How can I setup Alerts when a unauthorized login the application

Follow

Santosh Babburu

• September 24, 2018 13:59
• Edited

Hello,

Login events are tracked in catalina.out. This file then gets pushed to SumoLogic. How to create an alert on these login events for unauthorized users

 

0

• 

  Nathan Beltran

  • September 24, 2018 14:24

  Santosh,

  You have a couple of options you can use. The first option would be using a "where" statement. With the where statement you also have the "not" option to return results that don't match

  Using the "not" option

  If you need a query using the where operator, where xxx DOES NOT match yyy, use "!" followed by the matches operator enclosed in parenthesis.

  For example:

  ...| where !(<field xxx> matches "<value yyy>") | ...

  or:

  ...| where !(status matches "200")

  or

   ...  | where user not in ("user_a", "user_b")

  Here is the KB article for the "where" statement.

  https://help.sumologic.com/Search/Search-Query-Language/Search-Operators/where

   

   

  Your second option is to use a lookup file. Here is the KB article on using the lookup file.

  https://help.sumologic.com/Search/Search-Query-Language/Search-Operators/lookup

  0

  Comment actions Permalink

Please sign in to leave a comment.