Hello,

The following should do what you are looking for, i.e. to log a message to the internal log when any user logs in more than 3 times during a 10 second time interval.

<Input in>
    Module  im_tcp
    Port    2345
    Exec    if $raw_event =~ /User (\S+) has has successfully logged on/ \
            { \
                $AccountName = $1; \
                $Action = 'logon-success'; \
            }
</Input>

<Processor evcorr>
    Module  pm_evcorr
    # Uncomment the following if the log source provides the EventTime field,
    # e.g. parse_syslog(), im_msvistalog, etc.
    # We don't have it in this case.
    # TimeField EventTime
    <Thresholded>
        # Here we could do a regexp match directly but it is better to separate
        # the parser logic since there can be a lot of different logon events
        # coming from various sources
        Condition   defined $Action and $Action == 'logon-success'
        Context     $AccountName
        Threshold   3
        Interval    10
        Exec        log_info("User logon threshold reached for " + $AccountName);
    </Thresholded>
</Processor>

You can test with the following:

-------------- INPUT ---------------------
User john has has successfully logged on
User james has has successfully logged on
User john has has successfully logged on
User john has has successfully logged on
User mary has has successfully logged on
------------ OUTPUT ----------------------
2014-01-06 14:33:14 INFO User logon threshold reached for john

Regards,
Botond

On Mon, 6 Jan 2014 05:41:33 -0700
"Paul Fontenot" <ssdv6...@gmail.com> wrote:

> I need to report if there is greater than 3 successful logins for a given
> account within 45 seconds. I have read over the pm_evcorr section of the
> documentation and now I'm confused. I have tried the following configuration
> and it resulted in two logs with the same information in both of them: one
> log has everything, the other I only want the successful logins to be written
> to. Part of my confusion comes from the 'Condition' statement: when I used
> '$Message =~ /An account has successfully logged on/' I received an error,
> but when I used '$Message =~ /^thresholded/' I received no errors. (I have
> only included the section of the configuration that deals with pm_evcorr;
> if it would help to clarify anything I can include the rest of the
> configuration.)
>
> <Processor wfscpkicas-evcorr>
>     Module pm_evcorr
>     <thresholded>
>         # if the number of events exceeds the given threshold
>         # within the interval do the Exec
>         # Same as SingleWithThreshold in SEC
>         Condition $Message =~ /^thresholded/
>         Threshold 3
>         Interval 45
>     </thresholded>
> </Processor>
>
> <Output wfscpkicas-evcorr-out>
>     Module om_file
>     CreateDir true
>     Exec to_syslog_bsd();
>     Exec $raw_event = \
>         "-------------------------------------------------------------------------------\n" + $raw_event;
>     File '%WEBTRUST%/' + $Hostname + '/' + $Hostname + '-events.log'
> </Output>
>
> -----Original Message-----
> From: Botond Botyanszki [mailto:b...@nxlog.org]
> Sent: Monday, January 06, 2014 3:25 AM
> To: nxlog-ce-users@lists.sourceforge.net
> Subject: Re: [nxlog-ce-users] pm_evcorr information
>
> Hi,
>
> Can you elaborate on what exactly "correlate X number of successful logins
> in a given time" means?
> For example, do you want to have all successful login events for each user
> merged into a new event every N seconds, or do you want to alert/log if the
> user login count exceeds X over a specific interval?
> See the Thresholded rule in pm_evcorr for the latter.
>
> Regards,
> Botond
>
> On Fri, 3 Jan 2014 11:27:57 -0700
> "Paul Fontenot" <ssdv6...@gmail.com> wrote:
>
> > I've read over the pm_evcorr information at nxlog.org and am a little
> > confused. Can anyone point me in the direction of an example (web page
> > is fine) of how to correlate X number of successful logins in a given
> > time frame?
> >
> > ------------------------------------------------------------------------------
> > Rapidly troubleshoot problems before they affect your business. Most IT
> > organizations don't have a clear picture of how application performance
> > affects their revenue. With AppDynamics, you get 100% visibility into your
> > Java, .NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
> > http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> > _______________________________________________
> > nxlog-ce-users mailing list
> > nxlog-ce-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
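To make the behaviour of the configuration in Botond's reply concrete, here is an added Python model of the two stages it uses: a parser stage that sets AccountName and Action only for matching lines, and a Thresholded rule that counts matching events per Context inside a sliding Interval. This is example code written for this page, not nxlog's implementation; it mirrors the regexp and the Condition/Context/Threshold/Interval values from the reply, and the same model run with the 45-second Interval from Paul's question shows why the Interval choice changes which bursts are reported. Two points are assumptions rather than facts taken from nxlog: the rule fires when the per-context count reaches Threshold (the reply's sample output fires on john's third logon), and the window for that context is reset after firing so one burst produces one alert. The input lines and their timestamps are constructed.

```python
import re
from collections import defaultdict, deque

# Same pattern as the Exec in the posted <Input in> block (parser stage).
LOGON_RE = re.compile(r"User (\S+) has has successfully logged on")


def parse_event(raw_event):
    """Parser stage: set AccountName/Action only for matching events.

    Returns a dict standing in for the nxlog event fields, or None when the
    line is not a logon-success event (the Thresholded rule then ignores it).
    """
    m = LOGON_RE.search(raw_event)
    if m is None:
        return None
    return {"AccountName": m.group(1), "Action": "logon-success"}


class Thresholded:
    """Model of the pm_evcorr Thresholded rule with a per-Context sliding window.

    Assumptions (not taken from nxlog source): the rule fires when the count
    of matching events within `interval` seconds reaches `threshold`, as the
    sample output in the reply shows for john's third logon, and the window
    for that context is reset after firing so one burst gives one alert.
    """

    def __init__(self, threshold, interval, context_field):
        self.threshold = threshold
        self.interval = interval
        self.context_field = context_field
        self.windows = defaultdict(deque)  # context value -> event times

    def condition(self, event):
        # Condition  defined $Action and $Action == 'logon-success'
        return event.get("Action") == "logon-success"

    def feed(self, event_time, event):
        """Return the alert text when the threshold is reached, else None."""
        if not self.condition(event):
            return None
        ctx = event[self.context_field]  # Context $AccountName
        window = self.windows[ctx]
        window.append(event_time)
        # Drop events older than Interval seconds relative to the newest one.
        while window and event_time - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()
            return "User logon threshold reached for " + ctx
        return None


def correlate(lines, threshold=3, interval=10):
    """Run parser + Thresholded over (seconds, raw_event) pairs; return alerts."""
    rule = Thresholded(threshold, interval, "AccountName")
    alerts = []
    for event_time, raw_event in lines:
        event = parse_event(raw_event)
        if event is None:
            continue
        alert = rule.feed(event_time, event)
        if alert is not None:
            alerts.append((event_time, alert))
    return alerts


# Constructed input: the five lines from the reply's test at 1-second spacing,
# a non-matching line, and a slower burst of john logons spread over 40 s.
SAMPLE_LINES = [
    (0, "User john has has successfully logged on"),
    (1, "User james has has successfully logged on"),
    (2, "User john has has successfully logged on"),
    (3, "User john has has successfully logged on"),
    (4, "User mary has has successfully logged on"),
    (5, "User bob failed to log on"),  # parser stage does not set $Action
    (20, "User john has has successfully logged on"),
    (45, "User john has has successfully logged on"),
    (60, "User john has has successfully logged on"),
]

if __name__ == "__main__":
    # Interval 10 (the reply's config) alerts once, on john's third logon at t=3;
    # Interval 45 (the interval in the question) also catches the slower burst.
    for interval in (10, 45):
        print("Interval", interval, "->", correlate(SAMPLE_LINES, interval=interval))
```

Running it with Interval 10 reproduces the single alert from the reply's test output (john's third logon), while james and mary never reach the threshold because each Context is counted on its own; with Interval 45 the three john logons at 20, 45 and 60 seconds also trigger an alert. Keeping the parser separate from the rule, as the reply recommends, is what lets the same Thresholded block serve several logon event formats: only the parser stage needs to know each format's regexp.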