Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 2:49 pm
by sgiworks
Hello Team,
How do we save a query for the dashboard results with filters? Also, please guide me on creating new queries for alert configuration.
Regards,
Swapnil
Re: Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 2:59 pm
by sgiworks
Found this query from Windows Failed Logins. However I need further modifications to it, so that the alert is generated only if same ID [TargetUserName] has unsuccessful logon for more than 9 times within one day.
Default:
{ "query": { "filtered": { "query": { "bool": { "should": [ { "query_string": { "query": "*" } } ] } }, "filter": { "bool": { "must": [ { "range": { "@timestamp": { "from": 1412792929211, "to": 1412879329211 } } }, { "fquery": { "query": { "query_string": { "query": "EventID: (4625)" } }, "_cache": true } }, { "fquery": { "query": { "query_string": { "query": "_type: (\"eventlog\")" } }, "_cache": true } }, { "fquery": { "query": { "query_string": { "query": "SourceName: (\"Microsoft-Windows-Security-Auditing\")" } }, "_cache": true } } ] } } } } }
My Amendment:
{ "query": { "filtered": { "query": { "bool": { "should": [ { "query_string": { "query": "*" } } ] } }, "filter": { "bool": { "must": [ { "range": { "@timestamp": { "from": 1412792929211, "to": 1412879329211 } } }, { "fquery": { "query": { "query_string": { "query": "EventID: (4625),(4771),(4776)" } }, "_cache": true } }, { "fquery": { "query": { "query_string": { "query": "_type: (\"eventlog\")" } }, "_cache": true } }, { "fquery": { "query": { "query_string": { "query": "SourceName: (\"Microsoft-Windows-Security-Auditing\")" } }, "_cache": true } } ] } } } } }
Here I added the additional Event IDs (4771) and (4776); however, I want to add the above highlighted logic for the same TargetUserName with 9+ unsuccessful logons.
Regards,
Swapnil
Re: Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 3:20 pm
by cdienger
I only have the 4776 event ID to view at the moment, but if you drill down on any of those events, you should see details including username or account name that you can include in the filters. Event ID 4776 parsed out the SubjectUserName which appears to be useful.
Re: Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 3:43 pm
by sgiworks
How can I set an alert to trigger only if a user has attempted an unsuccessful sign-on more than 10 times?
TargetUserName Count > 10
Re: Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 3:59 pm
by cdienger
Re: Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 4:16 pm
by sgiworks
I have the threshold set already, but it doesn't count for the same TargetUserName > 10 in the last 24 hours.
Re: Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 4:59 pm
by cdienger
I see what you're trying to do now (trying to produce an alert for ANY account with 10 or more failed logins, correct?) and will have to play around with this a bit to see if it is in fact something NLS can handle.
Re: Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 4:59 pm
by sgiworks
Sample alert that I am receiving:
AIA PMCS Unsuccessful Logon Alert came back with a CRITICAL state at
The alert was processed with the following thresholds:
• Lookback period: 1440m
• Warning: 20
• Critical: 10
Here is the full alert output:
CRITICAL: 66760 matching entries found |logs=66760;20;10
See the last 1440m in the Nagios Log Server dashboard.
Nagios Log Server
Re: Create and save query in Nagios Log Server
Posted: Thu Sep 07, 2017 5:58 pm
by sgiworks
Alert Query is as follows:
{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":"*"}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1504735059807,"to":1504821459807}}},{"fquery":{"query":{"query_string":{"query":"EventID:(\"4625\" \"4771\" \"4776\")"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"_type:(\"eventlog\")"}},"_cache":true}}],"must_not":[{"fquery":{"query":{"query_string":{"query":"message:(S-1-0-0)"}},"_cache":true}},{"fquery":{"query":{"query_string":{"query":"SComInstaller,Guest, IWKSEA%, IWKSSA%, SRV_PE_URL_MON"}},"_cache":true}}]}}}}}
I want your help to input the logic to limit the alerts only when a particular user has more than 10 unsuccessful logons.
Quick response will be appreciated.
Regards,
Swapnil
Re: Create and save query in Nagios Log Server
Posted: Fri Sep 08, 2017 8:38 am
by mcapra
I'm fairly certain you'd need to do a terms aggregation to figure that out. I'm not sure if Nagios Log Server can properly parse a terms aggregation with the current alerting setup.
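The following is an added example, not code from this thread or from Nagios Log Server. It illustrates two points raised above: the sample alert earlier in the thread went CRITICAL on the total number of matching entries (66760) with no idea how those were spread across accounts, and mcapra's suggestion is to bucket by TargetUserName with a terms aggregation. The script builds that Elasticsearch request body in the same `filtered`/`fquery` syntax the thread's queries use (Elasticsearch 1.x), with `min_doc_count` so only accounts at or above the threshold come back as buckets, and it also applies the same filters locally to a constructed set of sample events so the per-account logic can be checked offline. Field names (`EventID`, `TargetUserName`, `_type`, `@timestamp`, `message`) and the exclusion list come from the thread; the assumption that `TargetUserName` is indexed not_analyzed, the reference time, the sample events and the helper names are mine.

```python
"""Per-account failed-logon counting: ES terms aggregation body plus a local check.
Added example, not from the thread or from Nagios Log Server."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

FAILED_LOGON_EVENT_IDS = ("4625", "4771", "4776")
# Exclusions taken from the thread's must_not clause. The thread wrote IWKSEA% and
# IWKSSA%; Lucene's wildcard character is '*', so the query body below uses that.
IGNORED_ACCOUNTS = {"SComInstaller", "Guest", "SRV_PE_URL_MON"}
IGNORED_PREFIXES = ("IWKSEA", "IWKSSA")


def build_es_query(lookback_minutes=1440, min_count=10, max_buckets=50):
    """Elasticsearch 1.x request body: the thread's filters plus a terms aggregation on
    TargetUserName. min_doc_count drops every bucket below min_count, so the number of
    buckets returned is the number of offending accounts. Assumption: TargetUserName is
    indexed not_analyzed; if it is analyzed, aggregate on its not_analyzed sub-field."""
    def fq(q):  # same fquery/_cache wrapper the thread's queries use
        return {"fquery": {"query": {"query_string": {"query": q}}, "_cache": True}}
    excluded = sorted(IGNORED_ACCOUNTS) + [p + "*" for p in IGNORED_PREFIXES]
    return {
        "size": 0,  # only the aggregation is wanted, not the individual hits
        "query": {"filtered": {
            "query": {"match_all": {}},
            "filter": {"bool": {
                "must": [
                    {"range": {"@timestamp": {"gte": "now-%dm" % lookback_minutes}}},
                    fq("EventID:(%s)" % " ".join('"%s"' % e for e in FAILED_LOGON_EVENT_IDS)),
                    fq('_type:("eventlog")'),
                ],
                "must_not": [
                    fq("message:(S-1-0-0)"),
                    fq("TargetUserName:(%s)" % " ".join(excluded)),
                ],
            }},
        }},
        "aggs": {"failed_by_account": {"terms": {
            "field": "TargetUserName", "size": max_buckets, "min_doc_count": min_count}}},
    }


def failed_logons_per_user(events, now, lookback_minutes=1440):
    """Apply the same filters locally and count failed logons per TargetUserName."""
    since = now - timedelta(minutes=lookback_minutes)
    counts = Counter()
    for ev in events:
        if ev.get("_type") != "eventlog" or str(ev.get("EventID")) not in FAILED_LOGON_EVENT_IDS:
            continue
        if datetime.fromisoformat(ev["@timestamp"]) < since:  # outside the lookback window
            continue
        user = ev.get("TargetUserName", "")
        if user in IGNORED_ACCOUNTS or user.startswith(IGNORED_PREFIXES):
            continue
        if "S-1-0-0" in ev.get("message", ""):  # thread's must_not on the NULL SID
            continue
        counts[user] += 1
    return counts


def accounts_over_threshold(counts, min_count=10):
    """Accounts with at least min_count failed logons (what the min_doc_count buckets hold)."""
    return {user: n for user, n in counts.items() if n >= min_count}


def nagios_status(flagged, total_matches, lookback_minutes=1440, min_count=10):
    """Nagios plugin style verdict keyed on accounts, not on the raw match count."""
    if flagged:
        detail = ", ".join("%s=%d" % kv for kv in sorted(flagged.items(), key=lambda kv: -kv[1]))
        return 2, ("CRITICAL: %d account(s) with >=%d failed logons in last %dm: %s "
                   "|accounts=%d total=%d" % (len(flagged), min_count, lookback_minutes,
                                              detail, len(flagged), total_matches))
    return 0, ("OK: no account with >=%d failed logons in last %dm (%d matching events) "
               "|accounts=0 total=%d" % (min_count, lookback_minutes, total_matches, total_matches))


def sample_events(now):
    """Constructed sample data (not real logs) covering each filter branch."""
    def ev(user, event_id, minutes_ago, message="An account failed to log on."):
        return {"_type": "eventlog", "EventID": event_id, "TargetUserName": user,
                "SourceName": "Microsoft-Windows-Security-Auditing", "message": message,
                "@timestamp": (now - timedelta(minutes=minutes_ago)).isoformat()}
    events = [ev("svc_backup", "4625", 5 * i) for i in range(12)]       # 12 in an hour: flagged
    events += [ev("admin", "4771", 60 * i) for i in range(10)]          # exactly 10: flagged
    events += [ev("jdoe", "4776", 10 * i) for i in range(3)]            # 3: below threshold
    events += [ev("Guest", "4625", i) for i in range(15)]               # excluded account
    events += [ev("IWKSEA01", "4625", i) for i in range(11)]            # excluded by prefix
    events += [ev("old_user", "4625", 2 * 1440 + i) for i in range(11)]  # outside lookback
    events.append(ev("svc_backup", "4624", 1))                          # successful logon
    events.append(ev("jdoe", "4625", 2, message="Security ID: S-1-0-0"))  # NULL SID, excluded
    return events


def run_demo(min_count=10):
    """Evaluate the constructed sample against a fixed reference time."""
    now = datetime(2017, 9, 7, 17, 0, tzinfo=timezone.utc)
    counts = failed_logons_per_user(sample_events(now), now)
    flagged = accounts_over_threshold(counts, min_count)
    return counts, flagged, nagios_status(flagged, sum(counts.values()), min_count=min_count)


if __name__ == "__main__":
    print(json.dumps(build_es_query(), indent=2))
    counts, flagged, (code, msg) = run_demo()
    print(msg)
```

On the sample data the thread-style check would see 25 matching entries and say nothing about who they belong to; the per-account version reports exactly two accounts (svc_backup with 12, admin with 10) and exits CRITICAL. Whether the Nagios Log Server alert engine of that era can consume the aggregation buckets rather than the hit count is the open question mcapra raises; the request body itself is ordinary Elasticsearch 1.x and can be run against the cluster directly to confirm the buckets.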