How can I set up alerts on an unauthorized login to the application?
Hello,
Login events are tracked in catalina.out. This file then gets pushed to SumoLogic. How do I create an alert on these login events for unauthorized users?
-
Santosh,
You have a couple of options you can use. The first option would be using a "where" statement. With the where statement you also have the "not" option to return results that don't match.
Using the "not" option
If you need a query using the where operator, where xxx DOES NOT match yyy, use "!" followed by the matches operator enclosed in parentheses.
For example:
...| where !(<field xxx> matches "<value yyy>") | ...
or:
...| where !(status matches "200")
or
... | where user not in ("user_a", "user_b")
Here is the KB article for the "where" statement.
Your second option is to use a lookup file. Here is the KB article on using the lookup file.
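The "where" filter from the answer above, placed in a full search that can be scheduled as an alert. This is an added example, not part of the original answer; the log wording "Login successful" and the user=<name> field are assumptions about what the application writes to catalina.out.

```sumologic
// Added example. Assumed (constructed) log line shape:
//   ... INFO AuthFilter - Login successful user=user_c ip=10.0.0.5
// Adjust the keyword and the regex to match your application's real lines.
_sourceName=*catalina.out* "Login successful"
// Extract the account name into a field called "user".
| parse regex "user=(?<user>[^\s,;]+)"
// Keep only logins by accounts that are NOT on the allowlist.
| where !(user in ("user_a", "user_b"))
// One result row per unexpected account, with how often it logged in.
| count as logins by user
```

Save the search as a scheduled search over a short time range and set the alert condition to fire when the number of results is greater than 0. For a long allowlist, the lookup-file option from the answer replaces the hard-coded list in the where clause.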