Correlated Alerts in Logscape

In my experience Correlated Alerts are something the average user doesn’t touch, either thinking they don’t need them or believing (falsely) that setting one up is much more difficult than it is. While correlated events can be used on almost any kind of data, my opinion is that they are at their best on data such as audit or web server logs, and they will excel in any environment that makes use of error messages or codes. Today I’m going to walk you through setting up a correlated alert, just to show how easy it is.

Correlated Events, Easier than they seem.

For this I’m going to presume you already know the basics of alerting in Logscape; if you don’t, you can read the documentation on alerts here.


With that out of the way, let’s get going. If you’re not familiar with the Correlated Alerts section of alerting, it can be found as the last option in the trigger tab (I’ve included a picture to the right). You have the trigger source, as with any alert trigger, but then we come to the daunting correlation section.

Time Window, Type, Event Value, Correlation Field, Correlation Key? No need to worry, each has a simple, and intuitive use.

Time Window – The time, in seconds, to look for the events you will later specify.

Type – Sequence or average. Sequence expects specific events in, well, a sequence, whereas average is the average of the field across your time window.

Event Value – For average, this is the value you want to alert on; for sequence, it is a comma-separated list of values to look for, in order.

Correlation Field – The field which will be evaluated.

Correlation Key – A field to group by. Specifying _host, for example, means the average is worked out per host, or a sequence of events is looked for per host.

Pretty simple right? Now for an example.

I’m going to be dealing with logs from our FTP server, and I want to fire an alert if someone fails to log in 4 times in a row, so I’ve set my alert up like this –


This is a simple search to capture any event which contains an error code; for help creating your search you can check out the searching docs. Moving on to how I’ve got my correlation configured, it’s really quite simple.


My alert is going to look over a 60 second time window, and it’s going to look for a sequence of events; more precisely, four ’10’s in a row (FTP username/password incorrect) in the AlertCode field from my search. Finally, it’s going to group the events by _srcIP, so that four different IPs each failing to log in once won’t trigger my alert: you need to fail four times from the same _srcIP. If the events meet these criteria, my alert will fire and whatever you specify in your actions tab will be performed. For us it’s a simple email, but there are quite a few different possibilities, all of which are covered in the alerting docs.
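To make the sequence semantics concrete, here is an added example (not Logscape code, and not from the original post) that applies the same rule to a few constructed FTP log lines: a 60 second window, the sequence 10,10,10,10 in the AlertCode field, keyed by source IP. The log format, field names and the success code 230 are assumptions for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample FTP log lines (not from the original post): 10.0.0.5 fails
# four times inside 60 s; 10.0.0.9 fails four times but too slowly; 10.0.0.7
# has a successful login (code 230, assumed) splitting its failures.
SAMPLE_LOGS = """\
2016-03-01 12:00:01 src=10.0.0.5 user=alice AlertCode=10
2016-03-01 12:00:05 src=10.0.0.5 user=alice AlertCode=10
2016-03-01 12:00:10 src=10.0.0.7 user=carol AlertCode=10
2016-03-01 12:00:11 src=10.0.0.7 user=carol AlertCode=10
2016-03-01 12:00:12 src=10.0.0.5 user=alice AlertCode=10
2016-03-01 12:00:13 src=10.0.0.7 user=carol AlertCode=230
2016-03-01 12:00:14 src=10.0.0.7 user=carol AlertCode=10
2016-03-01 12:00:15 src=10.0.0.7 user=carol AlertCode=10
2016-03-01 12:00:20 src=10.0.0.5 user=alice AlertCode=10
2016-03-01 12:02:00 src=10.0.0.9 user=bob AlertCode=10
2016-03-01 12:02:30 src=10.0.0.9 user=bob AlertCode=10
2016-03-01 12:03:05 src=10.0.0.9 user=bob AlertCode=10
2016-03-01 12:03:10 src=10.0.0.9 user=bob AlertCode=10
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) .*AlertCode=(?P<code>\d+)")

def parse(lines):
    """Yield (timestamp, _srcIP, AlertCode) for every line the search matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["code"]

def correlate_sequence(events, sequence, window_seconds):
    """Sequence-type correlation over time-ordered events: fire for a key when its
    last len(sequence) values equal `sequence` and all sit inside the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)            # correlation key -> (ts, value) queue
    fired = []
    for ts, key, value in events:
        q = recent[key]
        q.append((ts, value))
        while ts - q[0][0] > window:       # drop events older than the window
            q.popleft()
        if [v for _, v in list(q)[-len(sequence):]] == sequence:  # other codes break the run
            fired.append((key, ts))
            q.clear()                      # one alert per run, not per extra event
    return fired

def ftp_bruteforce_alerts(log_text=SAMPLE_LOGS):
    """The post's configuration: 60 s window, sequence 10,10,10,10, key _srcIP."""
    return correlate_sequence(parse(log_text.splitlines()), ["10"] * 4, 60)
```

Only 10.0.0.5 fires: 10.0.0.9 never has four failures inside one 60 second window, and 10.0.0.7's successful login breaks its run.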

Hopefully today’s blog has helped you to understand how easy correlated alerts are to use, and how much they’re capable of.