We do this for all kinds of things. We
- monitor mailing list subscription rates and then add firewall block rules automatically for abusive users (usually spammers)
- monitor failed login rates to block IP access
- monitor failed login rates followed by successful login and lock accounts.

On 3/6/19 10:44 AM, Jim Hendrick wrote:
I was wondering if anyone has used syslog-ng to trigger some dynamic action based on logs.
For example, if a certain threshold of messages happens in a time window, send an alert. Like suppress() but more general actions. Or if a specific event happens, send *.debug from that system for 5 minutes. Or run a program to collect system data and send it along based on some condition.
Not thinking SIEM functionality here, but maybe allow the log servers to be more dynamic around what actions they take for basic things.
Thoughts?
Thanks. Jim
-- Evan
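As an added example, not Evan's implementation and not syslog-ng code: the two failed-login rules from the reply above (block an IP after too many failures in a window; lock an account when a success follows a burst of failures) written as detection logic and run over constructed sshd-style lines. Everything below the thread does not state is an assumption: the sshd message formats, the 60 s sliding window, a block threshold of 5 failures per IP, a lock threshold of 3 failures before a success, and the year 2019 filled in for the year-less syslog timestamps.

```python
"""Threshold-driven actions over sshd-style auth logs (added example).

Not the code from the thread; assumes sshd message formats, a 60 s
window, thresholds of 5 (block) and 3 (lock), and year 2019.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, not taken from the original post.
SAMPLE_LOGS = """\
Mar  6 10:40:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Mar  6 10:40:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
Mar  6 10:40:05 host1 sshd[1203]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar  6 10:40:06 host1 sshd[1204]: Failed password for root from 203.0.113.9 port 51003 ssh2
Mar  6 10:40:08 host1 sshd[1205]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar  6 10:40:09 host1 sshd[1206]: Failed password for root from 203.0.113.9 port 51005 ssh2
Mar  6 10:41:00 host1 sshd[1207]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  6 10:41:02 host1 sshd[1208]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  6 10:41:04 host1 sshd[1209]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  6 10:41:07 host1 sshd[1210]: Accepted password for alice from 198.51.100.7 port 40003 ssh2
Mar  6 10:50:00 host1 sshd[1211]: Failed password for bob from 192.0.2.4 port 33000 ssh2
Mar  6 10:55:00 host1 sshd[1212]: Accepted password for bob from 192.0.2.4 port 33001 ssh2
"""

# Assumed sshd wording; unrelated lines are ignored by the parser.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2019):
    """Return {'ts','host','result','user','ip'} or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; the year is an assumption.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts.replace(year=year), "host": m["host"],
            "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, window=timedelta(seconds=60), block_after=5, lock_after=3):
    """Replay lines in order and return (timestamp, action, target) tuples.

    Rule 1: >= block_after failures from one IP inside `window`  -> ('block', ip)
    Rule 2: a success for a user preceded by >= lock_after failures
            for that user inside `window`                        -> ('lock', user)
    Each target is acted on once; failures older than the window age out.
    """
    fails_by_ip = defaultdict(deque)    # ip   -> timestamps of recent failures
    fails_by_user = defaultdict(deque)  # user -> timestamps of recent failures
    actions, done = [], set()

    def prune(dq, now):
        while dq and now - dq[0] > window:
            dq.popleft()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        now = ev["ts"]
        if ev["result"] == "Failed":
            q = fails_by_ip[ev["ip"]]
            q.append(now)
            prune(q, now)
            if len(q) >= block_after and ("block", ev["ip"]) not in done:
                done.add(("block", ev["ip"]))
                actions.append((now, "block", ev["ip"]))
            u = fails_by_user[ev["user"]]
            u.append(now)
            prune(u, now)
        else:  # Accepted
            u = fails_by_user[ev["user"]]
            prune(u, now)
            if len(u) >= lock_after and ("lock", ev["user"]) not in done:
                done.add(("lock", ev["user"]))
                actions.append((now, "lock", ev["user"]))
            u.clear()  # a success ends the account's failure streak
    return actions


if __name__ == "__main__":
    for ts, action, target in detect(SAMPLE_LOGS.splitlines()):
        print(ts, action, target)
```

On the sample, 203.0.113.9 is blocked at its fifth failure (10:40:08) and alice is locked at 10:41:07; bob's single failure has aged out of the window by the time his login succeeds, so nothing fires for him. In syslog-ng itself the same counting can be expressed with the grouping-by() parser (key(), timeout(), having(), aggregate()) and the resulting aggregate message routed to a program() destination that runs the firewall or account command.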