Hi,
I am trying to create a successful brute force attempts. For that I am writing a ruby code in logstash.
Is there any other method like writing a query in elasticsearch, so that I could meet the logic of the successful brute force attempt [Brute force attempt by a particular user on a particular IP]?
I have already created many filters in my logstash and I don't want to overload it. I have tried the query in kibana but I am not able to meet it there.
I am not sure why you'd want to write ruby in Logstash to achieve brute force detection.
I'd suggest taking a look at Elasticsearch Terms Aggregations combined with Alerting.
Also see this blog re portscan detection (logic can be adapted for failed bruteforce login).
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.