Hi, I need to set an alert to warn me when someone is trying to get into the domain and has failed multiple times. I know that Windows has the logs for that, but I want it to send me an alert if this happens in real time.
Thanks in advance, I'm a newbie in splunk : /
Use the stats command to count the number of events by username.
...| stats count by user
Then use the where command to add a condition for which you want to match on.
...| where count > 5
After that, create the alert to trigger when there is a result returned.
try this
go to manager->searches and reports->new
http://docs.splunk.com/Documentation/Splunk/5.0.2/Alert/Setupalertactions
Eventid=4776|stats count by user|where count > 2
or
<"your search to find out failed logins">|stats count by user|where count > 2
and create alert
The problem is, what do I need to search for? The event ID is 4776, but how can I set a search to look for more than 2 failed login attempts on the same account, for example?
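The count-and-threshold logic from both answers (`EventCode=4776 | stats count by user | where count > 2`), written out in Python as an added example rather than SPL, not from the original thread: it runs over constructed 4776 records, keeps only failures (Error Code other than 0x0, so successful validations do not inflate the count) and only events inside a recent window, which is what the scheduled alert search effectively evaluates each run. The field names, the 0x0 success code and the 10-minute window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security event 4776 (NTLM credential
# validation on the domain controller). Field names follow the event text; an Error Code
# of 0x0 means the credentials were accepted, any other value is a failed attempt.
SAMPLE_EVENTS = [
    {"time": "2013-05-01 09:00:05", "EventCode": 4776, "Logon_Account": "alice", "Error_Code": "0xC000006A"},
    {"time": "2013-05-01 09:01:10", "EventCode": 4776, "Logon_Account": "alice", "Error_Code": "0xC000006A"},
    {"time": "2013-05-01 09:02:30", "EventCode": 4776, "Logon_Account": "alice", "Error_Code": "0xC000006A"},
    {"time": "2013-05-01 09:03:00", "EventCode": 4776, "Logon_Account": "bob",   "Error_Code": "0xC000006A"},
    {"time": "2013-05-01 09:03:40", "EventCode": 4776, "Logon_Account": "bob",   "Error_Code": "0x0"},
    {"time": "2013-05-01 08:20:00", "EventCode": 4776, "Logon_Account": "carol", "Error_Code": "0xC0000064"},
    {"time": "2013-05-01 08:25:00", "EventCode": 4776, "Logon_Account": "carol", "Error_Code": "0xC0000064"},
    {"time": "2013-05-01 09:04:00", "EventCode": 4776, "Logon_Account": "carol", "Error_Code": "0xC0000064"},
    {"time": "2013-05-01 09:04:30", "EventCode": 4776, "Logon_Account": "carol", "Error_Code": "0xC0000064"},
    {"time": "2013-05-01 09:05:00", "EventCode": 4624, "Logon_Account": "dave",  "Error_Code": "0x0"},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def failed_logons_by_user(events, now, window_minutes=10, threshold=2):
    """Same logic as  EventCode=4776 Error_Code!=0x0 | stats count by Logon_Account
    | where count > threshold  evaluated over the last `window_minutes` ending at `now`.
    Returns {account: failure_count} for every account above the threshold."""
    start = now - timedelta(minutes=window_minutes)
    counts = Counter()
    for ev in events:
        if ev["EventCode"] != 4776:          # only credential-validation events
            continue
        if ev["Error_Code"] == "0x0":        # successful validations are not failed attempts
            continue
        if not (start <= parse_time(ev["time"]) <= now):
            continue                         # outside the window the alert search covers
        counts[ev["Logon_Account"]] += 1
    return {user: n for user, n in counts.items() if n > threshold}


if __name__ == "__main__":
    hits = failed_logons_by_user(SAMPLE_EVENTS, now=parse_time("2013-05-01 09:06:00"))
    for user, n in hits.items():  # prints: ALERT: 3 failed logons for alice in the last 10 minutes
        print(f"ALERT: {n} failed logons for {user} in the last 10 minutes")
```

Carol's two older failures fall outside the window, so she stays under the threshold; widening the window to an hour would flag her as well.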