Hi,
I want to set up an alert when 3 login rejections occur on the same switch, in order to get this info on my dashboard.
I created a threshold rule “Alerte Brute Force Cisco” that raises an alert when 3 authentications are rejected on the same switch in the last 7 minutes (the rule is executed every 5 minutes).
I created a connector with the CLI using this command.
I added this as an index connector to the rule with the following document to index.
By doing this I am trying to create a data stream that I can use in the dashboard.
After that, I performed 3 rejected login authentications.
The alert is raised, but we can see an error in the log of the rule:
I tried to test the connector like this, but it failed showing the same error:
In Discover, I wanted to create a data view, but I can only see an index and not a data stream in the matching results. The index shows me nothing at all.
In Index Management, you can see an index named “alert-brute-force-cisco”, but there is nothing else for it under Data Streams, Index Templates and Component Templates.
I absolutely don’t know what I’m missing or if I’m doing it right.
I hope that my explanations are clear and that someone can help me.
Florian
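The rule described in the post (3 rejected logins on the same switch within the last 7 minutes, evaluated every 5 minutes), modelled as an added example that is not the poster's rule or Kibana's own code. It parses constructed Cisco IOS `%SEC_LOGIN` syslog lines (the hostnames, addresses and timestamps are assumptions), runs one threshold evaluation per scheduled execution, and builds the document one would push through an index connector; the field names in that document (`rule.name`, `host.name`, `failed_logins`, `source.ip`) are also assumptions, chosen to resemble ECS, not something the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines (not taken from the original post). The message
# text follows the Cisco IOS %SEC_LOGIN facility; hostnames and addresses are
# assumptions. Three failures on sw-core-01 fall inside one 7-minute window, one
# success line and one failure on another switch are mixed in.
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
2024-05-01T10:02:10Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
2024-05-01T10:03:00Z sw-access-07 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
2024-05-01T10:04:30Z sw-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]
2024-05-01T10:04:40Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
2024-05-01T10:20:00Z sw-access-07 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
"""

# Only LOGIN_FAILED lines count as rejections; successes and other messages are skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<host>\S+)\s+"
    r"%SEC_LOGIN-4-LOGIN_FAILED:.*\[Source: (?P<src>[^\]]+)\]"
)


def utc(hour, minute, second=0):
    """Timestamp on the sample day (2024-05-01, UTC); convenience for the demo."""
    return datetime(2024, 5, 1, hour, minute, second, tzinfo=timezone.utc)


def parse_failures(text):
    """Return a list of (timestamp, switch, source_ip) for each rejected login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["src"]))
    return events


def evaluate_rule(events, now, window=timedelta(minutes=7), threshold=3):
    """One execution of the threshold rule: count rejections per switch inside
    [now - window, now] and return one alert document per switch at or above the
    threshold. Each document carries @timestamp, which a data stream requires."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, host, src in events:
        if now - window <= ts <= now:
            counts[host] += 1
            sources[host].add(src)
    alerts = []
    for host in sorted(counts):
        if counts[host] >= threshold:
            alerts.append({
                "@timestamp": now.isoformat(),
                "rule.name": "Alerte Brute Force Cisco",
                "host.name": host,
                "failed_logins": counts[host],
                "source.ip": sorted(sources[host]),
            })
    return alerts


def run_schedule(events, start, end, every=timedelta(minutes=5), **rule_kwargs):
    """Simulate the scheduler: execute the rule every `every` from start to end and
    collect (execution_time, alerts) for the executions that produced an alert."""
    fired = []
    now = start
    while now <= end:
        alerts = evaluate_rule(events, now, **rule_kwargs)
        if alerts:
            fired.append((now, alerts))
        now += every
    return fired


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOGS)
    for when, alerts in run_schedule(evs, utc(10, 5), utc(10, 25)):
        for doc in alerts:
            print(when.isoformat(), doc)
```

Two things the simulation makes visible. First, the look-back window is anchored to each execution time, so three rejections that fit inside 7 minutes but straddle two executions (for instance at 10:00:05, 10:02:10 and 10:05:45 with runs at 10:05 and 10:10) never land in one window and raise nothing; widening the window relative to the schedule is the usual remedy. Second, a data stream only comes into being when an index template whose pattern matches the target name declares `data_stream`, and every document written to it must carry `@timestamp`; if no such template exists when the connector first writes, Elasticsearch auto-creates a plain index under that name, which is consistent with an index appearing under Indices with nothing under Data Streams or Index Templates.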