We have a simple query which tracks failed login attempts. However, the eventstats function is unable to give me the proper count filter: we need only the results where a user has exceeded a specific number of login attempts.
What our current query looks like:
index=localLogFile loginFail: host=LocalServer
| rex field=_raw " ]\s\w{4}:\s(?P/*?):"
| eventstats count AS aFieldCount by FailReason
| eventstats count(InfoMessage) AS EventCountTotal
| table ipAddress UserName FailReason InfoMessage aFieldCount EventCountTotal
What I'm looking to add to this query:
We are looking to simply add another instance of eventstats or stats count that will give us the number of failed attempts when it is less than or greater than a specific number of occurrences, allowing us to later generate a report that will trigger when someone has attempted to log in more times than they should have.
Any direction or help is appreciated.
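One way to get the threshold filter the post asks for, as an added example that is not part of the original post or its query: eventstats only annotates every event with the count, so the filtering has to be done by a following where on the field it produced, and the per-user summary for the report comes from a stats afterwards. The threshold of 5, the event fields UserName, ipAddress and FailReason (assumed to already be extracted, e.g. by the poster's rex), and the output field names are assumptions.

```spl
index=localLogFile loginFail: host=LocalServer
| eventstats count AS failCount by UserName
| where failCount > 5
| stats count AS failCount values(FailReason) AS FailReasons values(ipAddress) AS sourceIPs earliest(_time) AS firstFail latest(_time) AS lastFail by UserName
```

The where after eventstats is the piece the original query is missing; `where failCount < 3` filters in the other direction in the same way. Because the count is taken over the whole search time range, the report or alert that runs this should be scheduled with a bounded window (for example earliest=-15m) so the threshold means "more than 5 failures within that window" rather than over all indexed data.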