Threshold filter
Overview
This filter will trigger only when the preceding filters have been met X times in Y seconds.
The Flags/Counters filters need to be placed after all the other filter types in the rule. This is so the other filters can be processed first.
Details
The Threshold filter is useful when you only want to know about an event when it reaches a certain level. For example, you may receive the occasional message containing the text "port scan detected", but you only want to be alerted to it when it occurs 5 times within a minute. This would indicate that there is someone persistently scanning your network.
Another example would be to watch for failed login attempts. If the text "login failed" occurred more than 5 times within 30 seconds, then it could indicate a brute force login attempt.
Example of a link down notification using the time interval filter:
Rule: Failed login
Filters
  Filter: Field=Hostname, Type=Simple. Include: "unixhost.company.com" [S]
  Filter: Field=Msg Text, Type=Simple. Include: "login failed" [S]
  Filter: Field=Flags/Counters, Type=Threshold. Filter is true if event occurs 10 times in 120 seconds.
Actions
  Action: Send E-mail message
    E-mail body: Intruder Alert - Login failed 10 times in 2 minutes. Alert - %MsgText
When 10 messages containing the words "login failed" arrive from the host "central-router.company.com" within 120 seconds, the filter will be true. If the filter is true, the actions below it will be performed.
This filter may also be used to reduce the amount of notification e-mail sent to you. You can use it to set the Threshold at which you want to be notified.
Maintain individual threshold counts for each host address
If checked, this setting means that Kiwi Syslog Server will maintain a separate internal threshold count for each host that sends a message. Instead of keeping a general threshold count of messages sent 'X times in Y seconds', Kiwi Syslog Server records a count of messages sent 'X times in Y seconds from host Z'.
The following example highlights the usage of this setting, in notifying an administrator via email when 'port-flapping' is detected on a device over and above a certain threshold. One email is received for each device that is above the threshold. The host or device that caused the threshold event to fire can be reported using '%MsgHost'.
Rule: Link Up
Filters
  Filter: Field=Msg Text, Type=Simple. Include: "Link Up" [S]
  Filter: Field=Flags/Counters, Type=Threshold. Filter is true if event occurs 10 times in 120 seconds, maintain individual threshold counts for each host address.
Actions
  Action: Send E-mail message
    E-mail body: Port Flapping Detected - Link Up message on device '%MsgHost' received 10 times in 2 minutes. Device - %MsgHost Alert - %MsgText
The internal counter for the Threshold filter can be reset by using the Reset Flags/Counters Action.
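The following is an added illustration, not Kiwi Syslog Server's own code: a sliding-window counter that reproduces the behaviour of the two rules above (Simple filters on host and message text, then a Threshold of X times in Y seconds, with or without per-host counting, plus a reset equivalent to the Reset Flags/Counters action). The line format, the case-insensitive text match and the "fire once, then count afresh" behaviour after a hit are assumptions made for the example; the log lines are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed sample format: "<epoch seconds> <host> <message text>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")

class ThresholdFilter:
    """True when an event is seen `count` times within `seconds` (sliding window).
    per_host=True keeps one window per host ('maintain individual threshold counts')."""
    def __init__(self, count, seconds, per_host=False):
        self.count, self.seconds, self.per_host = count, seconds, per_host
        self.windows = defaultdict(deque)  # key -> timestamps still inside the window

    def reset(self, host=None):
        """Equivalent of the Reset Flags/Counters action (one host, or all)."""
        if host is None:
            self.windows.clear()
        else:
            self.windows.pop(host, None)

    def check(self, ts, host):
        win = self.windows[host if self.per_host else "*"]
        win.append(ts)
        while ts - win[0] > self.seconds:  # expire events older than the window
            win.popleft()
        if len(win) >= self.count:
            win.clear()  # assumption: fire once, then start counting afresh
            return True
        return False

def run_rule(lines, include_text, count, seconds, per_host=False, host_filter=None):
    """Simple filters (host, text) are applied first, then the Threshold filter.
    Returns (timestamp, host) for each event that made the threshold true."""
    thr, alerts = ThresholdFilter(count, seconds, per_host), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = int(m.group(1)), m.group(2), m.group(3)
        if host_filter and host != host_filter:
            continue
        if include_text.lower() not in msg.lower():  # assumption: case-insensitive
            continue
        if thr.check(ts, host):
            alerts.append((ts, host))
    return alerts

# Constructed sample: 12 failures from unixhost and 3 from another host in one minute
SAMPLE = [f"{1000 + 5 * i} unixhost.company.com sshd: login failed for admin" for i in range(12)]
SAMPLE += [f"{1000 + 5 * i} other.company.com sshd: login failed for root" for i in range(3)]
SAMPLE.append("1010 unixhost.company.com cron: job started")
SAMPLE.sort(key=lambda l: int(l.split()[0]))
```

With the per-host option off, the other host's three failures are added to unixhost's count and the threshold is reached earlier; with it on, only unixhost fires, and `%MsgHost` would identify it.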