Failed Logon Alert Configuration Assistance

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
rferebee

Failed Logon Alert Configuration Assistance

Post by rferebee »

Good morning,

I'm attempting to set up an alert that triggers whenever any account has failed a logon attempt more than 10 times in a 10 minute period. I understand that I can do this with either a custom JSON query or it looks like I can do it by setting up a Real-Time alert?

I found some helpful information in other support threads: https://support.nagios.com/forum/viewto ... s&start=10

But, I'm not super familiar with JSON and the alert isn't behaving like I expect it to, here's my example:


{
    "query": {
        "filtered": {
            "query": {
                "bool": {
                    "should": [
                        {
                            "query_string": {
                                "query": "*"
                            }
                        }
                    ]
                }
            },
            "filter": {
                "bool": {
                    "must": [
                        {
                            "range": {
                                "@timestamp": {
                                    "from": 1576514353823,
                                    "to": 1576515253823
                                }
                            }
                        },
                        {
                            "fquery": {
                                "query": {
                                    "query_string": {
                                        "query": "_type:(\"eventlog\")"
                                    }
                                },
                                "_cache": true
                            }
                        },
                        {
                            "fquery": {
                                "query": {
                                    "query_string": {
                                        "query": "EventID:(\"4625\" \"4771\" \"4776\")"
                                    }
                                },
                                "_cache": true
                            }
                        },
                        {
                            "fquery": {
                                "query": {
                                    "query_string": {
                                        "query": "TargetUserName:((count >10))"
                                    }
                                },
                                "_cache": true
                            }
                        }
                    ],
                    "must_not": [
                        {
                            "fquery": {
                                "query": {
                                    "query_string": {
                                        "query": "TargetUserSid:(\"S-1-0-0\")"
                                    }
                                },
                                "_cache": true
                            }
                        },
                        {
                            "fquery": {
                                "query": {
                                    "query_string": {
                                        "query": "TargetUserName:(\"Altiris\")"
                                    }
                                },
                                "_cache": true
                            }
                        }
                    ]
                }
            }
        }
    }
}
With the above query I think I'm saying, during x time period look for event ID 4625 or 4771 or 4776 where any TargetUserName occurs more than 10 times and does not equal Altiris and does not have S-1-0-0 in the message field.

It's reporting that I have 17746 matching entries, so either my environment is on the brink of collapse or I'm doing something wrong. My guess is the latter... Would I be better off with the custom query or should I use the Real-Time alert function?

The other thing I want to have happen is, in the email that's generated, I want it to provide a list of the unique TargetUserNames. I can do this with other alerts by using a line like this: <li>%uniquehosts%</li> but I don't know the comparable variable to get a list of users rather than hosts.

Can you folks help me out?
cdienger
Support Tech

Re: Failed Logon Alert Configuration Assistance

Post by cdienger »

I wasn't able to get it to work with the count option, but this seems to do the trick:


{
        "query": {
            "filtered": {
                "query": {
                    "bool": {
                        "should": [
                            {
                                "query_string": {
                                    "query": "*"
                                }
                            }
                        ]
                    }
                },
                "filter": {
                    "bool": {
                        "must": [
                            {
                                "range": {
                                    "@timestamp": {
                                        "from": 1576514353823,
                                        "to": 1576515253823
                                    }
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "_type:(\"eventlog\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "EventID:(\"4625\" \"4771\" \"4776\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                        ],
                        "must_not": [
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "TargetUserSid:(\"S-1-0-0\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "TargetUserName:(\"Altiris\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            }
                        ]
                    }
                }
            }
        }
		
        "aggs": {
            "byUser": {
                "terms": { "field": "TargetUserName.raw", "min_doc_count": 10 }
            }
        }
}
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
rferebee

Re: Failed Logon Alert Configuration Assistance

Post by rferebee »

Ok, great. I'll try this out.

The other part I needed was this:
The other thing I want to have happen is, in the email that's generated, I want it to provide a list of the unique TargetUserNames. I can do this with other alerts by using a line like this: <li>%uniquehosts%</li> but I don't know the comparable variable to get a list of users rather than hosts.
Can you help me with that piece as well?
rferebee

Re: Failed Logon Alert Configuration Assistance

Post by rferebee »

It keeps telling me the query you provided is not valid JSON.

I thought it might be as simple as a missing bracket or something like that, but I pasted it into Notepad++ and even with the missing 3 brackets it still won't work in Log Server. Got anything else for me?
mbellerue

Re: Failed Logon Alert Configuration Assistance

Post by mbellerue »

Line 72 needed a comma. It's always the little things. :)


{
        "query": {
            "filtered": {
                "query": {
                    "bool": {
                        "should": [
                            {
                                "query_string": {
                                    "query": "*"
                                }
                            }
                        ]
                    }
                },
                "filter": {
                    "bool": {
                        "must": [
                            {
                                "range": {
                                    "@timestamp": {
                                        "from": 1576514353823,
                                        "to": 1576515253823
                                    }
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "_type:(\"eventlog\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "EventID:(\"4625\" \"4771\" \"4776\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                        ],
                        "must_not": [
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "TargetUserSid:(\"S-1-0-0\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "TargetUserName:(\"Altiris\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            }
                        ]
                    }
                }
            }
        },
      
        "aggs": {
            "byUser": {
                "terms": { "field": "TargetUserName.raw", "min_doc_count": 10 }
            }
        }
}
rferebee

Re: Failed Logon Alert Configuration Assistance

Post by rferebee »

This is the error I'm getting after pasting in your updated query (with the comma).
(screenshot of the error message, attached to the original post)
cdienger
Support Tech

Re: Failed Logon Alert Configuration Assistance

Post by cdienger »

We have a feature request in place to allow custom fields to be returned, but at the moment you're limited to:
(macros.png: screenshot of the alert macros currently available, attached to the original post)
Try:


{
        "query": {
            "filtered": {
                "query": {
                    "bool": {
                        "should": [
                            {
                                "query_string": {
                                    "query": "*"
                                }
                            }
                        ]
                    }
                },
                "filter": {
                    "bool": {
                        "must": [
                            {
                                "range": {
                                    "@timestamp": {
                                        "from": 1576514353823,
                                        "to": 1576515253823
                                    }
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "_type:(\"eventlog\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "EventID:(\"4625\" \"4771\" \"4776\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            }
                        ],
                        "must_not": [
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "TargetUserSid:(\"S-1-0-0\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "TargetUserName:(\"Altiris\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            }
                        ]
                    }
                }
            }
        },
        "aggs": {
            "byUser": {
                "terms": { "field": "TargetUserName.raw", "min_doc_count": 10 }
            }
        }
}
and also running it from the command line with:


curl -XGET 'http://localhost:9200/logstash-*/_search?pretty' -d '{
        "query": {
            "filtered": {
                "query": {
                    "bool": {
                        "should": [
                            {
                                "query_string": {
                                    "query": "*"
                                }
                            }
                        ]
                    }
                },
                "filter": {
                    "bool": {
                        "must": [
                            {
                                "range": {
                                    "@timestamp": {
                                        "from": 1576514353823,
                                        "to": 1576515253823
                                    }
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "_type:(\"eventlog\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "EventID:(\"4625\" \"4771\" \"4776\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            }
                        ],
                        "must_not": [
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "TargetUserSid:(\"S-1-0-0\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            },
                            {
                                "fquery": {
                                    "query": {
                                        "query_string": {
                                            "query": "TargetUserName:(\"Altiris\")"
                                        }
                                    },
                                    "_cache": true
                                }
                            }
                        ]
                    }
                }
            }
        },
        "aggs": {
            "byUser": {
                "terms": { "field": "TargetUserName.raw", "min_doc_count": 10 }
            }
        }
}'
rferebee

Re: Failed Logon Alert Configuration Assistance

Post by rferebee »

It was happy with that query, but it's weird. I can run it directly on the server and get the results I expect, but when I run it from the Log Server console it's showing me the previous queries results and isn't updating the output. Maybe it's timing out somewhere?

I sent you a PM with the output since it has a bunch of user email addresses in it.
cdienger
Support Tech

Re: Failed Logon Alert Configuration Assistance

Post by cdienger »

Looking into the code, it doesn't appear this will work because NLS first does a query against the count API (https://www.elastic.co/guide/en/elastic ... count.html), which doesn't like the agg parameter. We have a couple of feature requests in place to better support aggregation like this. I will add your information to it to show the demand for this kind of functionality.
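Added example, not code from this thread or from Nagios: because Log Server runs the alert through the count API and the aggregation is dropped, the same detection can be run outside NLS against the /_search endpoint, or evaluated directly over the events. The block below rebuilds the thread's final query as a Python dict with the @timestamp window computed from a reference time instead of hard-coded epoch values (the from/to values in the thread are 900000 ms apart, i.e. a 15-minute window, not 10), applies the same filters and per-user count to constructed sample events so it runs offline, pulls the byUser buckets out of a /_search response, and renders the unique-user list the original post wanted for the e-mail. Field names (_type, EventID, TargetUserName, TargetUserSid) are the thread's; the filtered/fquery syntax is the Elasticsearch 1.x query DSL the thread uses and was removed in later major releases; the sample events, the reference time and the 10-attempt/10-minute thresholds are assumptions. Note that min_doc_count: 10 keeps buckets with at least 10 failures, so "more than 10" needs 11.

```python
# Added example (not from the thread or from Nagios): the thread's final query with a
# rolling window, plus the same filter/count logic applied locally to constructed events.
import html
from collections import Counter

FAILED_LOGON_IDS = ("4625", "4771", "4776")  # the failed-logon event IDs from the thread
EXCLUDED_SIDS = ("S-1-0-0",)                  # NULL SID, excluded in the thread's must_not
EXCLUDED_USERS = ("Altiris",)                 # service account excluded in the thread
WINDOW_MS = 10 * 60 * 1000                    # assumption: 10-minute window
THRESHOLD = 10                                # min_doc_count from the thread (at least 10)


def _fquery(query_string):
    """One fquery/query_string clause in the Elasticsearch 1.x DSL the thread uses."""
    return {"fquery": {"query": {"query_string": {"query": query_string}}, "_cache": True}}


def build_query(now_ms, window_ms=WINDOW_MS, min_count=THRESHOLD):
    """Return the thread's search body with @timestamp computed from now_ms.

    Send it to /_search, not /_count: the count API ignores "aggs", which is
    why Log Server's alert never saw the byUser buckets.
    """
    event_ids = " ".join(f'"{i}"' for i in FAILED_LOGON_IDS)
    return {
        "query": {"filtered": {
            "query": {"bool": {"should": [{"query_string": {"query": "*"}}]}},
            "filter": {"bool": {
                "must": [
                    {"range": {"@timestamp": {"from": now_ms - window_ms, "to": now_ms}}},
                    _fquery('_type:("eventlog")'),
                    _fquery(f"EventID:({event_ids})"),
                ],
                "must_not": [_fquery(f'TargetUserSid:("{s}")') for s in EXCLUDED_SIDS]
                + [_fquery(f'TargetUserName:("{u}")') for u in EXCLUDED_USERS],
            }},
        }},
        # min_doc_count 10 keeps buckets with AT LEAST 10 failures; use 11 for "more than 10"
        "aggs": {"byUser": {"terms": {"field": "TargetUserName.raw", "min_doc_count": min_count}}},
    }


def offending_users(events, now_ms, window_ms=WINDOW_MS, min_count=THRESHOLD):
    """Apply the same filters and per-user count locally; returns {user: failures}."""
    counts = Counter()
    for e in events:
        if not (now_ms - window_ms <= e.get("@timestamp", -1) <= now_ms):
            continue
        if e.get("_type") != "eventlog" or str(e.get("EventID")) not in FAILED_LOGON_IDS:
            continue
        if e.get("TargetUserSid") in EXCLUDED_SIDS or e.get("TargetUserName") in EXCLUDED_USERS:
            continue
        counts[e["TargetUserName"]] += 1
    return {user: n for user, n in counts.items() if n >= min_count}


def users_from_response(search_response):
    """Extract {user: doc_count} from the byUser terms buckets of a /_search response."""
    buckets = search_response.get("aggregations", {}).get("byUser", {}).get("buckets", [])
    return {b["key"]: b["doc_count"] for b in buckets}


def format_alert(offenders):
    """Render the unique-user list for the alert e-mail (what %uniquehosts% gives for hosts).
    Usernames come from the attacker's logon attempts, so they are HTML-escaped."""
    items = "".join(f"<li>{html.escape(u)} ({n} failures)</li>" for u, n in sorted(offenders.items()))
    return f"<ul>{items}</ul>"


# Constructed sample events (not real log data). NOW_MS reuses the "to" value from the thread.
NOW_MS = 1576515253823


def _burst(user, sid, event_id, n, step_ms, age_ms=0):
    return [{"@timestamp": NOW_MS - age_ms - step_ms * i, "_type": "eventlog", "EventID": event_id,
             "TargetUserName": user, "TargetUserSid": sid} for i in range(n)]


SAMPLE_EVENTS = (
    _burst("jdoe", "S-1-5-21-1-2-3-1001", "4625", 12, 30_000)                 # 12 in window: alert
    + _burst("carol", "S-1-5-21-1-2-3-1004", "4771", 10, 45_000)              # exactly 10
    + _burst("asmith", "S-1-5-21-1-2-3-1002", "4771", 3, 60_000)              # below threshold
    + _burst("Altiris", "S-1-5-21-1-2-3-500", "4776", 20, 10_000)             # excluded account
    + _burst("", "S-1-0-0", "4625", 15, 20_000)                               # NULL SID, excluded
    + _burst("bob", "S-1-5-21-1-2-3-1003", "4625", 40, 1_000, WINDOW_MS + 1_000)  # older than window
)

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(NOW_MS), indent=2))
    offenders = offending_users(SAMPLE_EVENTS, NOW_MS)
    print(offenders)
    print(format_alert(offenders))
```

Run as-is it prints the query body, the offenders from the sample data (jdoe with 12 and carol with exactly 10; Altiris, the NULL-SID entries and the stale burst for bob are all dropped), and the HTML list. To use it against a live cluster, post json.dumps(build_query(now_ms)) to the same logstash-*/_search URL as the curl command above and hand the decoded response to users_from_response; the hit count that /_count returns cannot tell you which users crossed the threshold, which is the limitation the previous post describes.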
rferebee

Re: Failed Logon Alert Configuration Assistance

Post by rferebee »

Ok so, at this time, we are unable to get this kind of data from Log Server using a query?

Would the "real-time" alerts help me at all?