Systems Management (OpenView-OP Mgmt) Practitioners Forum

Help with log file pattern matching

Advisor


I am trying to create a policy that will scrape a log file and look for failed authentication messages from users. How do I set it up so I only get alerted when there are 3 failed attempts from a particular user? See the example below.

 

Example file

User tst123 failed to authenticate

User tst234 failed to authenticate

User tst345 failed to authenticate

User tst123 failed to authenticate

User tst234 failed to authenticate

User tst123 failed to authenticate (alert sent for tst123)

1 REPLY
Valued Contributor

Re: Help with log file pattern matching

Hi,

 

I suggest that you use the suppress message option to send the message only on the third event.

 

To accomplish this, set the suppress option to "identical relative to their attributes", the Suppress method to counter, and the Counter threshold to 3, then get the username from the log file and insert it in the message key field (Message Attributes tab). See attached screenshot.

 

 

HTH,

 

Paulo

“The greatest challenge to any thinker is stating the problem in a way that will allow a solution.”
Bertrand Russell
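
The per-user counting described in this thread, as an added example that is not part of the original posts and is not OpenView policy code: a Python sketch that keys a counter on the username and raises an alert on the third failure. The function name `scan`, the counter restart after an alert, and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line format taken from the example file in the question.
FAILED_AUTH = re.compile(r"^User\s+(?P<user>\S+)\s+failed to authenticate\b")

THRESHOLD = 3  # counter threshold suggested in the reply


def scan(lines, threshold=THRESHOLD):
    """Return (line_number, user) for every alert raised.

    Each username has its own counter, playing the role of the message key.
    Assumption: the counter restarts after an alert, so a user who keeps
    failing alerts again after another `threshold` failures.
    """
    counts = defaultdict(int)
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        match = FAILED_AUTH.match(line.strip())
        if not match:
            continue  # blank line or unrelated log entry
        user = match.group("user")
        counts[user] += 1
        if counts[user] >= threshold:
            alerts.append((lineno, user))
            counts[user] = 0
    return alerts


# Sample input: the question's example file, plus two constructed lines
# at the end (a non-matching entry and a third failure for tst234).
SAMPLE = """\
User tst123 failed to authenticate
User tst234 failed to authenticate
User tst345 failed to authenticate
User tst123 failed to authenticate
User tst234 failed to authenticate
User tst123 failed to authenticate
User tst999 logged in
User tst234 failed to authenticate
""".splitlines()

if __name__ == "__main__":
    for lineno, user in scan(SAMPLE):
        print(f"line {lineno}: alert for {user} ({THRESHOLD} failed attempts)")
```

Without the username as the key, all six failures in the question's file would share one counter and the alert would fire on the third line, for a user who had failed only once.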