When you set a Syslog Alert Trigger Threshold to 10 in 10 seconds, do the logs all have to be exactly the same or do they just have to meet the specified criteria?
For example:
I have an alert that looks for "logon*failed", so anything containing the words "logon" and "failed", and I have the Trigger Threshold set to 10 in 10 seconds, so I won't receive an alert unless I get 10 logs in 10 seconds, which indicates a bot attempting to hack my system.
Do all of the logs I get in that 10-second time frame have to be exactly the same log, or do they all just need to meet the criteria that I have specified?
Thanks in advance for any help on this!
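The question above turns on two possible ways a "10 in 10 seconds" threshold can count events: any log line that matches the trigger pattern counts toward one window, or only repeats of the identical message count. The Python below is an added example, not code from the original post and not the implementation of any particular syslog product, so it does not say which behaviour the poster's tool uses. It runs both counting modes over constructed sample log lines so the difference is visible. It assumes (none of this is stated on the page) that "logon*failed" is a case-insensitive glob-style wildcard, that timestamps are epoch seconds, that the window slides (each new event looks back 10 seconds) rather than being a fixed clock-aligned bucket, and that a window alerts once and then resets.

```python
"""Sliding-window alert threshold: "N matching logs in T seconds", two ways.

Added example; not from the original post or any syslog product.
Assumptions: glob-style pattern, epoch-second timestamps, sliding window,
events strictly older than the window are dropped, one alert per burst.
"""
import fnmatch
from collections import defaultdict, deque

PATTERN = "logon*failed"   # the poster's trigger text, treated as a glob
THRESHOLD = 10             # events
WINDOW_SECONDS = 10        # look-back window

# Constructed sample syslog lines: "EPOCH HOST PROGRAM: message".
USERS = ["alice", "bob", "carol", "dave", "erin",
         "frank", "grace", "heidi", "ivan", "judy"]
SAMPLE_LOGS = (
    # Burst A: ten DIFFERENT users fail within 9 seconds (distinct messages).
    [f"{100 + i} srv1 sshd[4242]: logon failed for user {u} from 203.0.113.{i + 1}"
     for i, u in enumerate(USERS)]
    # Noise that should never count toward the trigger.
    + ["110 srv1 sshd[4242]: logon succeeded for user ops from 192.0.2.10",
       "111 srv1 sshd[4242]: session opened for user ops"]
    # Burst B: the SAME message ten times within 4 seconds.
    + [f"{200 + i // 2} srv1 sshd[4242]: logon failed for user admin from 198.51.100.7"
       for i in range(10)]
    # Burst C: ten matching lines, but spaced 3 seconds apart (27-second span).
    + [f"{300 + 3 * i} srv1 sshd[4242]: logon failed for user root from 198.51.100.9"
       for i in range(10)]
)


def matches(message: str, pattern: str = PATTERN) -> bool:
    """Case-insensitive glob match; '*' matches any run of characters,
    so 'logon*failed' hits 'logon failed ...' and 'Logon ... FAILED ...'."""
    return fnmatch.fnmatchcase(message.lower(), f"*{pattern.lower()}*")


def parse(line: str):
    """Split 'EPOCH HOST PROGRAM: message' into (epoch, host, program, message)."""
    ts, host, prog, msg = line.split(" ", 3)
    return int(ts), host, prog.rstrip(":"), msg


def evaluate(lines, threshold=THRESHOLD, window=WINDOW_SECONDS, identical_only=False):
    """Return a list of (epoch, key) alerts.

    identical_only=False: every line matching PATTERN counts toward one window
                          (the "meets the criteria" reading).
    identical_only=True : lines are bucketed by exact message text, so only
                          repeats of the same message can reach the threshold
                          (the "exactly the same log" reading).
    """
    windows = defaultdict(deque)   # key -> deque of epoch seconds, oldest first
    alerts = []
    for line in lines:
        t, _host, _prog, msg = parse(line)
        if not matches(msg):
            continue
        key = msg if identical_only else PATTERN
        q = windows[key]
        q.append(t)
        while q and q[0] < t - window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((t, key))
            q.clear()                     # reset so one burst alerts once
    return alerts


if __name__ == "__main__":
    print("any matching line counts :", evaluate(SAMPLE_LOGS))
    print("identical messages only  :", evaluate(SAMPLE_LOGS, identical_only=True))
```

Under the "meets the criteria" reading, Burst A (ten different usernames) and Burst B (one repeated message) both fire; under the "exactly the same log" reading only Burst B fires. Burst C never fires in either mode because no 10-second window ever holds more than four matches, which is the point of a time-bounded threshold. Whichever semantics the real product implements, checking it against a test burst like this is the practical way to find out.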