Alert for detection of anormal increase of logs

Discussion created by Dujardin on Jan 12, 2012
Latest reply on Jan 16, 2012 by RSA Admin

Hi all,


I would like to detect when an event source is sending much more logs (in general) than usual.

For example, a firewall is sending 200 events per minute and for a reason X or Y we receive 2000 events per minute during a brief period, this is not normal so i would like to trigger an alert.


What I want is an alert is triggerd when the average activity increases. So don't want to monitor a specific message ID but the average amount of logs received instead.


Have some tips, existing rules or explanation to help me?

Thank you in advance for your help.