Alert when specific syslog message is received multiple times?

I’d like to set up an alert for deauthentication messages. They show up in syslog as something like deauthentucaton received from .

I’d like the alert to hit whenever the deauthentication message has the same Mac 5 times within a minute.

Is this possible without knowing the Mac first?

imo yes its possible,

But u need to make an advance SQL query with count addon
And add new Macro for 1m (asuming u got 1 min pollings or 1 min allerting)
past_1m DATE_SUB(NOW(),INTERVAL 1 MINUTE)

Look for
Syslog, Authentication failure on Device

syslog.timestamp >= macros.past_5m && syslog.msg ~ “@authentication [email protected]

Edit this to

syslog.timestamp >= macros.past_1m && syslog.msg ~ “@>your lookup here>@”
Asuming u got static mac adress etc

Now u need to tweak the rules / advance SQL whit an COUNT() sql

Maybe to make an request for addon in the rule builder for the count :slight_smile:

the message I receive in syslog is:
“ath0 Received deauth from 2c:c5:d3:69:ba:4c. Reason: Class 2 frame received from nonauthenticated STA.”

The mac isn’t going to necessarily be the same every time. However if I include from nonauthenticated STA it wont matter. I can print them in sql using the query “select * from syslog where msg like “%Received deauth from% %Reason: Class 2 frame received from nonauthenticated STA%”;”

So following your examlple id use: syslog.timestamp >= macros.past_1m && syslog.msg ~ “%Received deauth from% %Reason: Class 2 frame received from nonauthenticated STA%” && devices.disabled = 0 && devices.ignore = 0

along with some form of count if I needed the count (which thinking about it i could likely do without and be okay. I shouldn’t receive any of these messages unless There is an actual problem.