Trigger actions based on flags or counters
This feature is available only in a licensed edition of Kiwi Syslog Server.
Use Flags/Counters filters to trigger or suppress actions based on the number of times a filter returns
TRUE during the specified interval.
Use a Time interval filter to avoid triggering the same action multiple times during the specified interval.
Example: a rule sends an email alert when a message contains the text
link down. When a problem occurs, the link goes up and down a number of times a minute. As a result, you receive an email alert for each
link downmessage. To prevent receiving several alerts for the same event, include a Time interval filter with a value of 5. Kiwi Syslog Server sends an email alert for the first "link down" message. Other
link downmessages received during next five minutes do not trigger additional email alerts.
Use a Threshold filter to receive alerts when a message is sent more than a certain number of times during the specified interval.
Example: you occasionally receive a message containing the text
port scan detected, but you don't want to receive alerts unless it occurs more than five times within a minute. That frequency would indicate that someone is persistently scanning your network.
You can also use this filter to watch for failed login attempts. If the text
login failedoccurs more than five times within 30 seconds, it could indicate a brute force login attempt.
Use a Timeout filter to monitor syslog devices and send an alert when a device is unexpectedly quiet. This filter triggers an action when the filters that precede it in the rule are not met a minimum number of times per interval.
Example: your firewall normally generates at least 200 messages per hour. If the number of messages drops below 10 in an hour, this filter triggers an email alert.
Use the reset flags and counters action to reset the internal counter or timer used by these filters. The internal counter or timer used by these filters can be reset with the action to reset flags and counters.
- From the Kiwi Syslog Service Manager, choose File > Setup.
- Add a rule, or locate an existing rule.
- Right-click Filters below the rule, and click Add Filter.
- Right-click the default filter name. Click Rename Filter to enter a descriptive name.
In the Field menu, select Flags/Counters.
Select an option from the Filter Type menu.
To avoid conflicts in processing, the filter options below should not be used together within the same rule filter. Each filter type must reside in its own individual filter.
Enter a time interval in minutes.
A Time interval filter prevents subsequent rule filters from processing for the specified interval. A time interval filter should be the last filter in a rule. You can reorder filters. This filter should not be in the same rule with the Threshold or Timeout filters.
- Enter the threshold and interval in seconds.
- To have a separate interval message counts from different IP addresses, select Maintain individual threshold counts.
A Threshold filter prevents subsequent rule filters from processing for the specified interval. A threshold filter should be the last filter in a rule. This filter should not be in the same rule with the Time Interval or Timeout filters.
To configure a Timeout filter:
- Add filters before the Timeout filter to specify which messages to count. For example, to watch for inactivity on the firewall, create a filter to include only messages from the firewall's IP address.
- In the Timeout filter, enter the minimum number of times the message should be received in Kiwi Syslog Server.
- Enter the time interval in minutes.
- To avoid triggering an alert at times when low activity is expected, add a Time of day filter to include only certain days and time periods.
A Timeout filter prevents subsequent rule filters from processing for the specified interval. Other than the optional Time of day filter, a timeout filter should be the last filter in a rule. This filter should not be in the same rule as the Time interval or Threshold filters.
When this filter returns
TRUE, a message with the following format is passed to actions in the rule:
Priority: Local7.Debug (191)
HostIP: 127.0.0.1 (localhost)
MsgText: The rule 'ruleName' has only been matched x times in y minutes. The threshold was set for z times.
- Test the filter.
The Kiwi Syslog Server triggers actions in the associated rule when the specified threshold is exceeded (for Time interval and Threshold filters) or is not met (for Timeout filters).