I am wondering if it is possible to collect all the events that match in a
singlewiththreshold and send them all out when the threshold is hit?



#more than 15 failed logins
type=singlewiththreshold
desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
ptype=regexp
pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
action=pipe '$0' /usr/bin/mail -s '%s' %e
window=1800
thresh=15


This is working, but I'm only getting the 1 log line from the last event
that triggered the threshold.  I'd like to be able to send all the previous
log lines with it in the email.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
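One way to get every matching line into the email, as an added example rather than the poster's own rules: a Single rule stores each matching line in a context keyed like the threshold operation, and the SingleWithThreshold rule reports that context's event store instead of only $0. The context name FAILED_LOGIN_$1_$3 is assumed, as is a SEC version whose SingleWithThreshold supports action2; %e is kept from the original rule and assumed to be a recipient variable defined elsewhere in the configuration.

```conf
# Added example, not the original poster's configuration: keep every matching
# line until the threshold fires, then mail the whole set.

# Rule 1: store each matching line in a context keyed by host ($1) and remote
# IP ($3), the same key the threshold rule's desc uses. "add" creates the
# context on first use; continue=TakeNext lets the same line reach rule 2.
type=Single
ptype=regexp
pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
desc=Store failed login of $2 on $1 from $3
action=add FAILED_LOGIN_$1_$3 $0
continue=TakeNext

# Rule 2: same counting as before, but at the threshold "report" feeds the
# context's event store (all stored lines) to mail on stdin instead of only
# $0, and "delete" empties it so the next burst starts clean. action2 runs
# when the counting operation ends (assumed: SEC 2.7 or later) and drops a
# context that never reached the threshold. %e is the recipient variable from
# the original rule and is assumed to be defined elsewhere.
type=SingleWithThreshold
ptype=regexp
pattern=\d+:\d+:\d+ GMT (\w+) .+UI CMD_EXECUTED \d+ \d+ :\s+User (\w+) - Remote_ip (\d+\.\d+\.\d+\.\d+) - Command "login.+" - Status "ERROR: Invalid username or password"
desc=Possible brute force attempt of $1 from $3 (>15 in 30min)
action=report FAILED_LOGIN_$1_$3 /usr/bin/mail -s '%s' %e; delete FAILED_LOGIN_$1_$3
action2=delete FAILED_LOGIN_$1_$3
window=1800
thresh=15
```

Keep rule 1 directly before rule 2 in the file, since TakeNext only hands the line to the rules that follow it.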