I am trying to apply a filter on the syslog messages I am receiving from a firewall for any kind of denied traffic. For this, I am required to apply a counter of 100 to denied messages from a specific source IP in real time. Since there are a lot of denied messages from several IPs, the counter can be reached easily and trigger the action, which is of no use. I want to track the count for a matching source IP inside the message content.
Is there any expression I can use to match a string pattern at a specific location again and again to increase the counter?
Thank you in advance for your valuable input.
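The question does not say which syslog server or rule engine is in use, so here is a generic illustration of the logic being asked for, as an added example that is not part of the original post: a regex captures the source IP out of each deny message, and a separate sliding-window counter is kept per source IP, so the threshold is only reached when one IP alone produces 100 denies, not when the firewall as a whole does. The message format (Cisco ASA-style `%ASA-4-106023: Deny ...` lines), the interface/IP field layout, and all sample log lines are assumptions constructed for the example; change `DENY_RE` to match the real firewall's deny message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# ASSUMPTION: deny messages look like Cisco ASA 106023 events, e.g.
#   <164>Jun 12 10:00:00 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40000 dst inside:10.0.0.10/22 ...
# The regex anchors on the syslog timestamp, the word "Deny" and the
# "src <interface>:<ip>/<port>" field; only the named groups are used.
DENY_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?"
    r"Deny \w+ src \S+?:(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"
)


def parse_deny(line):
    """Return (timestamp, source_ip) for a deny message, or None for any other line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    # No year in classic syslog headers; strptime defaults to 1900, which is fine
    # because only differences between timestamps are used below.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src_ip")


class PerSourceDenyCounter:
    """Count deny messages per source IP inside a sliding time window.

    An alert is returned when one IP reaches `threshold` denies within
    `window_seconds`; that IP's counter is then reset so the action fires once
    per threshold crossing instead of on every further message.
    """

    def __init__(self, threshold=100, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self.hits = defaultdict(deque)  # src_ip -> timestamps of recent denies
        self.alerts = []                # (src_ip, timestamp) of every alert raised

    def feed(self, line):
        parsed = parse_deny(line)
        if parsed is None:
            return None            # not a deny message: does not count at all
        ts, ip = parsed
        q = self.hits[ip]
        q.append(ts)
        # Age out denies older than the window so a slow trickle never accumulates.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            self.alerts.append((ip, ts))
            return ip
        return None


def deny_line(ts, src_ip, src_port):
    """Build one constructed ASA-style deny message (test data, not real traffic)."""
    return (f"<164>{ts} fw01 %ASA-4-106023: Deny tcp src outside:{src_ip}/{src_port} "
            f'dst inside:10.0.0.10/22 by access-group "OUTSIDE_IN"')


def build_sample_logs():
    """Constructed sample: 203.0.113.5 is denied 100 times in 50 s (two per second),
    198.51.100.7 only 4 times, plus one non-deny message mixed in."""
    lines = []
    for i in range(100):
        lines.append(deny_line("Jun 12 10:00:%02d" % (i // 2), "203.0.113.5", 40000 + i))
        if i % 25 == 0:
            lines.append(deny_line("Jun 12 10:00:%02d" % (i // 2), "198.51.100.7", 5000 + i))
    lines.insert(10, "<166>Jun 12 10:00:05 fw01 %ASA-6-302013: Built inbound TCP connection "
                     "12345 for outside:198.51.100.9/51000 to inside:10.0.0.10/443")
    return lines


def run(lines, threshold=100, window_seconds=60):
    """Feed all lines through the counter and return the list of IPs that alerted."""
    counter = PerSourceDenyCounter(threshold, window_seconds)
    return [ip for ip in (counter.feed(line) for line in lines) if ip is not None]


if __name__ == "__main__":
    print(run(build_sample_logs()))
```

Only the IP that crosses the threshold on its own is reported; the other source and the non-deny message never contribute to its count. In a real syslog pipeline the same two pieces apply: a capture group in the match expression for the source IP field, and a counter keyed on that captured value rather than on the rule as a whole.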