Hi,
I'd like to keep track of users (IPs) who try to attack services, for
example with specially crafted requests to an Apache server:
1.2.3.4 - - [10/Jul/2013:19:03:23 +0200] "GET /badurl
Therefore I have created an item:
log["/var/www/logs/access_log","/badurl","UTF-8",30]
which matches and collects these entries from /var/www/logs/access_log -> OK
Now, how can I trigger an alert if exactly this particular user (IP) 1.2.3.4 tries other
'bad' requests in the next X minutes? Do I have to work with macros to extract
the IP? Something like this:
{server:log["/var/www/logs/access_log","([^ ]+) - - */badurl"].count(60)}>5
Thanks
EDIT 11.07.2013 - 08:04: fixed typo
To make it a little bit simpler... first of all... how can I extract a substring (simple
Perl substitution: ([^ ]+), substitution = $1) to get the IP?
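As an added example (not code from the post or from Zabbix), here is a standalone Python version of the per-IP counting the question asks for: it pulls the client IP out of each access_log line with the same `([^ ]+)` capture, counts requests for the bad URL per IP inside a sliding window, and reports IPs over the threshold. The log lines are constructed for the demonstration, and the Zabbix item/trigger syntax is deliberately not reproduced.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of an Apache common/combined log line, e.g.
#   1.2.3.4 - - [10/Jul/2013:19:03:23 +0200] "GET /badurl HTTP/1.1"
LOG_RE = re.compile(r'^(?P<ip>[^ ]+) - - \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>[^ "]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")

def find_offenders(lines, bad_pattern=r"/badurl", window_minutes=60, threshold=5):
    """Return {ip: peak_count} for every IP whose requests matching bad_pattern
    exceed threshold inside any sliding window of window_minutes.
    Lines are assumed chronological, as they are in a live access_log."""
    bad_re = re.compile(bad_pattern)
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of bad hits still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not bad_re.search(path):
            continue  # a normal request is not counted against the client
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # expire hits older than the window
            hits.popleft()
        if len(hits) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(hits))
    return offenders

# Constructed sample (not from a real server): 1.2.3.4 requests /badurl six times
# within ten minutes, 5.6.7.8 only twice; the /index.html request is not counted.
SAMPLE_LOG = [
    '1.2.3.4 - - [10/Jul/2013:19:03:23 +0200] "GET /badurl HTTP/1.1" 404 209',
    '1.2.3.4 - - [10/Jul/2013:19:04:01 +0200] "GET /index.html HTTP/1.1" 200 512',
    '5.6.7.8 - - [10/Jul/2013:19:06:10 +0200] "GET /badurl HTTP/1.1" 404 209',
    '5.6.7.8 - - [10/Jul/2013:19:07:10 +0200] "GET /badurl HTTP/1.1" 404 209',
] + [f'1.2.3.4 - - [10/Jul/2013:19:{m:02d}:00 +0200] "GET /badurl?n={m} HTTP/1.1" 404 209'
     for m in range(8, 13)]

OFFENDERS = find_offenders(SAMPLE_LOG)  # {'1.2.3.4': 6}
```

Feeding the real access_log through `find_offenders` line by line gives the same per-IP verdict a trigger would; the window and threshold map onto the X minutes and the `>5` in the question.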