Threshold filter


Overview
This filter will trigger only when the preceding filters have been met X times in Y seconds.

The Flags/Counters filters need to be placed after all the other filter types in the rule. This is so the other filters can be processed first.


Details
The Threshold filter is useful when you only want to know about an event when it reaches a certain level. For example, you may receive the occasional message containing the text "port scan detected", but you only want to be alerted to it when it occurs 5 times within a minute. This would indicate that there is someone persistently scanning your network.

Another example would be to watch for failed login attempts. If the text "login failed" occurred more than 5 times within 30 seconds then it could indicate a brute force login attempt.
Example of a failed login notification using the Threshold filter:

Rule: Failed login
  Filters
    Filter: Field=Hostname, Type=Simple. 
            Include: "unixhost.company.com" [S]
    Filter: Field=Msg Text, Type=Simple. 
            Include: "login failed" [S]
    Filter: Field=Flags/Counters, Type=Threshold
            Filter is true if event occurs 10 times in 120 seconds.
  Actions
    Action: Send E-mail message
            E-mail body: Intruder Alert – Login failed 10 times in 2 minutes.
            Alert - %MsgText

When 10 messages that contain the words "login failed" arrive from the host "unixhost.company.com" within 120 seconds, the filter will be true. If the filter is true, the actions below it will be performed.

This filter may also be used to reduce the amount of notification e-mail sent to you. You can use it to set the Threshold at which you want to be notified.

Maintain individual threshold counts for each host address
If checked, this setting means that Kiwi Syslog Daemon will maintain a separate internal threshold count for each host that sends a message.
What this means is that instead of keeping a general threshold count of messages sent 'X times in Y seconds', Kiwi Syslog Daemon records a count of messages sent 'X times in Y seconds from host Z'.

The following example highlights the usage of this setting, in notifying an administrator via email when 'port-flapping' is detected on a device over and above a certain threshold. One email is received for each device that is above the threshold. The host or device that caused the threshold event to fire can be reported using '%MsgHost'.

Rule: Link Up
  Filters
    Filter: Field=Msg Text, Type=Simple
            Include: "Link Up" [S]
    Filter: Field=Flags/Counters, Type=Threshold
            Filter is true if event occurs 10 times in 120 seconds,
            maintain individual threshold counts for each host address.

  Actions
    Action: Send E-mail message
            E-mail body: Port Flapping Detected - Link Up message on device '%MsgHost' received 10 times in 2 minutes.
            Device - %MsgHost
            Alert - %MsgText
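To make the two rules above concrete, here is an added example (not Kiwi Syslog Daemon's own code) that models the Threshold filter as a sliding window of event timestamps, both in its default mode and with "Maintain individual threshold counts for each host address" enabled. The syslog events are constructed for the example; the Simple filter is approximated as a case-insensitive substring match, and the filter is assumed to fire once when the count is reached and then start counting afresh. The 120-second window and the count of 10 are taken from the page.

```python
from collections import defaultdict, deque

# Constructed sample events: (seconds since start, source host, message text).
# Not real syslog traffic; built to exercise the two rules from the page.
SAMPLE_EVENTS = (
    [(t, "unixhost.company.com", "sshd: login failed for user bob") for t in range(12)]
    + [(t, "other.company.com", "sshd: login failed for user amy") for t in range(5)]
    + [(t * 10, "switch-a.company.com", "Port Gi1/0/7 Link Up") for t in range(10)]   # 0..90 s
    + [(t * 30, "switch-b.company.com", "Port Gi1/0/2 Link Up") for t in range(10)]   # 0..270 s
    + [(50, "unixhost.company.com", "cron: job finished")]
)


def simple_match(field_value, include_text):
    """Approximation (assumption) of a Kiwi 'Simple' include filter:
    case-insensitive substring test on the field."""
    return include_text.lower() in field_value.lower()


class ThresholdFilter:
    """True once a matching event has occurred `count` times within `seconds`.

    per_host=True keeps one window per source host, i.e. the page's
    'X times in Y seconds from host Z' behaviour.
    """

    def __init__(self, count, seconds, per_host=False):
        self.count = count
        self.seconds = seconds
        self.per_host = per_host
        self.windows = defaultdict(deque)  # key -> timestamps of recent matches

    def update(self, timestamp, host):
        key = host if self.per_host else None
        window = self.windows[key]
        window.append(timestamp)
        # Discard matches that fell out of the Y-second interval.
        while window and timestamp - window[0] > self.seconds:
            window.popleft()
        if len(window) >= self.count:
            window.clear()  # assumption: fire once, then count afresh
            return True
        return False


def run_rule(events, text_include, count, seconds, hostname_include=None, per_host=False):
    """Apply the Hostname/Msg Text Simple filters first and the Threshold
    filter last, in the order the page requires. Returns (host, timestamp)
    pairs at which the rule's actions would run."""
    threshold = ThresholdFilter(count, seconds, per_host)
    fired = []
    for ts, host, msg in sorted(events):
        if hostname_include and not simple_match(host, hostname_include):
            continue
        if not simple_match(msg, text_include):
            continue
        if threshold.update(ts, host):
            fired.append((host, ts))
    return fired


def render(template, host, msg_text):
    """Substitute the %MsgHost and %MsgText variables used in the e-mail bodies."""
    return template.replace("%MsgHost", host).replace("%MsgText", msg_text)


if __name__ == "__main__":
    # Rule: Failed login (global count, hostname filtered)
    for host, ts in run_rule(SAMPLE_EVENTS, "login failed", 10, 120,
                             hostname_include="unixhost.company.com"):
        print(f"t={ts}s", render("Intruder Alert - Login failed 10 times in 2 minutes on %MsgHost", host, ""))
    # Rule: Link Up (separate count per host)
    for host, ts in run_rule(SAMPLE_EVENTS, "Link Up", 10, 120, per_host=True):
        print(f"t={ts}s", render("Port Flapping Detected on device '%MsgHost'", host, ""))
    # Same rule without per-host counts: the two switches' events pool together
    # and the host reported is merely whichever one delivered the 10th event.
    print(run_rule(SAMPLE_EVENTS, "Link Up", 10, 120))
```

Running the script shows why the per-host setting matters: with separate counts only switch-a (10 "Link Up" messages in 90 seconds) crosses the threshold, while a pooled count fires on switch-b's message even though that device only flaps every 30 seconds.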