Watcher Filter

Hi everyone, is there somewhere a filter function for the Watcher agent in X-Pack? I want it to count all failed logins so it can send me an email if the count is over 10 tries in 15 min.

Hey,

this is exactly what Watcher is for, but you need to write the alert yourself; as we don't know what your data looks like, you need to write your own query. So you need to come up with a query that searches for failed logins in the last 15 minutes, and check if the count of that query response is greater than 15.

You should check out the getting started guide and in order to speed up writing your watches, this article might help

--Alex

Thank you for the info, I will try that. :grin:

It worked for me, but there is still a problem: my interval is 60s, so the watcher will send me 15 emails over 15 min if it observes a real attack. Is there an option to send the email only one time?

You might want to check out throttling in Watcher, see

https://www.elastic.co/guide/en/x-pack/6.0/how-watcher-works.html#watch-acknowledgment-throttling
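As an added example (not from the thread or from Elastic's documentation), here is what a complete watch combining both answers above could look like: a search input over the last 15 minutes, a compare condition on the hit count, and a watch-level `throttle_period` so that a sustained burst of failures produces one email rather than one per 60-second run. The index pattern `auth-logs-*`, the field names `@timestamp` and `event.outcome`, and the address `admin@example.com` are assumptions and must be replaced with whatever the actual log data uses. The body is what you would `PUT` to `_xpack/watcher/watch/failed-logins` on a 6.x cluster.

```json
{
  "trigger": {
    "schedule": { "interval": "60s" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["auth-logs-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "event.outcome": "failure" } },
                { "range": { "@timestamp": { "gte": "now-15m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 10 } }
  },
  "throttle_period": "15m",
  "actions": {
    "notify_admin": {
      "email": {
        "to": "admin@example.com",
        "subject": "Failed login threshold exceeded",
        "body": "{{ctx.payload.hits.total}} failed logins in the last 15 minutes."
      }
    }
  }
}
```

With `"size": 0` the search returns only the count, which is all the condition needs. `throttle_period` can also be set on an individual action instead of the whole watch if you later add a second action (for example a Slack message) that should keep firing. On 7.x clusters `hits.total` becomes an object, so the condition would reference `ctx.payload.hits.total.value` there.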

Thank you a lot, that was the solution :grin: I was searching for "cool down time"; "throttling" wasn't on my mind.
