hi,
one possible approach for addressing the problem is outlined below (the
file contexts have been omitted for reasons of clarity):
type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
context=!CONTINUOUS_ACTIVITY_$1
desc=Continuous SSH login failures within 3 days for user $1
action=create CONTINUOUS_ACTIVITY_$1 259200 \
(pipe '%s' /bin/mail -s 'SSH login alert' root@localhost; \
delete RESET_MONITORING_$1); \
create RESET_MONITORING_$1 3600 (delete CONTINUOUS_ACTIVITY_$1)

type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
desc=SSH login failure for user $1
action=set RESET_MONITORING_$1 3600
The ruleset above assumes that the word "continuous" means each login
failure happening at most 1 hour after the previous one. In order to
implement the monitoring two contexts are used -- CONTINUOUS_ACTIVITY_user
exists as long as the given user is monitored, and when this context
expires normally after 3 days, it will also emit an alarm about the user.
The RESET_MONITORING_user context is employed for ensuring that subsequent
login failures are separated by at most 3600 seconds, and if this is no
longer the case, the context will delete the CONTINUOUS_ACTIVITY_user
context, preventing it from expiring normally and emitting an output alarm.
The task of the first rule is to match an SSH login failure if the user is
not yet under monitoring, and create the CONTINUOUS_ACTIVITY_user and
RESET_MONITORING_user contexts for the user. The second rule matches SSH
login failures if the user is already monitored, and it simply extends the
lifetime of RESET_MONITORING_user for another 3600 seconds. Therefore, if
RESET_MONITORING_user expires, no SSH login failures have been observed for
this user for more than 3600 seconds (that's why CONTINUOUS_ACTIVITY_user
needs to be deleted from the action-on-expire list of RESET_MONITORING_user).
Hopefully this example is useful,
risto
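To see how the two-context scheme above behaves over time, here is an added Python simulation of it. This is not part of the original message and not SEC itself: it models only the SEC context operations the ruleset uses (create with a lifetime and an action-on-expire list, set extending the lifetime while keeping that list, delete, and the reaping of expired contexts before each event is matched) and replaces the 'pipe' action with an in-memory alert list. The log lines, user names, IP address and timestamps are constructed for the example.

```python
import re

# Regex and lifetimes copied from the posted ruleset.
PATTERN = re.compile(r"sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2")
CONTINUOUS_LIFETIME = 259200   # 3 days: create CONTINUOUS_ACTIVITY_$1 259200
RESET_LIFETIME = 3600          # 1 hour: create RESET_MONITORING_$1 3600


class Contexts:
    """Minimal model of SEC contexts: name -> [expire_at, action_on_expire]."""

    def __init__(self):
        self._ctx = {}

    def create(self, name, lifetime, now, on_expire=None):
        self._ctx[name] = [now + lifetime, on_expire]

    def set(self, name, lifetime, now):
        # SEC 'set' without an action list only extends the lifetime;
        # the previously defined action-on-expire list is retained.
        if name in self._ctx:
            self._ctx[name][0] = now + lifetime

    def delete(self, name):
        self._ctx.pop(name, None)

    def exists(self, name):
        return name in self._ctx

    def expire(self, now):
        """Run action-on-expire for every context that ended by 'now', earliest
        first, because one context's action may delete another due context."""
        due = sorted((t, n) for n, (t, _) in self._ctx.items() if t <= now)
        for expire_at, name in due:
            entry = self._ctx.pop(name, None)   # None if a sibling deleted it
            if entry and entry[1]:
                entry[1](expire_at)


def process_event(cx, alerts, now, line):
    cx.expire(now)                        # expired contexts are reaped before matching
    m = PATTERN.search(line)
    if not m:
        return
    user = m.group(1)
    cont, reset = f"CONTINUOUS_ACTIVITY_{user}", f"RESET_MONITORING_{user}"
    if not cx.exists(cont):               # rule 1: context=!CONTINUOUS_ACTIVITY_$1
        def on_continuous_expire(when, user=user, reset=reset):
            # stands in for: pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
            alerts.append((when, f"Continuous SSH login failures within 3 days for user {user}"))
            cx.delete(reset)
        def on_reset_expire(when, cont=cont):
            cx.delete(cont)               # gap > 1 h: stop monitoring, no alarm
        cx.create(cont, CONTINUOUS_LIFETIME, now, on_continuous_expire)
        cx.create(reset, RESET_LIFETIME, now, on_reset_expire)
    cx.set(reset, RESET_LIFETIME, now)    # rule 2: set RESET_MONITORING_$1 3600


def run_ruleset(events, until):
    """events: (seconds, log_line) pairs in time order; returns (time, desc) alerts."""
    cx, alerts = Contexts(), []
    for now, line in events:
        process_event(cx, alerts, now, line)
    cx.expire(until)                      # let whatever is left run out
    return alerts


def failure_line(user, ip="203.0.113.7"):
    # constructed sshd log line in the format the regex expects
    return f"sshd[4242]: Failed password for {user} from {ip} port 51234 ssh2"


def sample_events():
    ev = []
    # alice: one failure every 30 min for just over 3 days -> must alert at t=259200
    ev += [(t, failure_line("alice")) for t in range(0, 262801, 1800)]
    # bob: every 30 min for a day, a 2 h gap, then again until ~2.3 days -> no alert
    ev += [(t, failure_line("bob")) for t in range(0, 86401, 1800)]
    ev += [(t, failure_line("bob")) for t in range(93600, 200000, 1800)]
    # carol: 12 failures within one hour, then silence -> the threshold rule would
    # fire, this ruleset must not
    ev += [(t, failure_line("carol")) for t in range(0, 3600, 300)]
    ev.sort(key=lambda e: e[0])
    return ev


if __name__ == "__main__":
    for when, desc in run_ruleset(sample_events(), until=300000):
        print(when, desc)
```

The simulation uses offsets in seconds instead of syslog timestamps so it runs offline; feeding it the sshd lines from a real log would require parsing their dates into epoch seconds first.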
2016-02-05 10:17 GMT+02:00 nitesh kumar <delhinitesh2...@gmail.com>:
> Considering this example from here -
> http://simple-evcorr.sourceforge.net/man.html#lbAD
>
> /usr/bin/sec --conf=/etc/sec/sshd.rules --input=/var/log/secure-current.log
>
> in order to monitor the /var/log/secure file for sshd events.
>
> Also, suppose that the /etc/sec/sshd.rules configuration file contains the
> following rule for correlating SSH failed login events:
>
> type=SingleWithThreshold
> ptype=RegExp
> context=[_FILE_EVENT_/var/log/secure-current.log]
> pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
> desc=10 SSH login failures within 2 days for user $1
> action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
> window=172800
> thresh=10
>
> Requirement:
>
> Alert only if this happens for a particular user continuously over 3
> days (the count doesn't matter).
>
> The problem is that I can't set a threshold value, because it will alert as
> soon as it sees that many login failures.
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>