I need to report if there are more than 3 successful logins for a given
account within 45 seconds. I have read over the pm_evcorr section of the
documentation and now I'm confused. I have tried the following configuration
and it resulted in two logs with the same information in both of them - one
log has everything, the other I only want the successful logins to be written
to. Part of my confusion comes from the 'Condition' statement: when I used
'$Message =~ /An account has successfully logged on/' I received an error,
but when I used '$Message =~ /^thresholded/' I received no errors. (I have
only included the section of the configuration that deals with pm_evcorr -
if it would help to clarify anything I can include the rest of the
configuration.)

<Processor wfscpkicas-evcorr>
    Module pm_evcorr
    <thresholded>
        # if the number of events exceeds the given threshold within the interval do the Exec
        # Same as SingleWithThreshold in SEC
        Condition $Message =~ /^thresholded/
        Threshold 3
        Interval 45
    </thresholded>
</Processor>
<Output wfscpkicas-evcorr-out>
    Module om_file
    CreateDir true
    Exec to_syslog_bsd();
    Exec $raw_event = "-------------------------------------------------------------------------------\n" + $raw_event;
    File '%WEBTRUST%/' + $Hostname + '/' + $Hostname + '-events.log'
</Output>

-----Original Message-----
From: Botond Botyanszki [mailto:[email protected]]
Sent: Monday, January 06, 2014 3:25 AM
To: [email protected]
Subject: Re: [nxlog-ce-users] pm_evcorr information
Hi,
Can you elaborate on what exactly "correlate X number of successful logins
in a given time" means?
For example you want to have all successful login events for each user
merged into a new event every N seconds or you want to alert/log if the user
login count exceeds X over a specific interval?
See the Thresholded rule in pm_evcorr for the latter.
Regards,
Botond
On Fri, 3 Jan 2014 11:27:57 -0700
"Paul Fontenot" <[email protected]> wrote:
> I've read over the pm_evcorr information at nxlog.org and am a little
> confused. Can anyone point me in the direction of an example (web page
> is fine) of how to correlate X number of successful logins in a given
> time frame?
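The threshold asked about in this thread (more than 3 successful logins for one account within 45 seconds), modelled as a per-account sliding-window count. This is an added example in Python, not nxlog configuration and not code from either poster; the event tuples, account names and the function name `detect_bursts` are constructed for illustration, and it does not claim to reproduce pm_evcorr's internal behaviour.

```python
from collections import defaultdict, deque

THRESHOLD = 3   # alert when an account has MORE than this many logons...
INTERVAL = 45   # ...within this many seconds
# Match string taken from the Condition quoted in the post.
OK = "An account has successfully logged on"


def detect_bursts(events, threshold=THRESHOLD, interval=INTERVAL):
    """Return (time, account, count) for every burst of successful logons.

    events: iterable of (epoch_seconds, account, message) tuples.
    Only messages containing OK are counted, and each account has its
    own window, so one busy account cannot trip the rule for another.
    """
    windows = defaultdict(deque)   # account -> timestamps inside the window
    alerts = []
    for ts, account, message in sorted(events):
        if OK not in message:
            continue               # failed logons etc. never count
        win = windows[account]
        win.append(ts)
        while ts - win[0] > interval:
            win.popleft()          # forget logons older than the interval
        if len(win) > threshold:
            alerts.append((ts, account, len(win)))
            win.clear()            # one alert per burst, then start over
    return alerts


# Constructed sample data (not real log output).
SAMPLE_EVENTS = [
    (0, "alice", OK),
    (5, "bob", OK),
    (10, "alice", OK),
    (12, "alice", "An account failed to log on"),
    (20, "alice", OK),
    (30, "alice", OK),    # 4th success inside 45 s -> alert
    (100, "bob", OK),
    (160, "bob", OK),
    (220, "bob", OK),     # 4 successes overall, but too far apart
]

if __name__ == "__main__":
    for ts, account, count in detect_bursts(SAMPLE_EVENTS):
        print(f"t={ts}s account={account} successful_logons={count}")
```

The two properties to carry over into any correlation rule are visible here: the match has to select only the successful-logon events, and the count has to be kept per account rather than across all events.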