This feature is available only in the licensed version.
Use Flags/Counters filters to trigger or suppress actions based on the number of times a filter returns TRUE during the specified interval. The following Flags/Counters filters are available:
Use a Time interval filter to avoid triggering the same action multiple times during the specified interval.
Example: a rule sends an email alert when a message contains the text "link down." When a problem occurs, the link sometimes goes up and down many times a minute, and you receive an email alert for each "link down" message. To prevent this, you include a Time interval filter with a value of 5. Kiwi Syslog Server sends an email alert for the first "link down" message. Other "link down" messages during the next five minutes do not trigger additional email alerts.
Use a Threshold filter to be alerted if a message is sent more than a certain number of times during the specified interval.
Example: you occasionally receive a message containing the text "port scan detected," but you don't want to be alerted unless it occurs more than five times within a minute. That frequency would indicate that someone is persistently scanning your network.
You can also use this filter to watch for failed login attempts. If the text "login failed" occurs more than five times within 30 seconds, it could indicate a brute force login attempt.
Use a Timeout filter to monitor syslog devices and send an alert when a device is unexpectedly quiet. This filter triggers an action when the filters that precede it in the rule are not met a minimum number of times per interval.
Example: your firewall normally generates at least 200 messages per hour. If the number of messages drops below 10 in an hour, this filter triggers an email alert.
The internal counter or timer used by these filters can be reset with the action to reset flags and counters.
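To make the three filter types concrete, the following is an added Python example, not Kiwi Syslog Server code, that applies one rule of each kind to constructed sample messages: a Time interval filter on "link down" (5 minutes), a Threshold filter on "login failed" (more than 5 times in 30 seconds), and a Timeout filter that expects at least 10 firewall messages per hour and emits an alert in the message format the page documents for Timeout filters. The host name, message texts, timestamps and the rule name "Firewall heartbeat" are made up, and the assumption that a Threshold counter clears once it has fired is marked in the code.

```python
"""Counter-style filters modelled on the Flags/Counters semantics described
above. Added example; this is not Kiwi Syslog Server's implementation."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample messages (host, text and times are made up), one per line:
# "<ISO timestamp> <host> <message text>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 fw1 Interface eth0 link down
2024-01-01T10:00:20 fw1 Interface eth0 link up
2024-01-01T10:00:40 fw1 Interface eth0 link down
2024-01-01T10:02:00 fw1 Interface eth0 link down
2024-01-01T10:06:00 fw1 Interface eth0 link down
2024-01-01T10:10:00 fw1 login failed for admin
2024-01-01T10:10:05 fw1 login failed for admin
2024-01-01T10:10:10 fw1 login failed for admin
2024-01-01T10:10:15 fw1 login failed for admin
2024-01-01T10:10:20 fw1 login failed for admin
2024-01-01T10:10:25 fw1 login failed for admin
2024-01-01T10:10:30 fw1 login failed for admin
"""


def parse(line):
    """Split one sample line into (timestamp, host, text)."""
    ts, host, text = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, text


class TimeIntervalFilter:
    """TRUE for the first match, FALSE for further matches until `minutes`
    have passed since the last TRUE: this is what suppresses alert storms."""

    def __init__(self, minutes):
        self.window = timedelta(minutes=minutes)
        self.last_fired = None

    def check(self, ts):
        if self.last_fired is None or ts - self.last_fired >= self.window:
            self.last_fired = ts
            return True
        return False

    def reset(self):  # equivalent of the "reset flags and counters" action
        self.last_fired = None


class ThresholdFilter:
    """TRUE when more than `times` matches fall inside a sliding window of
    `seconds`. Assumption (not stated on the page): the counter clears after
    it fires, so one burst yields one alert instead of one per extra match."""

    def __init__(self, times, seconds):
        self.times = times
        self.window = timedelta(seconds=seconds)
        self.hits = deque()

    def check(self, ts):
        cutoff = ts - self.window
        while self.hits and self.hits[0] < cutoff:  # drop matches outside window
            self.hits.popleft()
        self.hits.append(ts)
        if len(self.hits) > self.times:
            self.reset()
            return True
        return False

    def reset(self):
        self.hits.clear()


class TimeoutFilter:
    """Counts how often the preceding filters matched; at the end of each
    interval it fires if the count is below `minimum`, producing a message in
    the format documented for Timeout alerts."""

    def __init__(self, rule_name, minimum, minutes):
        self.rule_name = rule_name
        self.minimum = minimum
        self.minutes = minutes
        self.count = 0

    def record_match(self):
        self.count += 1

    def end_of_interval(self):
        matched, self.count = self.count, 0
        if matched >= self.minimum:
            return None
        return {
            "Priority": "Local7.Debug (191)",
            "HostIP": "127.0.0.1 (localhost)",
            "MsgText": (f"The rule '{self.rule_name}' has only been matched "
                        f"{matched} times in {self.minutes} minutes. "
                        f"The threshold was set for {self.minimum} times."),
        }


def run_rules(log_text):
    """Apply one rule of each kind to the log and return the alerts raised."""
    link_down = TimeIntervalFilter(minutes=5)
    brute_force = ThresholdFilter(times=5, seconds=30)
    heartbeat = TimeoutFilter("Firewall heartbeat", minimum=10, minutes=60)
    alerts = []
    for line in log_text.splitlines():
        ts, host, text = parse(line)
        if host == "fw1":  # the filters that precede the Timeout filter
            heartbeat.record_match()
        if "link down" in text and link_down.check(ts):
            alerts.append(("link down", ts))
        if "login failed" in text and brute_force.check(ts):
            alerts.append(("brute force", ts))
    # The sample spans one busy hour; close it, then close a second, silent hour.
    for _ in range(2):
        msg = heartbeat.end_of_interval()
        if msg:
            alerts.append(("timeout", msg["MsgText"]))
    return alerts


if __name__ == "__main__":
    for kind, detail in run_rules(SAMPLE_LOG):
        print(kind, detail)
```

Running the sample produces two "link down" alerts (10:00:00 and 10:06:00, with the 10:00:40 and 10:02:00 repeats suppressed), one "brute force" alert on the sixth failed login at 10:10:25, and one timeout alert for the silent second hour; the busy first hour, with 12 firewall messages, stays quiet because it meets the minimum of 10. Each filter's `reset()` plays the role of the reset flags and counters action mentioned above.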
In the Field menu, select Flags/Counters.
Select an option from the Filter Type menu.
To configure a Time interval filter:
Enter a time interval in minutes.
A Time interval filter should be the last filter in a rule. You can reorder filters.
To configure a Threshold filter:
A Threshold filter should be the last filter in a rule.
To configure a Timeout filter:
Other than the optional Time of day filter, a Timeout filter should be the last filter in a rule.
When this filter returns TRUE, a message with the following format is passed to any actions in the rule:
Priority: Local7.Debug (191)
HostIP: 127.0.0.1 (localhost)
MsgText: The rule 'ruleName' has only been matched x times in y minutes. The threshold was set for z times.
Click Apply to save the filter.
Actions in the associated rule are triggered when the specified threshold is exceeded (for Time interval and Threshold filters) or is not met (for Timeout filters).