I want to set up an alert based on too many of one type of log showing up compared to another type of log during a window.
Ideally, the appropriate log messages would be included in a report. For example, I want to look at the number of successful and failed logins, and alert if the number of failed logins is >5 and >5% of the successful logins within a 20 minute window.

So far, the best I've been able to come up with is to use snippets of Perl code to set variables and then have another rule after them that does the comparison. However, the one thing that I am getting stuck on is how to expire old matches after 20 minutes.

I guess I can set up a pair of SingleWithThreshold rules with super high thresholds to detect the events and then look at the SEC internal variables for this to alert on them, but this seems like a fragile way to go about this.

Any better ideas?

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
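The sliding-window ratio logic the post is after, as an added example that is not part of the original message and not SEC's own code: it is a stand-alone Python model of what the Perl snippets would have to do, so the expiry problem can be seen in isolation before porting it into a SEC rule. The sshd-style log lines, the leading ISO timestamp, the host name and the `scan`/`LoginRatioMonitor` names are all assumptions made for this example. Events of each type are kept in a time-ordered deque, so expiring matches older than 20 minutes is just popping the head of each queue against the timestamp of the event currently being processed; the alert carries the log messages still inside the window so they can go into a report.

```python
"""Sliding-window failed/successful login ratio alert (added example, not SEC code)."""
import re
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=20)   # look-back window from the post
MIN_FAILED = 5                   # alert needs more than this many failures ...
RATIO = 0.05                     # ... and more than 5% of the successes in the window

# Assumed sshd-style syslog lines with a leading ISO timestamp (constructed format).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from \S+")
SUCCESS_RE = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for \S+ from \S+")


def parse_line(line):
    """Return (timestamp, kind, line); kind is 'failed', 'success' or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    if FAILED_RE.search(line):
        return ts, "failed", line
    if SUCCESS_RE.search(line):
        return ts, "success", line
    return ts, None, line


class LoginRatioMonitor:
    def __init__(self, window=WINDOW, min_failed=MIN_FAILED, ratio=RATIO):
        self.window, self.min_failed, self.ratio = window, min_failed, ratio
        self.failed = deque()    # (timestamp, line), oldest first
        self.success = deque()
        self.armed = True        # fire once per excursion, re-arm when the condition clears

    def _expire(self, now):
        """Drop events older than the window; queues are time-ordered, so only the head is checked."""
        cutoff = now - self.window
        for q in (self.failed, self.success):
            while q and q[0][0] < cutoff:
                q.popleft()

    def feed(self, ts, kind, line):
        """Record one event; return a report dict when the alert condition becomes true."""
        self._expire(ts)
        if kind == "failed":
            self.failed.append((ts, line))
        elif kind == "success":
            self.success.append((ts, line))
        else:
            return None
        nf, ns = len(self.failed), len(self.success)
        # Caveat: with no successes in the window, 5% of 0 is 0, so the ratio test is
        # trivially true and the minimum-count threshold alone decides.
        triggered = nf > self.min_failed and nf > self.ratio * ns
        if triggered and self.armed:
            self.armed = False
            return {"at": ts, "failed": nf, "successful": ns,
                    "failed_lines": [l for _, l in self.failed],
                    "successful_lines": [l for _, l in self.success]}
        if not triggered:
            self.armed = True
        return None


def scan(lines, monitor=None):
    """Run every line through the monitor; return (alerts, monitor)."""
    monitor = monitor or LoginRatioMonitor()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            report = monitor.feed(*parsed)
            if report:
                alerts.append(report)
    return alerts, monitor


def _line(t, msg):
    return f"2012-01-10T{t} host1 sshd[4242]: {msg}"

# Constructed sample log: 10 successes 12:00-12:09, 6 failures 12:10-12:15,
# then one lone failure at 12:36 after everything earlier has expired.
SAMPLE_LOG = (
    [_line(f"12:{m:02d}:00", f"Accepted password for alice from 10.0.0.{m + 1} port 5000{m} ssh2")
     for m in range(10)]
    + [_line(f"12:{m:02d}:00", "Failed password for invalid user admin from 192.0.2.7 port 40000 ssh2")
       for m in range(10, 16)]
    + [_line("12:36:00", "Failed password for root from 192.0.2.7 port 40001 ssh2")]
)

if __name__ == "__main__":
    found, mon = scan(SAMPLE_LOG)
    for r in found:
        print(f"{r['at']}: {r['failed']} failed vs {r['successful']} successful in window")
        print("\n".join(r["failed_lines"]))
    print(f"after last line: {len(mon.failed)} failed, {len(mon.success)} successful still in window")
```

On the sample data the alert fires exactly once, at the sixth failure (12:15), with all 10 successes still in the window; the failure at 12:36 finds the window empty and does not alert. Porting this to SEC means keeping the two timestamp lists in a Perl variable from the rule's code snippet and doing the same head-of-queue expiry on every event, rather than relying on SingleWithThreshold counters that only reset when their own window ends.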