Brute Force query in ELK


I am trying to create successful brute force attempts. For that I am writing Ruby code in Logstash.

Is there any other method like writing a query in elasticsearch, so that I could meet the logic of the successful brute force attempt [Brute force attempt by a particular user on a particular IP]?

I have already created many filters in my logstash and I don't want to overload it. I have tried the query in kibana but I am not able to meet it there.

I am not sure why you'd want to write ruby in Logstash to achieve brute force detection.

I'd suggest taking a look at Elasticsearch Terms Aggregations combined with Alerting.

Also see this blog re portscan detection (the logic can be adapted for failed brute force logins).
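As an added illustration of the terms-aggregation approach suggested above (example code, not from this thread or from Elastic), the block below builds the query body for Elasticsearch (user > source IP buckets, with a bucket_selector keeping only pairs that have at least N failures and one success in the window) and applies the same rule locally to constructed sample events, additionally enforcing that the failures precede the success. Field names `user.name`, `source.ip`, `event.outcome` and `@timestamp` are assumed ECS-style names; adjust them to your index.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5           # failed attempts that must precede a success
WINDOW = timedelta(minutes=15)

def es_query(threshold=FAIL_THRESHOLD, window="15m"):
    """Elasticsearch DSL: per user, per source IP, count failures and successes,
    keep only buckets with >= threshold failures and >= 1 success.
    Note: an aggregation counts within the window but cannot check ordering;
    detect() below adds that check."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{window}"}}},
        "aggs": {"by_user": {"terms": {"field": "user.name", "size": 1000}, "aggs": {
            "by_ip": {"terms": {"field": "source.ip", "size": 1000}, "aggs": {
                "failed": {"filter": {"term": {"event.outcome": "failure"}}},
                "success": {"filter": {"term": {"event.outcome": "success"}}},
                "hit": {"bucket_selector": {
                    "buckets_path": {"f": "failed._count", "s": "success._count"},
                    "script": f"params.f >= {threshold} && params.s >= 1"}}}}}}},
    }

def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Local equivalent with ordering: a success preceded by >= threshold
    failures from the same (user, ip) inside the window. Returns the pairs."""
    failures = defaultdict(list)
    hits = set()
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key, ts = (ev["user.name"], ev["source.ip"]), ev["@timestamp"]
        if ev["event.outcome"] == "failure":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            hits.add(key)
        failures[key].clear()    # a success resets the counter for that pair
    return hits

# Constructed sample events (hypothetical users and IPs)
_T0 = datetime(2024, 1, 1, 12, 0, 0)
def _ev(user, ip, outcome, minutes):
    return {"user.name": user, "source.ip": ip, "event.outcome": outcome,
            "@timestamp": _T0 + timedelta(minutes=minutes)}

SAMPLE = ([_ev("alice", "10.0.0.5", "failure", m) for m in range(6)]   # 6 failures, then success: hit
          + [_ev("alice", "10.0.0.5", "success", 7)]
          + [_ev("bob", "10.0.0.9", "failure", m) for m in range(2)]   # only 2 failures: no hit
          + [_ev("bob", "10.0.0.9", "success", 3)]
          + [_ev("carol", "10.0.0.7", "failure", m) for m in range(6)])  # no success: no hit
```

Send `es_query()` to the `_search` endpoint of your auth index from a Watcher/alerting rule; any bucket that survives the bucket_selector is a user/IP pair worth alerting on.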
