }
                }
              ],
              "filter" : {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-10m",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : {
      "ctx.payload.hits.total" : {
        "gt" : 10
      }
    }
  },
  "actions" : {
    "email_admin" : {
      "email" : {
        "to" : "abcd@abc.com",
        "subject" : "Priority : High State : Down ",
        "body": {
          "text": "login-failed-more-then-10"
        }
      }
    }
  }
}
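An added example (not code from this thread or from Elastic) that puts the earlier advice into practice: first a query that answers the question "which source produced at least N failed logins in the last 10 minutes" (a terms aggregation on the source address, which is what makes the watch per-IP rather than a raw total), then the same counting and threshold logic run locally over a constructed batch of events so the decision can be checked offline before anything is put into Watcher. The index name and the `msg` value come from the posted watch; the field name `source.ip`, the threshold, the timestamps and every event below are assumptions. The date-math range uses `||-10m` with an explicit unit, which is the form Elasticsearch accepts, and the watch carries a `condition`, without which it would send mail on every trigger regardless of hits.

```python
"""Per-source failed-login watch plus a local evaluator of its condition (added example)."""
import json
from datetime import datetime, timedelta, timezone

WINDOW_MINUTES = 10          # look back this far from the scheduled time
THRESHOLD = 5                # assumption: alert when one source has >= 5 failures in the window
INDEX = "firewall"           # index name taken from the thread's watch
BUCKET_FIELD = "source.ip"   # assumption: keyword field holding the client address
FAILED_MSG = "Login Failed"  # message text from the thread's watch


def window_range(window_minutes=WINDOW_MINUTES):
    """Date-math bounds for the range filter; the unit suffix is mandatory."""
    return {
        "gte": "{{ctx.trigger.scheduled_time}}||-%dm" % window_minutes,
        "lte": "{{ctx.trigger.triggered_time}}",
    }


def build_watch(window_minutes=WINDOW_MINUTES, threshold=THRESHOLD, bucket_field=BUCKET_FIELD):
    """Watch body as a dict: query + terms aggregation + condition + email action."""
    buckets = "ctx.payload.aggregations.by_source.buckets"
    return {
        "trigger": {"schedule": {"interval": "%dm" % window_minutes}},
        "input": {"search": {"request": {
            "indices": [INDEX],
            "body": {
                "size": 0,  # only the aggregation is needed, not the documents
                "query": {"bool": {
                    "must": [{"match_phrase": {"msg": FAILED_MSG}}],
                    "filter": {"range": {"@timestamp": window_range(window_minutes)}},
                }},
                # min_doc_count makes Elasticsearch drop sources below the threshold,
                # so the condition only has to ask whether any bucket survived.
                "aggs": {"by_source": {"terms": {
                    "field": bucket_field, "min_doc_count": threshold, "size": 100,
                }}},
            },
        }}},
        "condition": {"script": {"source": "return %s.size() > 0" % buckets}},
        "actions": {"email_admin": {"email": {
            "to": "abcd@abc.com",  # address from the thread's watch
            "subject": "Failed logins over threshold in the last %d minutes" % window_minutes,
            "body": {"text": "{{#%s}}{{key}}: {{doc_count}} failures\n{{/%s}}" % (buckets, buckets)},
        }}},
    }


def watch_json():
    """The string you would PUT to _xpack/watcher/watch/<name>."""
    return json.dumps(build_watch(), indent=2)


# --- local evaluation of the same logic over constructed sample events ---------------

NOW = datetime(2024, 5, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed "scheduled_time"

SAMPLE_EVENTS = (  # constructed sample, not real data
    [{"@timestamp": "2024-05-01T09:40:00Z", "msg": FAILED_MSG, "source.ip": "203.0.113.9"}]  # outside window
    + [{"@timestamp": "2024-05-01T10:00:%02dZ" % s, "msg": FAILED_MSG, "source.ip": "203.0.113.7"}
       for s in (5, 9, 13, 17, 21)]                                                        # 5 failures
    + [{"@timestamp": "2024-05-01T10:01:00Z", "msg": "Login OK", "source.ip": "203.0.113.7"},
       {"@timestamp": "2024-05-01T10:02:30Z", "msg": FAILED_MSG, "source.ip": "198.51.100.2"},
       {"@timestamp": "2024-05-01T10:05:00Z", "msg": FAILED_MSG, "source.ip": "198.51.100.2"}]
)


def count_failures(events, now=NOW, window_minutes=WINDOW_MINUTES):
    """Mirror of the watch's query + terms aggregation: failures per source inside the window."""
    start = now - timedelta(minutes=window_minutes)
    counts = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        if ev["msg"] != FAILED_MSG or not (start <= ts <= now):
            continue
        counts[ev[BUCKET_FIELD]] = counts.get(ev[BUCKET_FIELD], 0) + 1
    return counts


def offending_sources(counts, threshold=THRESHOLD):
    """Sources that would survive min_doc_count, i.e. the buckets the email lists."""
    return sorted(src for src, n in counts.items() if n >= threshold)


def should_alert(counts, threshold=THRESHOLD):
    """Same decision the watch condition makes: any bucket at or above the threshold."""
    return bool(offending_sources(counts, threshold))


if __name__ == "__main__":
    counts = count_failures(SAMPLE_EVENTS)
    print("failures per source:", counts)
    print("alert:", should_alert(counts), "sources:", offending_sources(counts))
    print(watch_json())
```

Running the file prints the per-source counts, the alert decision and the watch body; the success event and the failure older than ten minutes are ignored, so only the source with five failures is reported. Keeping the threshold in `min_doc_count` rather than in the condition script means the email body lists exactly the offending sources and nothing else.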
