Syslog Alert Help

alexpf

I need to create an alert that matches a string which is pretty easy.  However, the string can also contain one of 10 IP addresses.  Is it possible to match 5 alerts from the same IP address without having to write an alert for each one?

For example, match 5 alerts in 5 minutes from message pattern "here is the log" while I am receiving similar logs from 10 other IP addresses:

10.10.10.1 here is the log --1

10.10.10.2 here is the log

10.10.10.1 here is the log --2

10.10.10.6 here is the log

10.10.10.5 here is the log

10.10.10.4 here is the log

10.10.10.3 here is the log

10.10.10.1 here is the log --3

10.10.10.93 here is the log

10.10.10.87 here is the log

10.10.10.1 here is the log --4

10.10.10.1 here is the log --5 --> Send an email if the 5th time was received in 5 minutes.

It could be possible for 10.10.10.2 to send 5 logs in 5 minutes and I would want to send an email then as well. However, if an IP does not send a certain amount of the same log in 5 minutes, we will not alert. I am trying to accomplish 2 things:

1. Do not write more than 1 alert.

2. send an email if 5 logs are received from the same IP address (any of 10 IP addresses) within 5 minutes; do not send an email if the same syslog is received from different IP addresses in the same time frame.

Thanks,

Alex

jeilers

I'm not sure this is possible without a bunch of rules because the wildcards I think it would match any of them and add to the counter triggering everytime.

It might be easier for you to create one rule that works how you want it to, then export that rule, change the fields how you need, then import the rule with the other settings. That way the log would only match and count correctly.

Although the syslog viewer is pretty snappy so it might be just as easy to manually add the rules.